On Sat, Oct 1, 2011 at 2:08 AM, agentzh <agentzh@gmail.com> wrote:
>
> Thank you for the review. I've already updated the patch per your
> suggestion and tested on my side :)
>
Markus Linnala has found a memory overflow issue in my previous patch.
Here attaches an updated one for nginx 1.0.9.
Thanks!
-agentzh
--- nginx-1.0.9/src/http/ngx_http_variables.c 2011-05-30
20:36:17.000000000 +0800
+++ nginx-1.0.9-patched/src/http/ngx_http_variables.c 2011-11-08
22:21:55.229247198 +0800
@@ -648,7 +648,17 @@
a = (ngx_array_t *) ((char *) r + data);
- n = a->nelts;
+ h = a->elts;
+ n = 0;
+
+ for (i = 0; i < a->nelts; i++) {
+
+ if (h[i]->hash == 0) {
+ continue;
+ }
+
+ n++;
+ }
if (n == 0) {
v->not_found = 1;
@@ -659,9 +669,7 @@
v->no_cacheable = 0;
v->not_found = 0;
- h = a->elts;
-
- if (n == 1) {
+ if (n == 1 && a->nelts == 1) {
v->len = (*h)->value.len;
v->data = (*h)->value.data;
@@ -670,7 +678,12 @@
len = - (ssize_t) (sizeof("; ") - 1);
- for (i = 0; i < n; i++) {
+ for (i = 0; i < a->nelts; i++) {
+
+ if (h[i]->hash == 0) {
+ continue;
+ }
+
len += h[i]->value.len + sizeof("; ") - 1;
}
@@ -683,9 +696,14 @@
v->data = p;
for (i = 0; /* void */ ; i++) {
+
+ if (h[i]->hash == 0) {
+ continue;
+ }
+
p = ngx_copy(p, h[i]->value.data, h[i]->value.len);
- if (i == n - 1) {
+ if (--n == 0) {
break;
}
@@ -738,6 +756,10 @@
i = 0;
}
+ if (header[i].hash == 0) {
+ continue;
+ }
+
for (n = 0; n + prefix < var->len && n < header[i].key.len; n++) {
ch = header[i].key.data[n];
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel