File tree Expand file tree Collapse file tree 1 file changed +9
-5
lines changed Expand file tree Collapse file tree 1 file changed +9
-5
lines changed Original file line number Diff line number Diff line change @@ -1113,19 +1113,23 @@ PHP_FUNCTION(socket_iovec_alloc)
11131113 convert_to_long_ex (args [0 ]);
11141114 num_vectors = Z_LVAL_PP (args [0 ]);
11151115
1116- if ((argc - 1 ) < num_vectors ) {
1116+ if (num_vectors < 0 || (argc - 1 ) < num_vectors ) {
11171117 efree (args );
11181118 WRONG_PARAM_COUNT ;
11191119 }
1120+
11201121 vector_array = emalloc (sizeof (struct iovec )* (num_vectors + 1 ));
11211122
11221123 for (i = 0 , j = 1 ; i < num_vectors ; i ++ , j ++ ) {
11231124 convert_to_long_ex (args [j ]);
1124-
1125- if (Z_LVAL_PP (args [j ])> 0 ) {
1126- vector_array [i ].iov_base = (char * )emalloc (Z_LVAL_PP (args [j ]));
1127- vector_array [i ].iov_len = Z_LVAL_PP (args [j ]);
1125+ if (Z_LVAL_PP (args [j ])<=0 || Z_LVAL_PP (args [j ])> 1048576 ) {
1126+ php_error (E_WARNING , "%s() vector %d is invalid" , get_active_function_name (TSRMLS_C ), j );
1127+ efree (args );
1128+ efree (vector_array );
1129+ RETURN_FALSE ;
11281130 }
1131+ vector_array [i ].iov_base = (char * )emalloc (Z_LVAL_PP (args [j ]));
1132+ vector_array [i ].iov_len = Z_LVAL_PP (args [j ]);
11291133 }
11301134
11311135 efree (args );
You can’t perform that action at this time.
0 commit comments