Newsgroups: php.internals
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Sascha Schumann
Cc: internals@lists.php.net
Date: Tue, 1 Apr 2003 09:17:30 -0800 (PST)
Subject: Re: [PHP-DEV] further segfaults in php

> socket_iovec_alloc($maxn,$maxn,$maxn);

Didn't I fix that one?  Where is the overflow in this:

    int i, j, argc = ZEND_NUM_ARGS();

    if(argc>65536) {
        WRONG_PARAM_COUNT;
    }

    args = emalloc(argc*sizeof(zval**));

    if (argc < 1 || zend_get_parameters_array_ex(argc, args) == FAILURE) {
        efree(args);
        WRONG_PARAM_COUNT;
    }

    convert_to_long_ex(args[0]);
    num_vectors = Z_LVAL_PP(args[0]);

    if((argc-1) < num_vectors) {
        efree(args);
        WRONG_PARAM_COUNT;
    }

    vector_array = emalloc(sizeof(struct iovec)*(num_vectors+1));

It's not like argc can be negative, nor can it be >65536, and the two
sizeof() calls certainly can't overflow...  I don't see it.

-Rasmus
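The size computation under discussion, as an added example that is not from the thread or from PHP's sockets extension. The posted snippet ends at the emalloc() call and the rest of the function is not on this page, so the example only exercises the visible checks and the size expression: posted_checks_accept() reproduces the three parameter checks, posted_alloc_size() reproduces sizeof(struct iovec)*(num_vectors+1) with num_vectors as a long, and checked_alloc_size() is a hardened variant written here that also rejects a negative count and guards the multiply. IOVEC_MAX_ARGS and all three function names are names chosen for this example; the argc value 3 models the three-argument call quoted at the top of the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>   /* struct iovec, as used by the posted code */

/* Stand-in for the literal 65536 ceiling in the posted code (name chosen here). */
#define IOVEC_MAX_ARGS 65536L

/* The size expression exactly as the posted code computes it:
 * sizeof(struct iovec) * (num_vectors + 1), with num_vectors a long.
 * (num_vectors + 1) is converted to size_t for the multiply, so a value
 * below -1 yields a wrapped, near-SIZE_MAX byte count; -1 yields 0. */
size_t posted_alloc_size(long num_vectors)
{
    return sizeof(struct iovec) * (num_vectors + 1);
}

/* The three parameter checks reproduced from the posted code.
 * Returns 1 when they would let the call proceed to the emalloc(),
 * 0 when they would bail out with WRONG_PARAM_COUNT. Note the last
 * check bounds num_vectors from above only. */
int posted_checks_accept(long argc, long num_vectors)
{
    if (argc > IOVEC_MAX_ARGS)
        return 0;
    if (argc < 1)
        return 0;
    if ((argc - 1) < num_vectors)
        return 0;
    return 1;
}

/* Hardened variant (added here, not PHP's code): the count must be
 * non-negative and bounded by the supplied arguments, and the multiply is
 * checked against SIZE_MAX before it is performed. Returns the byte size
 * to allocate, or 0 when the request must be rejected; a valid request
 * always needs at least one iovec, so 0 is unambiguous. */
size_t checked_alloc_size(long argc, long num_vectors)
{
    if (argc < 1 || argc > IOVEC_MAX_ARGS)
        return 0;
    if (num_vectors < 0)                      /* negative count: reject */
        return 0;
    if (num_vectors > argc - 1)               /* more vectors than arguments */
        return 0;
    size_t count = (size_t)num_vectors + 1;   /* num_vectors <= 65535, cannot wrap */
    if (count > SIZE_MAX / sizeof(struct iovec))
        return 0;                             /* multiply would overflow size_t */
    return count * sizeof(struct iovec);
}

int main(void)
{
    /* Constructed sample counts for argc = 3: the valid maximum, zero,
     * and two negative values that the upper-bound check does not catch. */
    long cases[] = { 2, 0, -1, -2 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long n = cases[i];
        printf("num_vectors=%ld argc=3: posted accept=%d "
               "posted size=%zu checked size=%zu\n",
               n, posted_checks_accept(3, n),
               posted_alloc_size(n), checked_alloc_size(3, n));
    }
    return 0;
}
```

Run stand-alone, the loop shows that with argc = 3 the posted checks accept every num_vectors up to 2, negative values included, and that the size expression then evaluates to 0 bytes for -1 and to a wrapped near-SIZE_MAX value for -2; checked_alloc_size() returns 0 for both, and for any count that exceeds argc - 1 or the 65536 ceiling.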