items and size have the unsigned int type (32-bit).
So the result of the multiplication will also be 32-bit, while malloc takes size_t.
E.g. at values 0x80000000 and 0x2, malloc will take 0 when it should take 0x100000000 on 64-bit systems.
Such issues may lead to memory corruption because the allocated buffer size will be smaller than expected. However, in the zlib codebase, a vulnerable function is always called with controlled parameters, so for now there are no security concerns here.
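The truncation described above next to a widened, checked form, as an added example that is not zlib's code and not part of the original text. The function names are hypothetical, and unsigned int is assumed to be 32 bits wide.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count as computed when both operands are unsigned int: the product
   wraps modulo 2^32 before it is converted to size_t. */
size_t wrapped_request(unsigned items, unsigned size)
{
    return (size_t)(items * size);
}

/* Hardened form (hypothetical helper): widen to size_t first, then reject
   any product that does not fit. Returns 0 on success, -1 on overflow. */
int checked_request(unsigned items, unsigned size, size_t *out)
{
    size_t n = items, m = size;
    if (m != 0 && n > SIZE_MAX / m)
        return -1;
    *out = n * m;
    return 0;
}

/* Allocation wrapper (hypothetical) that fails instead of under-allocating. */
void *checked_alloc(unsigned items, unsigned size)
{
    size_t bytes;
    if (checked_request(items, size, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    unsigned items = 0x80000000u, size = 0x2u; /* values from the text */
    size_t bytes;

    printf("32-bit product passed to malloc: %#zx\n",
           wrapped_request(items, size));
    if (checked_request(items, size, &bytes) == 0)
        printf("widened product: %#zx\n", bytes);
    else
        puts("rejected: product does not fit in size_t");
    return 0;
}
```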