details: http://hg.nginx.org/nginx/rev/873d7053efb9 branches: changeset: 6655:873d7053efb9 user: Valentin Bartenev <vb...@nginx.com> date: Thu Aug 18 17:11:03 2016 +0300 description: Geo: fixed access to already freed memory.
Previously, in "ranges" mode when all added ranges were deleted, the ctx.high.low[i] was left pointing to a temporary array. diffstat: src/http/modules/ngx_http_geo_module.c | 7 ++++++- src/stream/ngx_stream_geo_module.c | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diffs (34 lines): diff -r c131f20c9562 -r 873d7053efb9 src/http/modules/ngx_http_geo_module.c --- a/src/http/modules/ngx_http_geo_module.c Wed Aug 10 16:46:39 2016 +0300 +++ b/src/http/modules/ngx_http_geo_module.c Thu Aug 18 17:11:03 2016 +0300 @@ -469,7 +469,12 @@ ngx_http_geo_block(ngx_conf_t *cf, ngx_c for (i = 0; i < 0x10000; i++) { a = (ngx_array_t *) ctx.high.low[i]; - if (a == NULL || a->nelts == 0) { + if (a == NULL) { + continue; + } + + if (a->nelts == 0) { + ctx.high.low[i] = NULL; continue; } diff -r c131f20c9562 -r 873d7053efb9 src/stream/ngx_stream_geo_module.c --- a/src/stream/ngx_stream_geo_module.c Wed Aug 10 16:46:39 2016 +0300 +++ b/src/stream/ngx_stream_geo_module.c Thu Aug 18 17:11:03 2016 +0300 @@ -436,7 +436,12 @@ ngx_stream_geo_block(ngx_conf_t *cf, ngx for (i = 0; i < 0x10000; i++) { a = (ngx_array_t *) ctx.high.low[i]; - if (a == NULL || a->nelts == 0) { + if (a == NULL) { + continue; + } + + if (a->nelts == 0) { + ctx.high.low[i] = NULL; continue; } _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel