Klaus Demo nginx / 2187586
Xslt: fixed potential buffer overflow with null character.

Due to shortcomings of the ccv->zero flag implementation in complex value interface, length of the resulting string from ngx_http_complex_value() might either not include terminating null character or include it, so the only safe way to work with the result is to use it as a null-terminated string.

Reported by Patrick Wollgast.

Maxim Dounin, 1 year, 6 months ago
1 changed file(s) with 2 addition(s) and 4 deletion(s).
627627 ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
628628 ngx_array_t *params, ngx_uint_t final)
629629 {
630 u_char *p, *last, *value, *dst, *src, **s;
630 u_char *p, *value, *dst, *src, **s;
631631 size_t len;
632632 ngx_uint_t i;
633633 ngx_str_t string;
697697 ngx_memcpy(p, string.data, string.len + 1);
698698 }
699699
700 last = p + string.len;
701
702700 while (p && *p) {
703701
704702 value = p;
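Review bot: the `ngx_memcpy(p, string.data, string.len + 1)` kept at line 697 still takes its size from `string.len`, which the commit message describes as unreliable about whether the terminating null is counted. If the length already includes the terminator, this copy reads one byte past it, so please confirm the source buffer always holds at least `string.len + 1` bytes, or size the copy from the null-terminated string as the rest of the function now does. With `last` gone, `while (p && *p)` is the only bound on the scan, which holds only as long as that copy guarantees a terminator in `p`.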
728726 *p++ = '\0';
729727
730728 } else {
731 len = last - value;
729 len = ngx_strlen(value);
732730 }
733731
734732 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
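Review bot: in the else branch, `len = ngx_strlen(value)` is safe only because the buffer is null-terminated, and that invariant is stated in the commit message but nowhere in the code. A short comment above this line saying that the result of ngx_http_complex_value() must be handled as a null-terminated string, and that `string.len` must not be used for pointer arithmetic, would keep a later change from reintroducing the `last - value` form.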