From: Rasmus Lerdorf <rasmus@php.net>
Date: Tue, 1 Apr 2003 18:12:24 +0000 (+0000)
Subject: Ok, really fix socket_iovec_alloc() this time
X-Git-Tag: php-4.3.2RC2~209
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=724429c759efcb07063d8181b90398fdc4feea22;p=php

Ok, really fix socket_iovec_alloc() this time
---

diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
index c8371eb70d..54eefb966f 100644
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -1113,19 +1113,23 @@ PHP_FUNCTION(socket_iovec_alloc)
 	convert_to_long_ex(args[0]);
 	num_vectors = Z_LVAL_PP(args[0]);
 
-	if((argc-1)	< num_vectors) {
+	if(num_vectors < 0 || (argc-1) < num_vectors) {
 		efree(args);
 		WRONG_PARAM_COUNT;
 	}
+
 	vector_array = emalloc(sizeof(struct iovec)*(num_vectors+1));
 
 	for (i = 0, j = 1; i < num_vectors; i++, j++) {
 		convert_to_long_ex(args[j]);
-	
-		if(Z_LVAL_PP(args[j])>0) {
-			vector_array[i].iov_base	= (char*)emalloc(Z_LVAL_PP(args[j]));
-			vector_array[i].iov_len		= Z_LVAL_PP(args[j]);
+		if(Z_LVAL_PP(args[j])<=0 || Z_LVAL_PP(args[j])>1048576) {
+	        php_error(E_WARNING, "%s() vector %d is invalid", get_active_function_name(TSRMLS_C), j);
+			efree(args);
+			efree(vector_array);
+			RETURN_FALSE;
 		}
+		vector_array[i].iov_base	= (char*)emalloc(Z_LVAL_PP(args[j]));
+		vector_array[i].iov_len		= Z_LVAL_PP(args[j]);
 	}
 	
 	efree(args);