Hi,

The function php_basename actually DOES access the char at s-1, i.e. one byte before the string it is passed. If you hand it a buffer gotten from malloc you get a valgrind hit. If I use emalloc this doesn't happen, I guess emalloc has some header stuff before the allocation. If for whatever reason s[-1] contains '/' then things would get even worse.

First of all: yes it should be fixed, but it is nothing dangerous. emalloc stores the size of the buffer before the pointer you actually get. On little endian systems this means a '/' can only be directly before the buffer if this buffer is > 752MB big. For big endian systems this is of course easier ;)


Anyway, this size is used only by the memory cache within the ZendEngine and by the memory_limit check. So by overwriting with a zero you could make the ZendEngine believe more memory is allocated than really is. <- No problem. The other thing could be that the block is inserted into the wrong cache position. Because we can only write 0 bytes this is no problem, because we would always insert the free memory block in a block that is assumed to be smaller (so no overflow possible).

Stefan

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
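The defect under discussion is a look-behind read (s[-1]) that is not guarded by a check that s is still past the start of the buffer. The following bounds-checked basename scan is an added example and is not PHP's php_basename or any other code from the list; the function names safe_basename and basename_is are hypothetical. Its main() copies a constructed path into an exactly-sized malloc() buffer, which is the setup under which a tool such as Valgrind reports a one-byte read before the allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounds-checked basename scan (not PHP's php_basename).
 * Returns a pointer into `path` to the last path component and stores
 * its length in *out_len. Trailing '/' characters are ignored, as with
 * POSIX basename(3). Every look-behind (x[-1]) is guarded by `x > path`,
 * so the byte before the buffer is never read, whatever allocator the
 * caller used and whatever happens to sit in front of the allocation. */
const char *safe_basename(const char *path, size_t len, size_t *out_len)
{
    const char *end = path + len;

    /* drop trailing slashes, stopping at the start of the buffer */
    while (end > path && end[-1] == '/')
        end--;

    /* walk back to the previous slash; `start > path` is the check that
       an unguarded s[-1] read lacks */
    const char *start = end;
    while (start > path && start[-1] != '/')
        start--;

    *out_len = (size_t)(end - start);
    return start;
}

/* Helper for checks: does the basename of `path` equal `expected`? */
int basename_is(const char *path, const char *expected)
{
    size_t n;
    const char *b = safe_basename(path, strlen(path), &n);
    return n == strlen(expected) && memcmp(b, expected, n) == 0;
}

int main(void)
{
    /* Constructed input: a copy in an exactly-sized malloc() buffer with
       no NUL terminator, so any read before or after the buffer is an
       invalid read that Valgrind would flag. */
    const char sample[] = "/var/www/html/index.php";
    size_t len = sizeof sample - 1;
    char *buf = malloc(len);
    if (!buf)
        return 1;
    memcpy(buf, sample, len);

    size_t n;
    const char *b = safe_basename(buf, len, &n);
    printf("basename: %.*s\n", (int)n, b);
    free(buf);
    return 0;
}
```

Because the scan takes an explicit length rather than relying on a terminator, the same guard also covers the empty string and a bare "/", the two inputs where an unguarded loop steps before the buffer on its very first comparison.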


