From 161fcf4bddca789b15dcf22b1e1d80cdabc24114 Mon Sep 17 00:00:00 2001
From: Vladimir Homutov
Date: Wed, 6 Jul 2016 14:33:40 +0300
Subject: [PATCH] Fixed regex captures handling without PCRE.

If PCRE is disabled, captures were treated as normal variables in ngx_http_script_compile(), while code calculating flushes array length in ngx_http_compile_complex_value() did not account captures as variables. This could lead to write outside of the array boundary when setting last element to -1. Found with AddressSanitizer.
---
 src/http/ngx_http_script.c | 14 ++++++++------
 src/stream/ngx_stream_script.c | 14 ++++++++------
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
index bff95250c..c2b165801 100644
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -350,11 +350,9 @@ ngx_http_script_compile(ngx_http_script_compile_t *sc)
 goto invalid_variable;
 }
-#if (NGX_PCRE)
- {
- ngx_uint_t n;
-
 if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+#if (NGX_PCRE)
+ ngx_uint_t n;
 n = sc->source->data[i] - '0';
@@ -371,9 +369,13 @@ ngx_http_script_compile(ngx_http_script_compile_t *sc)
 i++;
 continue;
- }
- }
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+ "using variable \"$%c\" requires "
+ "PCRE library", sc->source->data[i]);
+ return NGX_ERROR;
 #endif
+ }
 if (sc->source->data[i] == '{') {
 bracket = 1;
diff --git a/src/stream/ngx_stream_script.c b/src/stream/ngx_stream_script.c
index edf6e89f8..8130f9259 100644
--- a/src/stream/ngx_stream_script.c
+++ b/src/stream/ngx_stream_script.c
@@ -282,11 +282,9 @@ ngx_stream_script_compile(ngx_stream_script_compile_t *sc)
 goto invalid_variable;
 }
-#if (NGX_PCRE)
- {
- ngx_uint_t n;
-
 if (sc->source->data[i] >= '1' && sc->source->data[i] <= '9') {
+#if (NGX_PCRE)
+ ngx_uint_t n;
 n = sc->source->data[i] - '0';
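Review bot: The `#else` branch added in the second hunk of src/http/ngx_http_script.c rejects `$1`..`$9` without recording why, and the reason sits in a different function: per the commit message, ngx_http_compile_complex_value() does not count captures when it sizes the flushes array, so accepting them here is what overran it. A comment on the branch would keep the two sites in step, for example `/* captures are not counted when the flushes array is sized; reject them here */`. The matching `#else` branch in the second hunk of src/stream/ngx_stream_script.c wants the same comment. The sizing code and the store of the terminating -1 lie outside these hunks, so it cannot be seen here whether that store is bounds-checked; as written, the change removes the known trigger rather than guarding the write. The `if` block opens in the first hunk and closes in the second, and the enclosing function starts and ends outside both.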
@@ -297,9 +295,13 @@ ngx_stream_script_compile(ngx_stream_script_compile_t *sc)
 i++;
 continue;
- }
- }
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, sc->cf, 0,
+ "using variable \"$%c\" requires "
+ "PCRE library", sc->source->data[i]);
+ return NGX_ERROR;
 #endif
+ }
 if (sc->source->data[i] == '{') {
 bracket = 1;