Fijxu/nginx-quic
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Xslt: fixed potential buffer overflow with null character.

Browse source 
Due to shortcomings of the ccv->zero flag implementation in complex value
interface, length of the resulting string from ngx_http_complex_value()
might either not include terminating null character or include it,
so the only safe way to work with the result is to use it as a
null-terminated string.

Reported by Patrick Wollgast.
This commit is contained in:
Maxim Dounin 2019-07-18 18:27:54 +03:00
parent 28ff4274dd
commit d084acda51
1 changed files with 2 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/http/modules/ngx_http_xslt_filter_module.c
View file

@ -628,7 +628,7 @@ static ngx_int_t
ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
ngx_array_t *params, ngx_uint_t final)
{
u_char *p, *last, *value, *dst, *src, **s;
u_char *p, *value, *dst, *src, **s;
size_t len;
ngx_uint_t i;
ngx_str_t string;
@ -698,8 +698,6 @@ ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
ngx_memcpy(p, string.data, string.len + 1);
}
last = p + string.len;
while (p && *p) {
value = p;
@ -729,7 +727,7 @@ ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
*p++ = '\0';
} else {
len = last - value;
len = ngx_strlen(value);
}
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,