[nginx] Geo: fixed access to already freed memory.

Thu Aug 18 14:11:21 UTC 2016

details:   http://hg.nginx.org/nginx/rev/873d7053efb9
branches:  
changeset: 6655:873d7053efb9
user:      Valentin Bartenev <vbart at nginx.com>
date:      Thu Aug 18 17:11:03 2016 +0300
description:
Geo: fixed access to already freed memory.

Previously, in "ranges" mode when all added ranges were deleted,
the ctx.high.low[i] was left pointing to a temporary array.

diffstat:

 src/http/modules/ngx_http_geo_module.c |  7 ++++++-
 src/stream/ngx_stream_geo_module.c     |  7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diffs (34 lines):

diff -r c131f20c9562 -r 873d7053efb9 src/http/modules/ngx_http_geo_module.c

--- a/src/http/modules/ngx_http_geo_module.c	Wed Aug 10 16:46:39 2016 +0300
+++ b/src/http/modules/ngx_http_geo_module.c	Thu Aug 18 17:11:03 2016 +0300
@@ -469,7 +469,12 @@ ngx_http_geo_block(ngx_conf_t *cf, ngx_c
             for (i = 0; i < 0x10000; i++) {
                 a = (ngx_array_t *) ctx.high.low[i];
 
-                if (a == NULL || a->nelts == 0) {
+                if (a == NULL) {
+                    continue;
+                }
+
+                if (a->nelts == 0) {
+                    ctx.high.low[i] = NULL;
                     continue;
                 }
 
diff -r c131f20c9562 -r 873d7053efb9 src/stream/ngx_stream_geo_module.c
--- a/src/stream/ngx_stream_geo_module.c	Wed Aug 10 16:46:39 2016 +0300
+++ b/src/stream/ngx_stream_geo_module.c	Thu Aug 18 17:11:03 2016 +0300
@@ -436,7 +436,12 @@ ngx_stream_geo_block(ngx_conf_t *cf, ngx
             for (i = 0; i < 0x10000; i++) {
                 a = (ngx_array_t *) ctx.high.low[i];
 
-                if (a == NULL || a->nelts == 0) {
+                if (a == NULL) {
+                    continue;
+                }
+
+                if (a->nelts == 0) {
+                    ctx.high.low[i] = NULL;
                     continue;
                 }
 

