Rewrite: harden escape flags control

Following 2046b45aa0, this change introduces better control of memory
allocation flags for escaped values.  Notably:

- The e->is_args flag is now explicitly reset on rewrite start.
  If the flag was set prior to rewrite start, then buffer overflow
  could happen before 2046b45aa0.

- The le->is_args flag value is now copied from e->is_args when
  calculating complex value length for "if" and "set" directives.
  If e->is_args was set, but le->is_args was not, then buffer overflow
  could happen before 2046b45aa0.

Roman Arutyunyan 2026-05-14 17:47:42 +04:00 committed by Roman Arutyunyan
parent eff1108854
commit 475732a3f9


@ -1183,6 +1183,7 @@ ngx_http_script_regex_start_code(ngx_http_script_engine_t *e)
return;
}
e->is_args = 0;
e->quote = code->redirect;
e->pos = e->buf.data;
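Review bot: the `e->is_args = 0;` reset sits after the early `return;` shown at the top of this hunk, so a call that leaves through that return keeps whatever value the flag had on entry. If that path can be followed by codes that consult `e->is_args`, move the reset ahead of the branch; if it cannot, a one-line comment saying why the flag only needs clearing here would help, since the commit message ties a stale flag to a buffer overflow.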
@ -1769,6 +1770,7 @@ ngx_http_script_complex_value_code(ngx_http_script_engine_t *e)
le.ip = code->lengths->elts;
le.line = e->line;
le.request = e->request;
le.is_args = e->is_args;
le.quote = e->quote;
for (len = 0; *(uintptr_t *) le.ip; len += lcode(&le)) {
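Review bot: at `le.is_args = e->is_args;` the length engine is filled in one field at a time, and the `len += lcode(&le)` loop below computes the length from it, so the fix depends on every escape-related flag being remembered here. A short comment above the `le.is_args` and `le.quote` assignments stating that they must mirror `e`, because the commit message links a mismatch to a buffer overflow, would make the invariant visible. It is also worth checking that any other place that sets up a length engine copies the same fields.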