Mercurial > hg > nginx
comparison src/core/ngx_regex.c @ 8163:77d5c662f3d9
Fixed segfault if regex studies list allocation fails.
The rcf->studies list is unconditionally accessed by ngx_regex_cleanup(),
and this used to cause NULL pointer dereference if allocation
failed. Fix is to set cleanup handler only when allocation succeeds.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 18 Apr 2023 06:28:46 +0300 |
| parents | d07456044b61 |
| children | 533bc2336df4 |
comparison
equal
deleted
inserted
replaced
| 8162:252a7acd35ce | 8163:77d5c662f3d9 |
|---|---|
| 730 cln = ngx_pool_cleanup_add(cycle->pool, 0); | 730 cln = ngx_pool_cleanup_add(cycle->pool, 0); |
| 731 if (cln == NULL) { | 731 if (cln == NULL) { |
| 732 return NULL; | 732 return NULL; |
| 733 } | 733 } |
| 734 | 734 |
| 735 cln->handler = ngx_regex_cleanup; | |
| 736 cln->data = rcf; | |
| 737 | |
| 738 rcf->studies = ngx_list_create(cycle->pool, 8, sizeof(ngx_regex_elt_t)); | 735 rcf->studies = ngx_list_create(cycle->pool, 8, sizeof(ngx_regex_elt_t)); |
| 739 if (rcf->studies == NULL) { | 736 if (rcf->studies == NULL) { |
| 740 return NULL; | 737 return NULL; |
| 741 } | 738 } |
| 739 | |
| 740 cln->handler = ngx_regex_cleanup; | |
| 741 cln->data = rcf; | |
| 742 | 742 |
| 743 ngx_regex_studies = rcf->studies; | 743 ngx_regex_studies = rcf->studies; |
| 744 | 744 |
| 745 return rcf; | 745 return rcf; |
| 746 } | 746 } |