nginx-quic: src/http/modules/ngx_http_xslt_filter

comparison src/http/modules/ngx_http_xslt_filter_module.c @ 7540:9a970c905045

Xslt: fixed potential buffer overflow with null character. Due to shortcomings of the ccv->zero flag implementation in complex value interface, length of the resulting string from ngx_http_complex_value() might either not include terminating null character or include it, so the only safe way to work with the result is to use it as a null-terminated string. Reported by Patrick Wollgast.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Thu, 18 Jul 2019 18:27:54 +0300
parents	595a3de03e91
children	1f3bf1734a77

comparison

equal deleted inserted replaced

-:d75153522557
+:9a970c905045
 static ngx_int_t
 ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
 ngx_array_t *params, ngx_uint_t final)
 {
-u_char                 *p, *last, *value, *dst, *src, **s;
+u_char                 *p, *value, *dst, *src, **s;
 size_t                  len;
 ngx_uint_t              i;
 ngx_str_t               string;
 ngx_http_xslt_param_t  *param;
 }
 ngx_memcpy(p, string.data, string.len + 1);
 }
-last = p + string.len;
 while (p && *p) {
 value = p;
 p = (u_char *) ngx_strchr(p, '=');
 if (p == NULL) {
 if (p) {
 len = p - value;
 *p++ = '\0';
 } else {
-len = last - value;
+len = ngx_strlen(value);
 }
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
 "xslt filter param value: \"%s\"", value);

Mercurial > hg > nginx-quic

comparison src/http/modules/ngx_http_xslt_filter_module.c @ 7540:9a970c905045