Mercurial > hg > nginx-quic
comparison src/http/modules/ngx_http_xslt_filter_module.c @ 7540:9a970c905045
Xslt: fixed potential buffer overflow with null character.
Due to shortcomings of the ccv->zero flag implementation in complex value
interface, length of the resulting string from ngx_http_complex_value()
might either not include terminating null character or include it,
so the only safe way to work with the result is to use it as a
null-terminated string.
Reported by Patrick Wollgast.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 18 Jul 2019 18:27:54 +0300 |
parents | 595a3de03e91 |
children | 1f3bf1734a77 |
comparison
equal
deleted
inserted
replaced
7539:d75153522557 | 7540:9a970c905045 |
---|---|
626 | 626 |
627 static ngx_int_t | 627 static ngx_int_t |
628 ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx, | 628 ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx, |
629 ngx_array_t *params, ngx_uint_t final) | 629 ngx_array_t *params, ngx_uint_t final) |
630 { | 630 { |
631 u_char *p, *last, *value, *dst, *src, **s; | 631 u_char *p, *value, *dst, *src, **s; |
632 size_t len; | 632 size_t len; |
633 ngx_uint_t i; | 633 ngx_uint_t i; |
634 ngx_str_t string; | 634 ngx_str_t string; |
635 ngx_http_xslt_param_t *param; | 635 ngx_http_xslt_param_t *param; |
636 | 636 |
696 } | 696 } |
697 | 697 |
698 ngx_memcpy(p, string.data, string.len + 1); | 698 ngx_memcpy(p, string.data, string.len + 1); |
699 } | 699 } |
700 | 700 |
701 last = p + string.len; | |
702 | |
703 while (p && *p) { | 701 while (p && *p) { |
704 | 702 |
705 value = p; | 703 value = p; |
706 p = (u_char *) ngx_strchr(p, '='); | 704 p = (u_char *) ngx_strchr(p, '='); |
707 if (p == NULL) { | 705 if (p == NULL) { |
727 if (p) { | 725 if (p) { |
728 len = p - value; | 726 len = p - value; |
729 *p++ = '\0'; | 727 *p++ = '\0'; |
730 | 728 |
731 } else { | 729 } else { |
732 len = last - value; | 730 len = ngx_strlen(value); |
733 } | 731 } |
734 | 732 |
735 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, | 733 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |
736 "xslt filter param value: \"%s\"", value); | 734 "xslt filter param value: \"%s\"", value); |
737 | 735 |