If PCRE is disabled, captures were treated as normal variables in
ngx_http_script_compile(), while code calculating flushes array length in
ngx_http_compile_complex_value() did not account captures as variables.
This could lead to write outside of the array boundary when setting
last element to -1.
Found with AddressSanitizer.
goto invalid_variable;
}
-#if (NGX_PCRE)
- {
- ngx_uint_t n;
-
if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+#if (NGX_PCRE)
+ ngx_uint_t n;
n = sc->source->data[i] - '0';
i++;
continue;
- }
- }
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+ "using variable \"$%c\" requires "
+ "PCRE library", sc->source->data[i]);
+ return NGX_ERROR;
#endif
+ }
if (sc->source->data[i] == '{') {
bracket = 1;
goto invalid_variable;
}
-#if (NGX_PCRE)
- {
- ngx_uint_t n;
-
if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+#if (NGX_PCRE)
+ ngx_uint_t n;
n = sc->source->data[i] - '0';
i++;
continue;
- }
- }
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+ "using variable \"$%c\" requires "
+ "PCRE library", sc->source->data[i]);
+ return NGX_ERROR;
#endif
+ }
if (sc->source->data[i] == '{') {
bracket = 1;