Mercurial > hg > nginx
comparison src/core/ngx_regex.c @ 8163:77d5c662f3d9
Fixed segfault if regex studies list allocation fails.
The rcf->studies list is unconditionally accessed by ngx_regex_cleanup(),
and this used to cause NULL pointer dereference if allocation
failed. Fix is to set cleanup handler only when allocation succeeds.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 18 Apr 2023 06:28:46 +0300 |
parents | d07456044b61 |
children | 533bc2336df4 |
comparison
equal
deleted
inserted
replaced
8162:252a7acd35ce | 8163:77d5c662f3d9 |
---|---|
730 cln = ngx_pool_cleanup_add(cycle->pool, 0); | 730 cln = ngx_pool_cleanup_add(cycle->pool, 0); |
731 if (cln == NULL) { | 731 if (cln == NULL) { |
732 return NULL; | 732 return NULL; |
733 } | 733 } |
734 | 734 |
735 cln->handler = ngx_regex_cleanup; | |
736 cln->data = rcf; | |
737 | |
738 rcf->studies = ngx_list_create(cycle->pool, 8, sizeof(ngx_regex_elt_t)); | 735 rcf->studies = ngx_list_create(cycle->pool, 8, sizeof(ngx_regex_elt_t)); |
739 if (rcf->studies == NULL) { | 736 if (rcf->studies == NULL) { |
740 return NULL; | 737 return NULL; |
741 } | 738 } |
739 | |
740 cln->handler = ngx_regex_cleanup; | |
741 cln->data = rcf; | |
742 | 742 |
743 ngx_regex_studies = rcf->studies; | 743 ngx_regex_studies = rcf->studies; |
744 | 744 |
745 return rcf; | 745 return rcf; |
746 } | 746 } |