Avoid integer overflow. Addresses CVE-2015-2331. Fixed similarly to patch used in PHP copy of libzip: https://github.com/php/php-src/commit/ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Thanks to Emmanuel Law <emmanuel.law@gmail.com> for the notification about the bug.
diff --git a/lib/zip_dirent.c b/lib/zip_dirent.c index 15ad6d7..ca1917c 100644 --- a/lib/zip_dirent.c +++ b/lib/zip_dirent.c
@@ -105,7 +105,7 @@ if (nentry == 0) cd->entry = NULL; - else if ((cd->entry=(zip_entry_t *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) { + else if ((nentry > SIZE_MAX/sizeof(*(cd->entry))) || (cd->entry=(zip_entry_t *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) { zip_error_set(error, ZIP_ER_MEMORY, 0); free(cd); return NULL;