Never mind, I see it.

On Tue, 1 Apr 2003, Rasmus Lerdorf wrote:
> > socket_iovec_alloc($maxn,$maxn,$maxn);
>
> Didn't I fix that one? Where is the overflow in this:
>
> int i, j, argc = ZEND_NUM_ARGS();
>
> if(argc>65536) {
>     WRONG_PARAM_COUNT;
> }
>
> args = emalloc(argc*sizeof(zval**));
>
> if (argc < 1 || zend_get_parameters_array_ex(argc, args) == FAILURE) {
>     efree(args);
>     WRONG_PARAM_COUNT;
> }
>
> convert_to_long_ex(args[0]);
> num_vectors = Z_LVAL_PP(args[0]);
>
> if((argc-1) < num_vectors) {
>     efree(args);
>     WRONG_PARAM_COUNT;
> }
> vector_array = emalloc(sizeof(struct iovec)*(num_vectors+1));
>
> It's not like argc can be negative, nor can it be >65536, and the two
> sizeof() calls certainly can't overflow... I don't see it.
>
> -Rasmus
--
PHP Internals - PHP Runtime Development Mailing List