Mercurial > hg > nginx
comparison src/http/ngx_http_script.c @ 6644:af642539cd53
Fixed regex captures handling without PCRE.
If PCRE is disabled, captures were treated as normal variables in
ngx_http_script_compile(), while code calculating flushes array length in
ngx_http_compile_complex_value() did not account captures as variables.
This could lead to write outside of the array boundary when setting
last element to -1.
Found with AddressSanitizer.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Wed, 06 Jul 2016 14:33:40 +0300 |
parents | f01ab2dbcfdc |
children | e4590dfd97ff |
comparison
equal
deleted
inserted
replaced
6643:9757cffc1e2f | 6644:af642539cd53 |
---|---|
348 | 348 |
349 if (++i == sc->source->len) { | 349 if (++i == sc->source->len) { |
350 goto invalid_variable; | 350 goto invalid_variable; |
351 } | 351 } |
352 | 352 |
353 if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') { | |
353 #if (NGX_PCRE) | 354 #if (NGX_PCRE) |
354 { | 355 ngx_uint_t n; |
355 ngx_uint_t n; | |
356 | |
357 if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') { | |
358 | 356 |
359 n = sc->source->data[i] - '0'; | 357 n = sc->source->data[i] - '0'; |
360 | 358 |
361 if (sc->captures_mask & (1 << n)) { | 359 if (sc->captures_mask & (1 << n)) { |
362 sc->dup_capture = 1; | 360 sc->dup_capture = 1; |
369 } | 367 } |
370 | 368 |
371 i++; | 369 i++; |
372 | 370 |
373 continue; | 371 continue; |
372 #else | |
373 ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0, | |
374 "using variable \"$%c\" requires " | |
375 "PCRE library", sc->source->data[i]); | |
376 return NGX_ERROR; | |
377 #endif | |
374 } | 378 } |
375 } | |
376 #endif | |
377 | 379 |
378 if (sc->source->data[i] == '{') { | 380 if (sc->source->data[i] == '{') { |
379 bracket = 1; | 381 bracket = 1; |
380 | 382 |
381 if (++i == sc->source->len) { | 383 if (++i == sc->source->len) { |