From: Feng Wu Date: Tue, 23 Jun 2026 23:22:43 +0000 (+0800) Subject: Add missing bounds check in ngx_{http,stream}_compile_complex_value() X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/postgres_fdw.c?a=commitdiff_plain;h=42f8df65b694fa193cc2519f91cedd08fbe38a2c;p=nginx.git Add missing bounds check in ngx_{http,stream}_compile_complex_value() Complex value compilation scans strings for $1..$9 capture references. Check that a byte after '$' is present before testing it, matching ngx_str_t length semantics and avoiding reliance on NUL termination. Apply the same check to both HTTP and stream implementations. --- diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c index 8f7b548cc..ddae0c1cb 100644 --- a/src/http/ngx_http_script.c +++ b/src/http/ngx_http_script.c @@ -150,7 +150,9 @@ ngx_http_compile_complex_value(ngx_http_compile_complex_value_t *ccv) for (i = 0; i < v->len; i++) { if (v->data[i] == '$') { - if (v->data[i + 1] >= '1' && v->data[i + 1] <= '9') { + if (i + 1 < v->len + && v->data[i + 1] >= '1' && v->data[i + 1] <= '9') + { nc++; } else { diff --git a/src/stream/ngx_stream_script.c b/src/stream/ngx_stream_script.c index c447e152f..175e44194 100644 --- a/src/stream/ngx_stream_script.c +++ b/src/stream/ngx_stream_script.c @@ -151,7 +151,9 @@ ngx_stream_compile_complex_value(ngx_stream_compile_complex_value_t *ccv) for (i = 0; i < v->len; i++) { if (v->data[i] == '$') { - if (v->data[i + 1] >= '1' && v->data[i + 1] <= '9') { + if (i + 1 < v->len + && v->data[i + 1] >= '1' && v->data[i + 1] <= '9') + { nc++; } else {
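Review bot: in the src/http/ngx_http_script.c hunk, a value whose last byte is '$' now fails the new "i + 1 < v->len" test and drops into the else branch, whose body is outside the context shown here. Please state in the commit message that this is the intended classification for a trailing '$', and add a regression test with a complex value ending in '$' so the former read of v->data[v->len] stays covered.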
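Review bot: in the src/stream/ngx_stream_script.c hunk, the three-line condition is a verbatim copy of the one added to the http file, with nothing in the code explaining why the length test is needed. A one-line comment above "if (i + 1 < v->len" noting that ngx_str_t data is length-delimited and may not be NUL-terminated would keep a later cleanup from removing the check as redundant in one copy and letting the two implementations drift apart.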