Mercurial > hg > nginx-quic
comparison src/http/ngx_http_core_module.c @ 4583:a1d5842064f7
Fixed buffer overflow when long URI is processed by "try_files" in
regex location with "alias" (fixes ticket #135).
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Thu, 12 Apr 2012 09:19:14 +0000 |
| parents | 22e613ba0925 |
| children | f1a7633b20a4 |
comparison
equal
deleted
inserted
replaced
| 4582:a8881886a5f7 | 4583:a1d5842064f7 |
|---|---|
| 1226 | 1226 |
| 1227 } else { | 1227 } else { |
| 1228 len = tf->name.len; | 1228 len = tf->name.len; |
| 1229 } | 1229 } |
| 1230 | 1230 |
| 1231 /* 16 bytes are preallocation */ | 1231 if (!alias) { |
| 1232 reserve = ngx_abs((ssize_t) (len - r->uri.len)) + alias + 16; | 1232 reserve = len > r->uri.len ? len - r->uri.len : 0; |
| 1233 | |
| 1234 #if (NGX_PCRE) | |
| 1235 } else if (clcf->regex) { | |
| 1236 reserve = len; | |
| 1237 #endif | |
| 1238 | |
| 1239 } else { | |
| 1240 reserve = len > r->uri.len - alias ? len - (r->uri.len - alias) : 0; | |
| 1241 } | |
| 1233 | 1242 |
| 1234 if (reserve > allocated) { | 1243 if (reserve > allocated) { |
| 1235 | 1244 |
| 1236 /* we just need to allocate path and to copy a root */ | 1245 /* 16 bytes are preallocation */ |
| 1237 | 1246 allocated = reserve + 16; |
| 1238 if (ngx_http_map_uri_to_path(r, &path, &root, reserve) == NULL) { | 1247 |
| 1248 if (ngx_http_map_uri_to_path(r, &path, &root, allocated) == NULL) { | |
| 1239 ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); | 1249 ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); |
| 1240 return NGX_OK; | 1250 return NGX_OK; |
| 1241 } | 1251 } |
| 1242 | 1252 |
| 1243 name = path.data + root; | 1253 name = path.data + root; |
| 1244 allocated = path.len - root - (r->uri.len - alias); | |
| 1245 } | 1254 } |
| 1246 | 1255 |
| 1247 if (tf->values == NULL) { | 1256 if (tf->values == NULL) { |
| 1248 | 1257 |
| 1249 /* tf->name.len includes the terminating '\0' */ | 1258 /* tf->name.len includes the terminating '\0' */ |