Possible event buffer overrun #27

@steverpalmer

Description

In function uev_run, the variable ee is declared to be an array of struct epoll_event with size UEV_MAX_EVENTS. This buffer is used in a call to epoll_wait with its maxevents parameter set to ctx->maxevents.

It may be that the intent is that ctx->maxevents cannot be bigger than UEV_MAX_EVENTS, but this is not enforced in uev_init1. Therefore, with the default UEV_MAX_EVENTS set to 10, I could use uev_init1 to set ctx->maxevents to 20, and then the ee buffer can be overrun in the call to epoll_wait.

Of course, it is unlikely that so many events will occur simultaneously, so in real life this vulnerability is very unlikely to occur. Nevertheless, I thought you might want to be aware.
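The sizing hazard described in the report, as an added example that is not part of the original issue and not libuev's own code: a fixed-size epoll_event array whose length and the maxevents handed to epoll_wait() are kept consistent by construction. All demo_ names and DEMO_MAX_EVENTS (standing in for UEV_MAX_EVENTS, default 10) are hypothetical; the init function performs the check the report says uev_init1 lacks, and the run function derives the count from the array itself so an oversized ctx->maxevents can never overrun it. Linux only (epoll, eventfd).

```c
/* Added example, not libuev code. demo_* names and DEMO_MAX_EVENTS are
 * hypothetical stand-ins for uev_init1/uev_run/UEV_MAX_EVENTS. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/epoll.h>
#include <sys/eventfd.h>

#define DEMO_MAX_EVENTS 10   /* plays the role of UEV_MAX_EVENTS (default 10) */
#define DEMO_MAX_FDS    32   /* how many constructed test fds the context holds */

/* Hypothetical context; mirrors the ctx->maxevents field named in the issue. */
struct demo_ctx {
    int epfd;
    int maxevents;
    int nfds;
    int fds[DEMO_MAX_FDS];
};

/* Init with the missing check: a maxevents the event array cannot hold is
 * rejected with EINVAL instead of being stored and later passed to epoll_wait(). */
int demo_init(struct demo_ctx *ctx, int maxevents)
{
    if (maxevents <= 0 || maxevents > DEMO_MAX_EVENTS) {
        errno = EINVAL;
        return -1;
    }
    ctx->epfd = epoll_create1(EPOLL_CLOEXEC);
    if (ctx->epfd < 0)
        return -1;
    ctx->maxevents = maxevents;
    ctx->nfds = 0;
    return 0;
}

/* Constructed input: register n eventfds whose counter starts at 1, so every
 * one is readable at once and more events are ready than the array can hold. */
int demo_add_ready_fds(struct demo_ctx *ctx, int n)
{
    int i;
    for (i = 0; i < n && ctx->nfds < DEMO_MAX_FDS; i++) {
        struct epoll_event ev = { .events = EPOLLIN };
        int fd = eventfd(1, EFD_CLOEXEC | EFD_NONBLOCK);
        if (fd < 0)
            return -1;
        ev.data.fd = fd;
        if (epoll_ctl(ctx->epfd, EPOLL_CTL_ADD, fd, &ev) < 0) {
            close(fd);
            return -1;
        }
        ctx->fds[ctx->nfds++] = fd;
    }
    return i;
}

/* One pass of the loop. The count handed to epoll_wait() is bounded by the
 * array's own length, so even a stale or oversized ctx->maxevents cannot
 * overrun ee. Returns the number of events reported. */
int demo_run_once(struct demo_ctx *ctx)
{
    struct epoll_event ee[DEMO_MAX_EVENTS];
    int cap = (int)(sizeof(ee) / sizeof(ee[0]));
    int n = ctx->maxevents < cap ? ctx->maxevents : cap;
    int ready = epoll_wait(ctx->epfd, ee, n, 0);   /* timeout 0: poll only */
    for (int i = 0; i < ready; i++) {
        uint64_t v;                                 /* drain the eventfd so it */
        ssize_t r = read(ee[i].data.fd, &v, sizeof v); /* is not reported again */
        (void)r;
    }
    return ready;
}

void demo_close(struct demo_ctx *ctx)
{
    for (int i = 0; i < ctx->nfds; i++)
        close(ctx->fds[i]);
    close(ctx->epfd);
}

int main(void)
{
    struct demo_ctx ctx;
    if (demo_init(&ctx, 20) < 0)
        printf("maxevents=20 rejected: %s\n", strerror(errno));
    if (demo_init(&ctx, DEMO_MAX_EVENTS) < 0)
        return 1;
    demo_add_ready_fds(&ctx, 20);                   /* 20 ready, room for 10 */
    printf("first pass reported %d events\n", demo_run_once(&ctx));
    demo_close(&ctx);
    return 0;
}
```

The first pass reports DEMO_MAX_EVENTS events although twice as many are ready: the kernel fills at most maxevents entries, so keeping that argument tied to sizeof(ee) is the whole fix. Rejecting at init and clamping at the call site are independent; either one alone closes the overrun, and doing both means a later change to one does not silently reopen it.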
