changeset 6655:873d7053efb9

Geo: fixed access to already freed memory. Previously, in "ranges" mode when all added ranges were deleted, the ctx.high.low[i] was left pointing to a temporary array.
author Valentin Bartenev <vbart@nginx.com>
date Thu, 18 Aug 2016 17:11:03 +0300
parents c131f20c9562
children a2f57dfa65a9
files src/http/modules/ngx_http_geo_module.c src/stream/ngx_stream_geo_module.c
diffstat 2 files changed, 12 insertions(+), 2 deletions(-) [+]
--- a/src/http/modules/ngx_http_geo_module.c	Wed Aug 10 16:46:39 2016 +0300
+++ b/src/http/modules/ngx_http_geo_module.c	Thu Aug 18 17:11:03 2016 +0300
@@ -469,7 +469,12 @@
             for (i = 0; i < 0x10000; i++) {
                 a = (ngx_array_t *) ctx.high.low[i];
 
-                if (a == NULL || a->nelts == 0) {
+                if (a == NULL) {
+                    continue;
+                }
+
+                if (a->nelts == 0) {
+                    ctx.high.low[i] = NULL;
                     continue;
                 }
 
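Review bot: The added `ctx.high.low[i] = NULL;` in the `a->nelts == 0` branch carries no comment, and only the `(ngx_array_t *)` cast two lines up hints that the slot holds a temporary array at this point, so a later cleanup could fold the two checks back together and reintroduce the dangling pointer. I would add above the assignment: `/* all ranges were deleted: the array is temporary, clear the slot so it is not left dangling */`. The same comment belongs on the identical hunk in src/stream/ngx_stream_geo_module.c. The enclosing loop and function start and end outside the hunk, so where the temporary array is released is taken from the commit description rather than seen here.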
--- a/src/stream/ngx_stream_geo_module.c	Wed Aug 10 16:46:39 2016 +0300
+++ b/src/stream/ngx_stream_geo_module.c	Thu Aug 18 17:11:03 2016 +0300
@@ -436,7 +436,12 @@
             for (i = 0; i < 0x10000; i++) {
                 a = (ngx_array_t *) ctx.high.low[i];
 
-                if (a == NULL || a->nelts == 0) {
+                if (a == NULL) {
+                    continue;
+                }
+
+                if (a->nelts == 0) {
+                    ctx.high.low[i] = NULL;
                     continue;
                 }