author | Glenn Strauss <gstrauss@gluelogic.com> | 2021-12-04 07:26:55 -0500 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2021-12-04 07:40:37 -0500 |
commit | ef9608f307205a312891d1afaf90a003548e4ff0 (patch) | |
tree | eec8f15222e14693f9d77adf20dbdf22e2af8cdc | |
parent | d6debd43ffb2edd11901c476fc78e22911880eb3 (diff) | |
download | lighttpd-git-ef9608f307205a312891d1afaf90a003548e4ff0.tar.gz |
[core] fix reqpool mem corruption in 1.4.62 (fixes #3118)
x-ref:
"Segfault after updating to version 1.4.62"
https://redmine.lighttpd.net/issues/3118
"Segfault on closing connections"
https://redmine.lighttpd.net/issues/3119
-rw-r--r-- | src/configfile-glue.c | 2 | ||||
-rw-r--r-- | src/h2.c | 2 | ||||
-rw-r--r-- | src/reqpool.c | 5 | ||||
-rw-r--r-- | src/request.h | 1 |
4 files changed, 6 insertions, 4 deletions
diff --git a/src/configfile-glue.c b/src/configfile-glue.c
index e5403626..3486c06c 100644
--- a/src/configfile-glue.c
+++ b/src/configfile-glue.c
@@ -692,7 +692,7 @@ static int config_pcre_match(request_st * const r, const data_config * const dc,
 r->cond_match[capture_offset] = r->cond_match_data + capture_offset;
 if (__builtin_expect( (NULL == cond_match->matches), 0)) {
 /*(allocate on demand)*/
- cond_match->matches = malloc(dc->ovec_nelts * sizeof(int *));
+ cond_match->matches = malloc(dc->ovec_nelts * sizeof(int));
 force_assert(cond_match->matches);
 }
 cond_match->comp_value = b; /*holds pointer to b (!) for pattern subst*/
@@ -2573,7 +2573,7 @@ h2_init_stream (request_st * const h2r, connection * const con)
 #ifdef HAVE_PCRE
 if (srv->config_captures)
 memcpy(r->cond_match, h2r->cond_match,
- srv->config_captures * sizeof(cond_match_t));
+ srv->config_captures * sizeof(cond_match_t *));
 #endif
 /*(see request_config_reset() and request_reset_ex())*/
 r->server_name = h2r->server_name;
diff --git a/src/reqpool.c b/src/reqpool.c
index aca37a4d..7ff9871c 100644
--- a/src/reqpool.c
+++ b/src/reqpool.c
@@ -66,7 +66,8 @@ request_init_data (request_st * const r, connection * const con, server * const
 force_assert(NULL != r->cond_cache);
 #ifdef HAVE_PCRE
- if (srv->config_captures) {/*(save 128b per con if no regex conditions)*/
+ if (srv->config_captures) {
+ r->cond_captures = srv->config_captures;
 r->cond_match = calloc(srv->config_captures, sizeof(cond_match_t *));
 force_assert(NULL != r->cond_match);
 r->cond_match_data = calloc(srv->config_captures, sizeof(cond_match_t));
@@ -232,7 +233,7 @@ request_free_data (request_st * const r)
 free(r->cond_cache);
 #ifdef HAVE_PCRE
 if (r->cond_match_data) {
- for (int i = 0, used = r->con->srv->config_captures; i < used; ++i) {
+ for (int i = 0, used = r->cond_captures; i < used; ++i) {
 #ifdef HAVE_PCRE2_H
 if (r->cond_match_data[i].match_data)
 pcre2_match_data_free(r->cond_match_data[i].match_data);
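Review bot: The element size in `malloc(dc->ovec_nelts * sizeof(int))` is still spelled as a type name, so nothing ties it to the declared type of `cond_match->matches`; the same pattern remains in `sizeof(cond_match_t *)` in the h2_init_stream memcpy further down. Deriving the size from the object keeps allocation and use in step, for example `sizeof(*r->cond_match)` in the memcpy. The declaration of `matches` is not in this hunk, so whether `sizeof(*cond_match->matches)` is usable here needs checking against the struct. The multiplication is also unchecked, which is only harmless if `ovec_nelts` is bounded by the configured patterns. config_pcre_match starts and ends outside the hunk.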
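Review bot: The copy length in the h2_init_stream memcpy is still taken from `srv->config_captures` rather than from the count recorded when `r->cond_match` was allocated. This commit adds `r->cond_captures` in request_init_data and reads it in request_free_data; bounding the copy by the destination's own count, `r->cond_captures * sizeof(cond_match_t *)`, would make all three sites agree and could not write past the destination array if the two values ever differ. This assumes `r` was set up by request_init_data, which is not visible in the hunk. h2_init_stream starts and ends outside the hunk.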
diff --git a/src/request.h b/src/request.h
index 6a0525b5..2332b6e7 100644
--- a/src/request.h
+++ b/src/request.h
@@ -194,6 +194,7 @@ struct request_st {
 struct chunkqueue reqbody_queue; /*(might use tempfiles)*/
 struct stat_cache_entry *tmp_sce; /*(value valid only in sequential code)*/
+ int cond_captures;
 }; |
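Review bot: The new member `int cond_captures;` has no comment, while the neighbouring members in the hunk each carry one. From the reqpool.c hunks it holds the element count passed to the `cond_match` and `cond_match_data` callocs and read back as the loop bound in request_free_data. A comment such as `int cond_captures; /*(num elts allocated in cond_match, cond_match_data)*/` would record that the field must stay paired with those allocations. The rest of struct request_st is outside the hunk.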