Mercurial > hg > nginx
changeset 4583:a1d5842064f7
Fixed buffer overflow when long URI is processed by "try_files" in
regex location with "alias" (fixes ticket #135).
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Thu, 12 Apr 2012 09:19:14 +0000 |
parents | a8881886a5f7 |
children | 3d51fa5a110d |
files | src/http/ngx_http_core_module.c |
diffstat | 1 files changed, 15 insertions(+), 6 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/ngx_http_core_module.c Wed Apr 11 17:18:15 2012 +0000 +++ b/src/http/ngx_http_core_module.c Thu Apr 12 09:19:14 2012 +0000 @@ -1228,20 +1228,29 @@ len = tf->name.len; } - /* 16 bytes are preallocation */ - reserve = ngx_abs((ssize_t) (len - r->uri.len)) + alias + 16; + if (!alias) { + reserve = len > r->uri.len ? len - r->uri.len : 0; + +#if (NGX_PCRE) + } else if (clcf->regex) { + reserve = len; +#endif + + } else { + reserve = len > r->uri.len - alias ? len - (r->uri.len - alias) : 0; + } if (reserve > allocated) { - /* we just need to allocate path and to copy a root */ - - if (ngx_http_map_uri_to_path(r, &path, &root, reserve) == NULL) { + /* 16 bytes are preallocation */ + allocated = reserve + 16; + + if (ngx_http_map_uri_to_path(r, &path, &root, allocated) == NULL) { ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); return NGX_OK; } name = path.data + root; - allocated = path.len - root - (r->uri.len - alias); } if (tf->values == NULL) {