# HG changeset patch
# User Vladimir Homutov
# Date 1467804820 -10800
# Node ID af642539cd5395b792c5fbf19959b0cf274de053
# Parent 9757cffc1e2f9ce3b81b1ef63f88831623700d1b
Fixed regex captures handling without PCRE.
If PCRE is disabled, captures were treated as normal variables in ngx_http_script_compile(), while code calculating flushes array length in ngx_http_compile_complex_value() did not account captures as variables. This could lead to write outside of the array boundary when setting last element to -1. Found with AddressSanitizer.
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -350,11 +350,9 @@ ngx_http_script_compile(ngx_http_script_
 goto invalid_variable;
 }
+ if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
 #if (NGX_PCRE)
- {
- ngx_uint_t n;
-
- if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+ ngx_uint_t n;
 n = sc->source->data[i] - '0';
@@ -371,9 +369,13 @@ ngx_http_script_compile(ngx_http_script_
 i++;
 continue;
- }
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+ "using variable \"$%c\" requires "
+ "PCRE library", sc->source->data[i]);
+ return NGX_ERROR;
+#endif
 }
-#endif
 if (sc->source->data[i] == '{') {
 bracket = 1;
diff --git a/src/stream/ngx_stream_script.c b/src/stream/ngx_stream_script.c
--- a/src/stream/ngx_stream_script.c
+++ b/src/stream/ngx_stream_script.c
@@ -282,11 +282,9 @@ ngx_stream_script_compile(ngx_stream_scr
 goto invalid_variable;
 }
+ if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
 #if (NGX_PCRE)
- {
- ngx_uint_t n;
-
- if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+ ngx_uint_t n;
 n = sc->source->data[i] - '0';
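Review bot: The `#else` branch added in the second hunk of src/http/ngx_http_script.c returns NGX_ERROR without any comment saying why a capture may not fall through to ordinary variable parsing when PCRE is absent. That reason is recorded only in the commit description: the flushes-array length calculation in ngx_http_compile_complex_value() does not count captures, so treating `$1`..`$9` as variables here overruns the array when the trailing -1 is stored. I would add above the log call `/* a capture is not counted as a variable when the flushes array is sized, so it must be rejected here rather than parsed as a variable */`, so a later cleanup does not restore the fall-through. The sizing code is not part of this diff, so whether any other token class is counted differently by the two scanners cannot be confirmed from here. The second hunk of src/stream/ngx_stream_script.c adds the same branch and needs the same comment; both functions begin and end outside their hunks.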
@@ -297,9 +295,13 @@ ngx_stream_script_compile(ngx_stream_scr
 i++;
 continue;
- }
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+ "using variable \"$%c\" requires "
+ "PCRE library", sc->source->data[i]);
+ return NGX_ERROR;
+#endif
 }
-#endif
 if (sc->source->data[i] == '{') {
 bracket = 1;