Mercurial > hg > nginx-quic
comparison src/http/ngx_http_core_module.c @ 4583:a1d5842064f7
Fixed buffer overflow when long URI is processed by "try_files" in
regex location with "alias" (fixes ticket #135).
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Thu, 12 Apr 2012 09:19:14 +0000 |
parents | 22e613ba0925 |
children | f1a7633b20a4 |
comparison
equal
deleted
inserted
replaced
4582:a8881886a5f7 | 4583:a1d5842064f7 |
---|---|
1226 | 1226 |
1227 } else { | 1227 } else { |
1228 len = tf->name.len; | 1228 len = tf->name.len; |
1229 } | 1229 } |
1230 | 1230 |
1231 /* 16 bytes are preallocation */ | 1231 if (!alias) { |
1232 reserve = ngx_abs((ssize_t) (len - r->uri.len)) + alias + 16; | 1232 reserve = len > r->uri.len ? len - r->uri.len : 0; |
1233 | |
1234 #if (NGX_PCRE) | |
1235 } else if (clcf->regex) { | |
1236 reserve = len; | |
1237 #endif | |
1238 | |
1239 } else { | |
1240 reserve = len > r->uri.len - alias ? len - (r->uri.len - alias) : 0; | |
1241 } | |
1233 | 1242 |
1234 if (reserve > allocated) { | 1243 if (reserve > allocated) { |
1235 | 1244 |
1236 /* we just need to allocate path and to copy a root */ | 1245 /* 16 bytes are preallocation */ |
1237 | 1246 allocated = reserve + 16; |
1238 if (ngx_http_map_uri_to_path(r, &path, &root, reserve) == NULL) { | 1247 |
1248 if (ngx_http_map_uri_to_path(r, &path, &root, allocated) == NULL) { | |
1239 ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); | 1249 ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); |
1240 return NGX_OK; | 1250 return NGX_OK; |
1241 } | 1251 } |
1242 | 1252 |
1243 name = path.data + root; | 1253 name = path.data + root; |
1244 allocated = path.len - root - (r->uri.len - alias); | |
1245 } | 1254 } |
1246 | 1255 |
1247 if (tf->values == NULL) { | 1256 if (tf->values == NULL) { |
1248 | 1257 |
1249 /* tf->name.len includes the terminating '\0' */ | 1258 /* tf->name.len includes the terminating '\0' */ |