[nginx] Fixed segfault if regex studies list allocation fails.

Sergey Kandaurov pluknet at nginx.com
Tue Apr 18 16:11:42 UTC 2023


details:   https://hg.nginx.org/nginx/rev/77d5c662f3d9
branches:  
changeset: 8163:77d5c662f3d9
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Tue Apr 18 06:28:46 2023 +0300
description:
Fixed segfault if regex studies list allocation fails.

The rcf->studies list is unconditionally accessed by ngx_regex_cleanup(),
and this used to cause NULL pointer dereference if allocation
failed.  Fix is to set cleanup handler only when allocation succeeds.

diffstat:

 src/core/ngx_regex.c |  6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diffs (21 lines):

diff -r 252a7acd35ce -r 77d5c662f3d9 src/core/ngx_regex.c
--- a/src/core/ngx_regex.c	Mon Apr 17 14:08:00 2023 +0400
+++ b/src/core/ngx_regex.c	Tue Apr 18 06:28:46 2023 +0300
@@ -732,14 +732,14 @@ ngx_regex_create_conf(ngx_cycle_t *cycle
         return NULL;
     }
 
-    cln->handler = ngx_regex_cleanup;
-    cln->data = rcf;
-
     rcf->studies = ngx_list_create(cycle->pool, 8, sizeof(ngx_regex_elt_t));
     if (rcf->studies == NULL) {
         return NULL;
     }
 
+    cln->handler = ngx_regex_cleanup;
+    cln->data = rcf;
+
     ngx_regex_studies = rcf->studies;
 
     return rcf;


More information about the nginx-devel mailing list