changeset:   1718:9f11d54f692e
user:        Thomas Klausner <tk@giga.or.at>
date:        Sat Mar 21 12:28:42 2015 +0100
summary:     Avoid integer overflow. Addresses CVE-2015-2331.

--- shlr/zip/zip/zip_dirent.c.orig	2014-12-03 21:56:31 UTC
+++ shlr/zip/zip/zip_dirent.c
@@ -35,6 +35,7 @@
 
 #include <stdio.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include <errno.h>
 #include <sys/types.h>
@@ -110,7 +111,7 @@ _zip_cdir_new(zip_uint64_t nentry, struc
 
     if (nentry == 0)
 	cd->entry = NULL;
-    else if ((cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*nentry)) == NULL) {
+    else if ((nentry > SIZE_MAX/sizeof(*(cd->entry))) || (cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
 	free(cd);
 	return NULL;