> socket_iovec_alloc($maxn,$maxn,$maxn);

Didn't I fix that one? Where is the overflow in this:

    int i, j, argc = ZEND_NUM_ARGS();

    if(argc>65536) {
        WRONG_PARAM_COUNT;
    }
    args = emalloc(argc*sizeof(zval**));
    if (argc < 1 || zend_get_parameters_array_ex(argc, args) == FAILURE) {
        efree(args);
        WRONG_PARAM_COUNT;
    }

    convert_to_long_ex(args[0]);
    num_vectors = Z_LVAL_PP(args[0]);

    if((argc-1) < num_vectors) {
        efree(args);
        WRONG_PARAM_COUNT;
    }
    vector_array = emalloc(sizeof(struct iovec)*(num_vectors+1));

It's not like argc can be negative, nor can it be >65536, and the two sizeof() calls certainly can't overflow... I don't see it.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
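Added example, not part of the original message and not PHP source: a size computation for a count-driven allocation like the last emalloc() in the snippet, bounding the count on both sides before multiplying. The helper name vec_alloc_size, the MAX_ARGS macro and the sample inputs are hypothetical, and it assumes num_vectors is held in a signed long (the snippet does not show its declaration).

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>   /* struct iovec */

#define MAX_ARGS 65536  /* same ceiling as the argc check in the snippet */

/*
 * Hypothetical helper (not a PHP API): byte size for an array of
 * (num_vectors + 1) elements of elem_size bytes.
 * Returns 0 and stores the size in *out, or -1 if the request is rejected.
 * Assumption: num_vectors arrives as a signed long taken from caller input.
 */
static int vec_alloc_size(long num_vectors, int argc, size_t elem_size, size_t *out)
{
    size_t count;

    if (argc < 1 || argc > MAX_ARGS)
        return -1;
    /* Lower bound: an upper-bound comparison on a signed value
     * does not reject negative counts, so check them explicitly. */
    if (num_vectors < 0)
        return -1;
    /* Upper bound as in the snippet: no more vectors than remaining args. */
    if (num_vectors > (long)argc - 1)
        return -1;
    count = (size_t)num_vectors + 1;
    /* Generic guard: reject a product that would wrap past SIZE_MAX. */
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs: {num_vectors, argc}. */
    long cases[][2] = { {2, 3}, {0, 1}, {-1, 3}, {LONG_MIN, 3}, {70000, 3} };
    size_t n = sizeof(cases) / sizeof(cases[0]), i, bytes;

    for (i = 0; i < n; i++) {
        if (vec_alloc_size(cases[i][0], (int)cases[i][1], sizeof(struct iovec), &bytes) == 0)
            printf("num_vectors=%ld argc=%ld -> %zu bytes\n", cases[i][0], cases[i][1], bytes);
        else
            printf("num_vectors=%ld argc=%ld -> rejected\n", cases[i][0], cases[i][1]);
    }
    return 0;
}
```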