Add missing bounds check in ngx_{http,stream}_compile_complex_value()

Complex value compilation scans strings for $1..$9 capture references. Check that a byte after '$' is present before testing it, matching ngx_str_t length semantics and avoiding reliance on NUL termination. Apply the same check to both HTTP and stream implementations.
2026-06-29 21:31:51 +00:00 · 2026-06-24 07:22:43 +08:00 · 2026-06-24 07:22:43 +08:00 · 42f8df65b6
commit 42f8df65b6
parent 2d71bdcf8b
2 changed files with 6 additions and 2 deletions
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@ -150,7 +150,9 @@ ngx_http_compile_complex_value(ngx_http_compile_complex_value_t *ccv)

    for (i = 0; i < v->len; i++) {
        if (v->data[i] == '$') {
-            if (v->data[i + 1] >= '1' && v->data[i + 1] <= '9') {
+            if (i + 1 < v->len
+                && v->data[i + 1] >= '1' && v->data[i + 1] <= '9')
+            {
                nc++;

            } else {
--- a/src/stream/ngx_stream_script.c
+++ b/src/stream/ngx_stream_script.c
@ -151,7 +151,9 @@ ngx_stream_compile_complex_value(ngx_stream_compile_complex_value_t *ccv)

    for (i = 0; i < v->len; i++) {
        if (v->data[i] == '$') {
-            if (v->data[i + 1] >= '1' && v->data[i + 1] <= '9') {
+            if (i + 1 < v->len
+                && v->data[i + 1] >= '1' && v->data[i + 1] <= '9')
+            {
                nc++;

            } else {