[nginx] Fixed regex captures handling without PCRE.

Vladimir Homutov vl at nginx.com
Fri Jul 22 14:46:23 UTC 2016


details:   http://hg.nginx.org/nginx/rev/af642539cd53
branches:  
changeset: 6644:af642539cd53
user:      Vladimir Homutov <vl at nginx.com>
date:      Wed Jul 06 14:33:40 2016 +0300
description:
Fixed regex captures handling without PCRE.

If PCRE is disabled, captures were treated as normal variables in
ngx_http_script_compile(), while the code calculating the flushes array
length in ngx_http_compile_complex_value() did not count captures as
variables.  This could lead to a write outside the array boundary when
setting the last element to -1.

Found with AddressSanitizer.

diffstat:

 src/http/ngx_http_script.c     |  14 ++++++++------
 src/stream/ngx_stream_script.c |  14 ++++++++------
 2 files changed, 16 insertions(+), 12 deletions(-)

diffs (66 lines):

diff -r 9757cffc1e2f -r af642539cd53 src/http/ngx_http_script.c
--- a/src/http/ngx_http_script.c	Tue Jun 14 18:29:46 2016 +0300
+++ b/src/http/ngx_http_script.c	Wed Jul 06 14:33:40 2016 +0300
@@ -350,11 +350,9 @@ ngx_http_script_compile(ngx_http_script_
                 goto invalid_variable;
             }
 
+            if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
 #if (NGX_PCRE)
-            {
-            ngx_uint_t  n;
-
-            if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+                ngx_uint_t  n;
 
                 n = sc->source->data[i] - '0';
 
@@ -371,9 +369,13 @@ ngx_http_script_compile(ngx_http_script_
                 i++;
 
                 continue;
+#else
+                ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+                                   "using variable \"$%c\" requires "
+                                   "PCRE library", sc->source->data[i]);
+                return NGX_ERROR;
+#endif
             }
-            }
-#endif
 
             if (sc->source->data[i] == '{') {
                 bracket = 1;
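Review bot: Nothing in the code records why the `'1'`..`'9'` test now sits outside `#if (NGX_PCRE)`; the `if` opens in the previous hunk and its `#else` arm closes in this one. Per the commit description, the flushes array length calculated in ngx_http_compile_complex_value() does not count `$1`..`$9` as variables, so this parser must never let them reach the ordinary variable path, or the terminating -1 is written past the end of the array. A comment above the `if` would keep the two classifications in sync, e.g. `/* $1..$9 are not counted as variables when sizing flushes; handle them here in every build */`. The same comment belongs in ngx_stream_script_compile() in the src/stream/ngx_stream_script.c hunks; the sizing code is outside this diff, so the stream counterpart is presumably analogous and worth confirming.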
diff -r 9757cffc1e2f -r af642539cd53 src/stream/ngx_stream_script.c
--- a/src/stream/ngx_stream_script.c	Tue Jun 14 18:29:46 2016 +0300
+++ b/src/stream/ngx_stream_script.c	Wed Jul 06 14:33:40 2016 +0300
@@ -282,11 +282,9 @@ ngx_stream_script_compile(ngx_stream_scr
                 goto invalid_variable;
             }
 
+            if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
 #if (NGX_PCRE)
-            {
-            ngx_uint_t  n;
-
-            if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+                ngx_uint_t  n;
 
                 n = sc->source->data[i] - '0';
 
@@ -297,9 +295,13 @@ ngx_stream_script_compile(ngx_stream_scr
                 i++;
 
                 continue;
+#else
+                ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+                                   "using variable \"$%c\" requires "
+                                   "PCRE library", sc->source->data[i]);
+                return NGX_ERROR;
+#endif
             }
-            }
-#endif
 
             if (sc->source->data[i] == '{') {
                 bracket = 1;


