On June 4, 2003 01:12 pm, Moriyoshi Koizumi wrote: If (srclen + (chunks + 1) * endlen + 1) overflows and results in a <0 number, the result of the multiplication inside safe_emalloc would still be negative and we'll trigger the integer overflow check.
Ilia > "Ilia Alshanetsky" <[EMAIL PROTECTED]> wrote: > > - chunk_split (2) > > I might be missing something, but is chunk_split() really binary safe? > > dest = safe_emalloc(sizeof(char), (srclen + (chunks + 1) * endlen + 1), 0); > > What if integer overflow occurs during the calculation of (chunks + 1) * > endlen? > > Moriyoshi -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
