changeset 6644:af642539cd53
Fixed regex captures handling without PCRE.
If PCRE is disabled, captures were treated as normal variables in
ngx_http_script_compile(), while code calculating flushes array length in
ngx_http_compile_complex_value() did not account captures as variables.
This could lead to write outside of the array boundary when setting
last element to -1.
Found with AddressSanitizer.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Wed, 06 Jul 2016 14:33:40 +0300 |
parents | 9757cffc1e2f |
children | b83a067949a3 |
files | src/http/ngx_http_script.c src/stream/ngx_stream_script.c |
diffstat | 2 files changed, 16 insertions(+), 12 deletions(-) [+] |
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -350,11 +350,9 @@ ngx_http_script_compile(ngx_http_script_
 goto invalid_variable;
 }
 
+ if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
 #if (NGX_PCRE)
- {
- ngx_uint_t n;
-
- if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+ ngx_uint_t n;
 
 n = sc->source->data[i] - '0';
 
@@ -371,9 +369,13 @@ ngx_http_script_compile(ngx_http_script_
 i++;
 
 continue;
- }
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+ "using variable \"$%c\" requires "
+ "PCRE library", sc->source->data[i]);
+ return NGX_ERROR;
+#endif
 }
-#endif
 
 if (sc->source->data[i] == '{') {
 bracket = 1;
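Review bot: The new `#else` branch in the second hunk rejects `$1`..`$9` without recording why a non-PCRE build must fail here rather than fall through to the ordinary variable path, and that reason is the memory-safety invariant this commit restores. Per the commit message, ngx_http_compile_complex_value() sizes the flushes array without counting captures as variables, so the digit test here has to stay in step with that count; I would put a comment above the `#else` such as `/* captures are not counted as variables when the flushes array is sized, so "$1".."$9" must never be compiled as a variable */`. The same comment applies to the identical branch in src/stream/ngx_stream_script.c. The sizing code is not part of this diff, so it is worth confirming that it applies the same `'1'`..`'9'` test to the character after `$`; ngx_http_script_compile() itself starts and ends outside the hunks.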
--- a/src/stream/ngx_stream_script.c
+++ b/src/stream/ngx_stream_script.c
@@ -282,11 +282,9 @@ ngx_stream_script_compile(ngx_stream_scr
 goto invalid_variable;
 }
 
+ if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
 #if (NGX_PCRE)
- {
- ngx_uint_t n;
-
- if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+ ngx_uint_t n;
 
 n = sc->source->data[i] - '0';
 
@@ -297,9 +295,13 @@ ngx_stream_script_compile(ngx_stream_scr
 i++;
 
 continue;
- }
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+ "using variable \"$%c\" requires "
+ "PCRE library", sc->source->data[i]);
+ return NGX_ERROR;
+#endif
 }
-#endif
 
 if (sc->source->data[i] == '{') {
 bracket = 1;