[PATCH] Gzip: fixed duplicate ngx_pfree() on ctx->preallocated
Maxim Dounin
mdounin at mdounin.ru
Wed Jun 10 16:32:56 UTC 2026
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1781106967 -10800
# Wed Jun 10 18:56:07 2026 +0300
# Node ID 9647f416bbae2c122d3a68976914b7228a8cf15f
# Parent 24b7d1e523493753729c6f77601f96ae22240404
Gzip: fixed duplicate ngx_pfree() on ctx->preallocated.

Previously, the gzip filter called ngx_pfree() on the ctx->preallocated
pointer in ngx_http_gzip_filter_deflate_end() when compression is
finished, but did not clear it. As a result, ngx_pfree() might be
called again in the ngx_http_gzip_body_filter() error handling code path
if an error happened either in ngx_http_gzip_filter_deflate_end() during
allocation of a chain link, or anywhere in the next body filters when
sending the last part of the response.

Potentially, this might cause issues if the same address is used by a
large pool allocation in the next body filters (unlikely in practice
though, especially given that standard body filters running after the
gzip filter don't do any large pool allocations).

The fix is to clear ctx->preallocated after it is freed in
ngx_http_gzip_filter_deflate_end().

Reported by Evan Hellman,
https://github.com/freenginx/nginx/issues/25
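The failure mode the commit message describes, as an added illustration that is not nginx code: a toy pool that tracks large allocations in a linked list and frees them by pointer comparison (the shape of ngx_pfree()), a gzip-like context whose preallocated buffer is freed once when compression ends, and an error path that frees it again. The pool, the slot allocator, and the function names deflate_end(), body_filter_failed() and run_scenario() are all constructed for this example; the backing allocator deliberately reuses the most recently released slot so that the "same address used by a later large allocation" case is reproduced deterministically.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy model (added example, not nginx code): a pool whose "large"
 * allocations live in a linked list and are freed by pointer comparison,
 * plus a gzip context whose preallocated buffer is freed when compression
 * ends and again on an error path.  Slots are reused LIFO on purpose so
 * that address reuse by "the next body filter" is deterministic.
 */

#define SLOT_SIZE 4096
#define NSLOTS    4

typedef struct large_s {
    void            *alloc;   /* NULL once freed, as ngx_pfree() leaves it */
    struct large_s  *next;
} large_t;

typedef struct {
    large_t        *large;                     /* large allocation list */
    unsigned char   slots[NSLOTS][SLOT_SIZE];  /* backing storage */
    int             free_stack[NSLOTS];        /* last freed is reused first */
    int             nfree;
    large_t         entries[NSLOTS * 2];       /* list nodes, never recycled */
    int             nentries;
} pool_t;

static void pool_init(pool_t *pool)
{
    memset(pool, 0, sizeof(*pool));
    for (int i = NSLOTS - 1; i >= 0; i--) pool->free_stack[pool->nfree++] = i;
}

/* analogue of a large ngx_palloc(): take a slot and link a list node */
static void *pool_alloc_large(pool_t *pool)
{
    if (pool->nfree == 0 || pool->nentries == NSLOTS * 2) return NULL;
    large_t *l = &pool->entries[pool->nentries++];
    l->alloc = pool->slots[pool->free_stack[--pool->nfree]];
    l->next = pool->large;
    pool->large = l;
    return l->alloc;
}

/* analogue of ngx_pfree(): release the large block whose address is p */
static int pool_free(pool_t *pool, void *p)
{
    for (large_t *l = pool->large; l; l = l->next) {
        if (p == l->alloc) {
            if (l->alloc) {   /* free(NULL) is a no-op in the real thing */
                size_t off = (size_t) ((unsigned char *) l->alloc - &pool->slots[0][0]);
                pool->free_stack[pool->nfree++] = (int) (off / SLOT_SIZE);
            }
            l->alloc = NULL;
            return 0;         /* NGX_OK */
        }
    }
    return -1;                /* NGX_DECLINED */
}

/* 1 if p is still a live large allocation in the pool, else 0 */
static int pool_is_live(pool_t *pool, void *p)
{
    for (large_t *l = pool->large; l; l = l->next) if (l->alloc == p) return 1;
    return 0;
}

typedef struct { void *preallocated; } gzip_ctx_t;

/* stands in for ngx_http_gzip_filter_deflate_end(): free the preallocation */
static void deflate_end(pool_t *pool, gzip_ctx_t *ctx, int clear_pointer)
{
    pool_free(pool, ctx->preallocated);
    if (clear_pointer) ctx->preallocated = NULL;   /* the patch's one-line fix */
}

/* stands in for the error path of ngx_http_gzip_body_filter() */
static void body_filter_failed(pool_t *pool, gzip_ctx_t *ctx)
{
    if (ctx->preallocated) pool_free(pool, ctx->preallocated);
}

/*
 * deflate_end() frees the preallocation, a later filter gets a large block
 * at the same address, then the gzip error path runs.  Returns 1 when the
 * stale pointer freed the later filter's block, 0 when it stayed live.
 */
static int run_scenario(int clear_pointer)
{
    pool_t      pool;
    gzip_ctx_t  ctx;
    void       *other;

    pool_init(&pool);
    ctx.preallocated = pool_alloc_large(&pool);
    deflate_end(&pool, &ctx, clear_pointer);
    other = pool_alloc_large(&pool);   /* reuses the slot just released */
    body_filter_failed(&pool, &ctx);
    return pool_is_live(&pool, other) ? 0 : 1;
}

int main(void)
{
    printf("pointer not cleared: other block freed = %d\n", run_scenario(0));
    printf("pointer cleared:     other block freed = %d\n", run_scenario(1));
    return 0;
}
```

With the pointer left stale, the second free matches the list node that now belongs to the later allocation and releases it out from under its owner; once the pointer is cleared, the error path's `if (ctx->preallocated)` guard skips the free and the later block stays live.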
diff --git a/src/http/modules/ngx_http_gzip_filter_module.c b/src/http/modules/ngx_http_gzip_filter_module.c
--- a/src/http/modules/ngx_http_gzip_filter_module.c
+++ b/src/http/modules/ngx_http_gzip_filter_module.c
@@ -902,6 +902,7 @@ ngx_http_gzip_filter_deflate_end(ngx_htt
}
ngx_pfree(r->pool, ctx->preallocated);
+ ctx->preallocated = NULL;
cl = ngx_alloc_chain_link(r->pool);
if (cl == NULL) {
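Review bot: the fix at `+ ctx->preallocated = NULL;` only prevents the second ngx_pfree() if the error handling path in ngx_http_gzip_body_filter() tests the pointer itself before freeing; that path is outside this hunk, so please confirm the guard there is on `ctx->preallocated` (not on a separate flag) and that any other cleanup in that path keyed on the same pointer is likewise safe to skip once it is NULL. A short comment above the new line, noting that it keeps the body filter's error path from freeing the buffer a second time, would help, since in isolation the free-then-NULL reads as an ordinary release rather than a deliberate guard against reuse of the address by a later large allocation.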