mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-12 21:52:41 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fixed buffer overflow when long URI is processed by "try_files" in

Browse Source 
regex location with "alias" (fixes ticket #135).
This commit is contained in:
Ruslan Ermilov 2012-04-12 09:19:14 +00:00
parent a5bb616af4
commit 3f25e12517
1 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/http/ngx_http_core_module.c
View File

@ -1228,20 +1228,29 @@ ngx_http_core_try_files_phase(ngx_http_request_t *r,
len = tf->name.len; len = tf->name.len;
} }
/* 16 bytes are preallocation */ if (!alias) {
reserve = ngx_abs((ssize_t) (len - r->uri.len)) + alias + 16; reserve = len > r->uri.len ? len - r->uri.len : 0;
#if (NGX_PCRE)
} else if (clcf->regex) {
reserve = len;
#endif
} else {
reserve = len > r->uri.len - alias ? len - (r->uri.len - alias) : 0;
}
if (reserve > allocated) { if (reserve > allocated) {
/* we just need to allocate path and to copy a root */ /* 16 bytes are preallocation */
allocated = reserve + 16;
if (ngx_http_map_uri_to_path(r, &path, &root, reserve) == NULL) { if (ngx_http_map_uri_to_path(r, &path, &root, allocated) == NULL) {
ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
return NGX_OK; return NGX_OK;
} }
name = path.data + root; name = path.data + root;
allocated = path.len - root - (r->uri.len - alias);
} }
if (tf->values == NULL) { if (tf->values == NULL) {