Fixed segfault if regex studies list allocation fails.

The rcf->studies list is unconditionally accessed by ngx_regex_cleanup(),
and this used to cause NULL pointer dereference if allocation
failed.  Fix is to set cleanup handler only when allocation succeeds.

diff --git a/src/core/ngx_regex.c b/src/core/ngx_regex.c
index bebf3b6a83eb49e529cdba63b05c428aa1b20d42..91381f499428b8686c6aeb3c649b0fc5a9aceb45 100644 (file)
--- a/src/core/ngx_regex.c
+++ b/src/core/ngx_regex.c
@@ -732,14 +732,14 @@ ngx_regex_create_conf(ngx_cycle_t *cycle)
         return NULL;
     }
 
-    cln->handler = ngx_regex_cleanup;
-    cln->data = rcf;
-
     rcf->studies = ngx_list_create(cycle->pool, 8, sizeof(ngx_regex_elt_t));
     if (rcf->studies == NULL) {
         return NULL;
     }
 
+    cln->handler = ngx_regex_cleanup;
+    cln->data = rcf;
+
     ngx_regex_studies = rcf->studies;
 
     return rcf;