]> git.kaiwu.me - nginx.git/commitdiff
Fixed regex captures handling without PCRE.
authorVladimir Homutov <vl@nginx.com>
Wed, 6 Jul 2016 11:33:40 +0000 (14:33 +0300)
committerVladimir Homutov <vl@nginx.com>
Wed, 6 Jul 2016 11:33:40 +0000 (14:33 +0300)
If PCRE is disabled, captures were treated as normal variables in
ngx_http_script_compile(), while code calculating flushes array length in
ngx_http_compile_complex_value() did not account captures as variables.
This could lead to write outside of the array boundary when setting
last element to -1.

Found with AddressSanitizer.

src/http/ngx_http_script.c
src/stream/ngx_stream_script.c

index bff95250c73879c519d9f4051366eff941fcaa3c..c2b165801a0e2a4f443c42c44e7bb4aa0c67f2ab 100644 (file)
@@ -350,11 +350,9 @@ ngx_http_script_compile(ngx_http_script_compile_t *sc)
                 goto invalid_variable;
             }
 
-#if (NGX_PCRE)
-            {
-            ngx_uint_t  n;
-
             if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+#if (NGX_PCRE)
+                ngx_uint_t  n;
 
                 n = sc->source->data[i] - '0';
 
@@ -371,9 +369,13 @@ ngx_http_script_compile(ngx_http_script_compile_t *sc)
                 i++;
 
                 continue;
-            }
-            }
+#else
+                ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+                                   "using variable \"$%c\" requires "
+                                   "PCRE library", sc->source->data[i]);
+                return NGX_ERROR;
 #endif
+            }
 
             if (sc->source->data[i] == '{') {
                 bracket = 1;
index edf6e89f8e427ab1fceba32a64beeca00059b22b..8130f925938f152b6b4c67214b8769a3400c9741 100644 (file)
@@ -282,11 +282,9 @@ ngx_stream_script_compile(ngx_stream_script_compile_t *sc)
                 goto invalid_variable;
             }
 
-#if (NGX_PCRE)
-            {
-            ngx_uint_t  n;
-
             if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+#if (NGX_PCRE)
+                ngx_uint_t  n;
 
                 n = sc->source->data[i] - '0';
 
@@ -297,9 +295,13 @@ ngx_stream_script_compile(ngx_stream_script_compile_t *sc)
                 i++;
 
                 continue;
-            }
-            }
+#else
+                ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+                                   "using variable \"$%c\" requires "
+                                   "PCRE library", sc->source->data[i]);
+                return NGX_ERROR;
 #endif
+            }
 
             if (sc->source->data[i] == '{') {
                 bracket = 1;