Mercurial > hg > nginx

changeset 6655:873d7053efb9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Geo: fixed access to already freed memory. Previously, in "ranges" mode when all added ranges were deleted, the ctx.high.low[i] was left pointing to a temporary array.
author Valentin Bartenev <vbart@nginx.com>
date Thu, 18 Aug 2016 17:11:03 +0300
parents c131f20c9562
children a2f57dfa65a9
files src/http/modules/ngx_http_geo_module.c src/stream/ngx_stream_geo_module.c
diffstat 2 files changed, 12 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/src/http/modules/ngx_http_geo_module.c
+++ b/src/http/modules/ngx_http_geo_module.c
@@ -469,7 +469,12 @@ ngx_http_geo_block(ngx_conf_t *cf, ngx_c
             for (i = 0; i < 0x10000; i++) {
                 a = (ngx_array_t *) ctx.high.low[i];
 
-                if (a == NULL || a->nelts == 0) {
+                if (a == NULL) {
+                    continue;
+                }
+
+                if (a->nelts == 0) {
+                    ctx.high.low[i] = NULL;
                     continue;
                 }
 
--- a/src/stream/ngx_stream_geo_module.c
+++ b/src/stream/ngx_stream_geo_module.c
@@ -436,7 +436,12 @@ ngx_stream_geo_block(ngx_conf_t *cf, ngx
             for (i = 0; i < 0x10000; i++) {
                 a = (ngx_array_t *) ctx.high.low[i];
 
-                if (a == NULL || a->nelts == 0) {
+                if (a == NULL) {
+                    continue;
+                }
+
+                if (a->nelts == 0) {
+                    ctx.high.low[i] = NULL;
                     continue;
                 }