Mercurial > hg > nginx
comparison src/stream/ngx_stream_script.c @ 6644:af642539cd53
Fixed regex captures handling without PCRE.
If PCRE is disabled, captures were treated as normal variables in
ngx_http_script_compile(), while code calculating flushes array length in
ngx_http_compile_complex_value() did not account captures as variables.
This could lead to write outside of the array boundary when setting
last element to -1.
Found with AddressSanitizer.
| author | Vladimir Homutov <vl@nginx.com> |
|---|---|
| date | Wed, 06 Jul 2016 14:33:40 +0300 |
| parents | c70b7f4537e1 |
| children | 0125b151c9a5 |
comparison
equal
deleted
inserted
replaced
| 6643:9757cffc1e2f | 6644:af642539cd53 |
|---|---|
| 280 | 280 |
| 281 if (++i == sc->source->len) { | 281 if (++i == sc->source->len) { |
| 282 goto invalid_variable; | 282 goto invalid_variable; |
| 283 } | 283 } |
| 284 | 284 |
| 285 if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') { | |
| 285 #if (NGX_PCRE) | 286 #if (NGX_PCRE) |
| 286 { | 287 ngx_uint_t n; |
| 287 ngx_uint_t n; | |
| 288 | |
| 289 if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') { | |
| 290 | 288 |
| 291 n = sc->source->data[i] - '0'; | 289 n = sc->source->data[i] - '0'; |
| 292 | 290 |
| 293 if (ngx_stream_script_add_capture_code(sc, n) != NGX_OK) { | 291 if (ngx_stream_script_add_capture_code(sc, n) != NGX_OK) { |
| 294 return NGX_ERROR; | 292 return NGX_ERROR; |
| 295 } | 293 } |
| 296 | 294 |
| 297 i++; | 295 i++; |
| 298 | 296 |
| 299 continue; | 297 continue; |
| 300 } | 298 #else |
| 301 } | 299 ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0, |
| 300 "using variable \"$%c\" requires " | |
| 301 "PCRE library", sc->source->data[i]); | |
| 302 return NGX_ERROR; | |
| 302 #endif | 303 #endif |
| 304 } | |
| 303 | 305 |
| 304 if (sc->source->data[i] == '{') { | 306 if (sc->source->data[i] == '{') { |
| 305 bracket = 1; | 307 bracket = 1; |
| 306 | 308 |
| 307 if (++i == sc->source->len) { | 309 if (++i == sc->source->len) { |