Xslt: fixed potential buffer overflow with null character.

Due to shortcomings of the ccv->zero flag implementation in complex value
interface, length of the resulting string from ngx_http_complex_value()
might either not include terminating null character or include it,
so the only safe way to work with the result is to use it as a
null-terminated string.

Reported by Patrick Wollgast.

diff --git a/src/http/modules/ngx_http_xslt_filter_module.c b/src/http/modules/ngx_http_xslt_filter_module.c
index ea7ce2a5c95a42829bcb429eeb14035752034088..b2f107dc0ac89e44cc7a75bbfede43f07b3aebc4 100644 (file)
--- a/src/http/modules/ngx_http_xslt_filter_module.c
+++ b/src/http/modules/ngx_http_xslt_filter_module.c
@@ -628,7 +628,7 @@ static ngx_int_t
 ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
     ngx_array_t *params, ngx_uint_t final)
 {
-    u_char                 *p, *last, *value, *dst, *src, **s;
+    u_char                 *p, *value, *dst, *src, **s;
     size_t                  len;
     ngx_uint_t              i;
     ngx_str_t               string;
@@ -698,8 +698,6 @@ ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
             ngx_memcpy(p, string.data, string.len + 1);
         }
 
-        last = p + string.len;
-
         while (p && *p) {
 
             value = p;
@@ -729,7 +727,7 @@ ngx_http_xslt_params(ngx_http_request_t *r, ngx_http_xslt_filter_ctx_t *ctx,
                 *p++ = '\0';
 
             } else {
-                len = last - value;
+                len = ngx_strlen(value);
             }
 
             ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,