Fixed ssi and perl interaction.
The embedded perl module assumes there is space for a terminating NUL character;
make sure to provide it in all situations by allocating one extra byte for
the value buffer. The default ssi_value_length is reduced accordingly to
preserve 256 byte allocations.
While here, fixed another one byte value buffer overrun possible in
ssi_quoted_symbol_state.
Reported by Matthew Daley.
Maxim Dounin
10 years ago
1203 | 1203 | |
1204 | 1204 | if (ctx->value_buf == NULL) { |
1205 | 1205 | ctx->param->value.data = ngx_pnalloc(r->pool, |
1206 | ctx->value_len); | |
1206 | ctx->value_len + 1); | |
1207 | 1207 | if (ctx->param->value.data == NULL) { |
1208 | 1208 | return NGX_ERROR; |
1209 | 1209 | } |
1373 | 1373 | |
1374 | 1374 | case ssi_quoted_symbol_state: |
1375 | 1375 | state = ctx->saved_state; |
1376 | ||
1377 | if (ctx->param->value.len == ctx->value_len) { | |
1378 | ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, | |
1379 | "too long \"%V%c...\" value of \"%V\" " | |
1380 | "parameter in \"%V\" SSI command", | |
1381 | &ctx->param->value, ch, &ctx->param->key, | |
1382 | &ctx->command); | |
1383 | state = ssi_error_state; | |
1384 | break; | |
1385 | } | |
1376 | 1386 | |
1377 | 1387 | ctx->param->value.data[ctx->param->value.len++] = ch; |
1378 | 1388 | |
2885 | 2895 | prev->ignore_recycled_buffers, 0); |
2886 | 2896 | |
2887 | 2897 | ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024); |
2888 | ngx_conf_merge_size_value(conf->value_len, prev->value_len, 256); | |
2898 | ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255); | |
2889 | 2899 | |
2890 | 2900 | if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types, |
2891 | 2901 | &prev->types_keys, &prev->types, |
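Review bot: The `+ 1` added to `ngx_pnalloc(r->pool, ctx->value_len + 1)` covers only the `ctx->value_buf == NULL` branch. The path taken when `ctx->value_buf` is non-NULL is not in the visible hunks, so confirm that buffer is also sized `ctx->value_len + 1`. Otherwise the terminating NUL the commit message describes would still land one byte past the end on that path. The size invariant is also unstated in the code: the allocation is `value_len + 1`, while the bounds checks, including the one added in `ssi_quoted_symbol_state`, compare `value.len` against `value_len`, which a later maintainer could mistake for an off-by-one. A comment at the allocation such as `/* + 1: embedded perl assumes room for a terminating NUL */` would record why the two differ. The enclosing functions start and end outside these hunks.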