Previously, ngx_js_dict_parse_entry() parsed numeric values with
strtod((char *) p, &p), which has no end awareness. The state
file loader allocated a buffer sized to the exact file length and
passed end = buf + len, so a numeric token whose digits ran to the
very end of the allocation (for example a truncated or tampered
state file ending in '"value":123') let strtod() read past the
buffer into adjacent pool memory.
NUL-terminate the loaded buffer so strtod() stops at the file end.
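The two ways to keep strtod() inside a buffer that ends exactly after the last digit, as an added example in plain C that is not nginx or njs code: parse_number_bounded() copies the numeric token into a NUL-terminated scratch buffer so strtod() never sees the unterminated original, and load_terminated() mirrors the patch's approach of allocating len + 1 bytes and writing the terminator. The helper names, the scratch-buffer size and the sample state-file bytes are all assumptions made for this example.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Characters a JSON number may contain; NUL is deliberately excluded. */
static int is_json_num_char(unsigned char c)
{
    return (c >= '0' && c <= '9') || c == '-' || c == '+'
           || c == '.' || c == 'e' || c == 'E';
}

/* End-aware numeric parse (assumed helper, not the njs one).  Never reads
 * at or beyond `end`.  On success stores the value, advances *pp past the
 * token and returns 1.  Returns 0 for an empty, malformed, out-of-range or
 * over-long token. */
int parse_number_bounded(const unsigned char **pp, const unsigned char *end,
                         double *out)
{
    const unsigned char *p = *pp, *q = p;
    char tmp[64], *ep;               /* 64 is an assumed token limit */
    size_t n;

    while (q < end && is_json_num_char(*q)) {
        q++;
    }

    n = (size_t) (q - p);
    if (n == 0 || n >= sizeof(tmp)) {
        return 0;
    }

    memcpy(tmp, p, n);
    tmp[n] = '\0';                   /* strtod() now stops here at the latest */

    errno = 0;
    *out = strtod(tmp, &ep);
    if (ep == tmp || *ep != '\0' || errno == ERANGE) {
        return 0;
    }

    *pp = p + (ep - tmp);
    return 1;
}

/* The patch's approach: copy `len` bytes into len + 1 and terminate, so a
 * caller using plain strtod((char *) p, &p) stops at the file end.
 * Caller frees the result. */
unsigned char *load_terminated(const unsigned char *src, size_t len)
{
    unsigned char *buf = malloc(len + 1);    /* +1 for the terminator */

    if (buf == NULL) {
        return NULL;
    }

    memcpy(buf, src, len);
    buf[len] = '\0';
    return buf;
}

/* Constructed sample: a truncated state file whose last token is a number
 * with no closing brace, so its digits run to the very end of the data. */
static const char sample[] = "{\"key\":{\"value\":123";

/* Parse the sample's trailing number from an exact-size, unterminated copy
 * (like the original loader's buffer) with the bounded parser.
 * Returns the value or -1.0 on failure. */
double parse_sample_bounded(void)
{
    size_t len = sizeof(sample) - 1;
    unsigned char *buf = malloc(len);
    const unsigned char *p, *end;
    double v = -1.0;

    if (buf == NULL) {
        return -1.0;
    }
    memcpy(buf, sample, len);
    end = buf + len;
    p = buf + (len - 3);             /* start of "123" */
    if (!parse_number_bounded(&p, end, &v) || p != end) {
        v = -1.0;
    }
    free(buf);
    return v;
}

/* Same token, parsed with plain strtod() from a NUL-terminated copy. */
double parse_sample_terminated(void)
{
    size_t len = sizeof(sample) - 1;
    unsigned char *buf = load_terminated((const unsigned char *) sample, len);
    char *ep;
    double v;

    if (buf == NULL) {
        return -1.0;
    }
    v = strtod((char *) buf + (len - 3), &ep);
    if ((unsigned char *) ep != buf + len) {
        v = -1.0;
    }
    free(buf);
    return v;
}
```

Either approach fixes the over-read; the bounded parser additionally rejects tokens strtod() would otherwise accept beyond JSON syntax (leading whitespace, hex, "inf"), which is the stricter choice for a file that can be tampered with.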
len = size;
- buf = ngx_pnalloc(pool, len);
+ buf = ngx_pnalloc(pool, len + 1);
if (buf == NULL) {
goto failed;
}
+ buf[len] = '\0';
+
n = ngx_read_fd(fd, buf, len);
if (n == -1) {
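Review bot: the visible error path after ngx_read_fd() only handles n == -1, but a short read (n < len) leaves bytes n..len-1 as uninitialized pool memory that the parser will treat as file content before it reaches the terminator at buf[len]; unless a check that n equals len follows this hunk, reject a short read explicitly (or parse only the n bytes actually read and terminate at buf[n]). Writing buf[len] = '\0' before the read is fine since the read is bounded to len bytes, but a one-line comment at `buf = ngx_pnalloc(pool, len + 1);` saying the extra byte is the terminator strtod() depends on would stop a future cleanup from dropping it.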