Mercurial > hg > nginx-quic
diff src/http/ngx_http_script.c @ 6644:af642539cd53
Fixed regex captures handling without PCRE.
If PCRE is disabled, captures were treated as normal variables in
ngx_http_script_compile(), while code calculating flushes array length in
ngx_http_compile_complex_value() did not account captures as variables.
This could lead to write outside of the array boundary when setting
last element to -1.
Found with AddressSanitizer.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Wed, 06 Jul 2016 14:33:40 +0300 |
parents | f01ab2dbcfdc |
children | e4590dfd97ff |
line wrap: on
line diff
--- a/src/http/ngx_http_script.c +++ b/src/http/ngx_http_script.c @@ -350,11 +350,9 @@ ngx_http_script_compile(ngx_http_script_ goto invalid_variable; } + if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') { #if (NGX_PCRE) - { - ngx_uint_t n; - - if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') { + ngx_uint_t n; n = sc->source->data[i] - '0'; @@ -371,9 +369,13 @@ ngx_http_script_compile(ngx_http_script_ i++; continue; - } +#else + ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0, + "using variable \"$%c\" requires " + "PCRE library", sc->source->data[i]); + return NGX_ERROR; +#endif } -#endif if (sc->source->data[i] == '{') { bracket = 1;