Mercurial > hg > nginx
comparison src/http/ngx_http_script.c @ 6644:af642539cd53
Fixed regex captures handling without PCRE.
If PCRE is disabled, captures were treated as normal variables in
ngx_http_script_compile(), while code calculating flushes array length in
ngx_http_compile_complex_value() did not account captures as variables.
This could lead to write outside of the array boundary when setting
last element to -1.
Found with AddressSanitizer.
| author | Vladimir Homutov <vl@nginx.com> |
|---|---|
| date | Wed, 06 Jul 2016 14:33:40 +0300 |
| parents | f01ab2dbcfdc |
| children | e4590dfd97ff |
comparison
equal
deleted
inserted
replaced
| 6643:9757cffc1e2f | 6644:af642539cd53 |
|---|---|
| 348 | 348 |
| 349 if (++i == sc->source->len) { | 349 if (++i == sc->source->len) { |
| 350 goto invalid_variable; | 350 goto invalid_variable; |
| 351 } | 351 } |
| 352 | 352 |
| 353 if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') { | |
| 353 #if (NGX_PCRE) | 354 #if (NGX_PCRE) |
| 354 { | 355 ngx_uint_t n; |
| 355 ngx_uint_t n; | |
| 356 | |
| 357 if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') { | |
| 358 | 356 |
| 359 n = sc->source->data[i] - '0'; | 357 n = sc->source->data[i] - '0'; |
| 360 | 358 |
| 361 if (sc->captures_mask & (1 << n)) { | 359 if (sc->captures_mask & (1 << n)) { |
| 362 sc->dup_capture = 1; | 360 sc->dup_capture = 1; |
| 369 } | 367 } |
| 370 | 368 |
| 371 i++; | 369 i++; |
| 372 | 370 |
| 373 continue; | 371 continue; |
| 372 #else | |
| 373 ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0, | |
| 374 "using variable \"$%c\" requires " | |
| 375 "PCRE library", sc->source->data[i]); | |
| 376 return NGX_ERROR; | |
| 377 #endif | |
| 374 } | 378 } |
| 375 } | |
| 376 #endif | |
| 377 | 379 |
| 378 if (sc->source->data[i] == '{') { | 380 if (sc->source->data[i] == '{') { |
| 379 bracket = 1; | 381 bracket = 1; |
| 380 | 382 |
| 381 if (++i == sc->source->len) { | 383 if (++i == sc->source->len) { |