From 2187586207e1465d289ae64cedc829719a048a39 Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Thu, 18 Jul 2019 18:27:54 +0300
Subject: [PATCH] Xslt: fixed potential buffer overflow with null character.
Due to shortcomings of the ccv->zero flag implementation in complex value interface, length of the resulting string from ngx_http_complex_value() might either not include terminating null character or include it, so the only safe way to work with the result is to use it as a null-terminated string.
Reported by Patrick Wollgast.
---
 src/http/modules/ngx_http_xslt_filter_module.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/http/modules/ngx_http_xslt_filter_module.c b/src/http/modules/ngx_http_xslt_filter_module.c
index ea7ce2a5c..b2f107dc0 100644
--- a/src/http/modules/ngx_http_xslt_filter_module.c
+++ b/src/http/modules/ngx_http_xslt_filter_module.c
@@ -628,7 +628,7 @@ static ngx_int_t
 ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
 ngx_array_t *params, ngx_uint_t final)
 {
- u_char *p, *last, *value, *dst, *src, **s;
+ u_char *p, *value, *dst, *src, **s;
 size_t len;
 ngx_uint_t i;
 ngx_str_t string;
@@ -698,8 +698,6 @@ ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
 ngx_memcpy(p, string.data, string.len + 1);
 }
- last = p + string.len;
-
 while (p && *p) {
 value = p;
@@ -729,7 +727,7 @@ ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
 *p++ = '\0';
 } else {
- len = last - value;
+ len = ngx_strlen(value);
 }
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
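Review bot: The `else` branch in the third hunk now depends on the parameter buffer always ending in a null byte, and nothing at `len = ngx_strlen(value);` records that. A short comment there would keep a later edit from going back to arithmetic on `string.len`, for example `/* string.len may or may not count the trailing null; rely on the terminator */`. The guarantee itself is established outside these hunks, so it is worth confirming that every path that assigns `p` leaves it null-terminated, including the `ngx_memcpy(p, string.data, string.len + 1)` copy shown as context in the second hunk. The body of ngx_http_xslt_params starts and ends outside the hunks.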