diff options
author | Reyk Floeter <reyk@esdenera.com> | 2015-06-20 18:07:50 +0200 |
---|---|---|
committer | Reyk Floeter <reyk@esdenera.com> | 2015-06-20 18:07:50 +0200 |
commit | 5a2b3f8c4b6ca5a92e5f975c4c6ddf8564b6409c (patch) | |
tree | 1e1a3520e848df8cf48c389b3d05f383bee3f5d2 | |
parent | f3f57c7673a69d373ac1b2d64d919ea504d9f7f0 (diff) | |
download | httpd-5a2b3f8c4b6ca5a92e5f975c4c6ddf8564b6409c.tar.gz httpd-5a2b3f8c4b6ca5a92e5f975c4c6ddf8564b6409c.zip |
capture_to_close() wasn't checked (it returns -1 on error) and caused
a panic when using a ")(" pattern.
Found by Sebastien Marie
-rw-r--r-- | httpd/patterns.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/httpd/patterns.c b/httpd/patterns.c index b7cb381..23c7083 100644 --- a/httpd/patterns.c +++ b/httpd/patterns.c @@ -291,6 +291,8 @@ end_capture(struct match_state *ms, const char *s, const char *p) { int l = capture_to_close(ms); const char *res; + if (l == -1) + return NULL; /* close capture */ ms->capture[l].len = s - ms->capture[l].init; /* undo capture if match failed */ |