Xslt: fixed potential buffer overflow with null character.
Due to shortcomings of the ccv->zero flag implementation in complex value
interface, length of the resulting string from ngx_http_complex_value()
might either not include terminating null character or include it,
so the only safe way to work with the result is to use it as a
null-terminated string.
Reported by Patrick Wollgast.
Maxim Dounin
1 year, 6 months ago
| 627 | 627 | ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx, |
| 628 | 628 | ngx_array_t *params, ngx_uint_t final) |
| 629 | 629 | { |
| 630 | u_char *p, *last, *value, *dst, *src, **s; | |
| 630 | u_char *p, *value, *dst, *src, **s; | |
| 631 | 631 | size_t len; |
| 632 | 632 | ngx_uint_t i; |
| 633 | 633 | ngx_str_t string; |
| 697 | 697 | ngx_memcpy(p, string.data, string.len + 1); |
| 698 | 698 | } |
| 699 | 699 | |
| 700 | last = p + string.len; | |
| 701 | ||
| 702 | 700 | while (p && *p) { |
| 703 | 701 | |
| 704 | 702 | value = p; |
| 728 | 726 | *p++ = '\0'; |
| 729 | 727 | |
| 730 | 728 | } else { |
| 731 | len = last - value; | |
| 729 | len = ngx_strlen(value); | |
| 732 | 730 | } |
| 733 | 731 | |
| 734 | 732 | ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |