[nginx] svn commit: r4584 - trunk/src/http

Anonymous User
April 12, 2012 05:20AM
Author: ru
Date: 2012-04-12 09:19:14 +0000 (Thu, 12 Apr 2012)
New Revision: 4584
URL: http://trac.nginx.org/nginx/changeset/4584/nginx

Log:
Fixed buffer overflow when long URI is processed by "try_files" in
regex location with "alias" (fixes ticket #135).


Modified:
trunk/src/http/ngx_http_core_module.c

Modified: trunk/src/http/ngx_http_core_module.c
===================================================================
--- trunk/src/http/ngx_http_core_module.c 2012-04-11 17:18:15 UTC (rev 4583)
+++ trunk/src/http/ngx_http_core_module.c 2012-04-12 09:19:14 UTC (rev 4584)
@@ -1228,20 +1228,29 @@
len = tf->name.len;
}

- /* 16 bytes are preallocation */
- reserve = ngx_abs((ssize_t) (len - r->uri.len)) + alias + 16;
+ if (!alias) {
+ reserve = len > r->uri.len ? len - r->uri.len : 0;

+#if (NGX_PCRE)
+ } else if (clcf->regex) {
+ reserve = len;
+#endif
+
+ } else {
+ reserve = len > r->uri.len - alias ? len - (r->uri.len - alias) : 0;
+ }
+
if (reserve > allocated) {

- /* we just need to allocate path and to copy a root */
+ /* 16 bytes are preallocation */
+ allocated = reserve + 16;

- if (ngx_http_map_uri_to_path(r, &path, &root, reserve) == NULL) {
+ if (ngx_http_map_uri_to_path(r, &path, &root, allocated) == NULL) {
ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
return NGX_OK;
}

name = path.data + root;
- allocated = path.len - root - (r->uri.len - alias);
}

if (tf->values == NULL) {
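Review bot: In the final else branch, `r->uri.len - alias` is evaluated with nothing in the hunk guaranteeing that alias is not larger than r->uri.len. If both are unsigned, as the removed `ngx_abs((ssize_t) ...)` cast suggests, the difference wraps to a very large value, the `len >` comparison fails, and reserve silently becomes 0, which is the under-reservation this change is meant to prevent. Either state the invariant in a comment or write the test so it cannot wrap, for example `len + alias > r->uri.len ? len + alias - r->uri.len : 0`. The `clcf->regex` branch also deserves a one-line comment explaining why it reserves the full len instead of subtracting the URI length like the other two branches, since that asymmetry is the actual fix. Finally, allocated now records the requested size (reserve + 16) rather than being derived from path.len after the call, so it is worth confirming that ngx_http_map_uri_to_path() always provides at least that many bytes past name.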

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel