backport upstreams to fix possible segfault

(cherry picked from commit da88cc128b849b21f0abcc014ecf7c74825ec9c1)
2025-04-02 02:38:53 +00:00 · 2025-04-02 02:38:53 +00:00 · c5b1032d23
commit c5b1032d23
parent 6086ee2e61
2 changed files with 39 additions and 1 deletions
--- a/backport-Fixed-segfault-if-regex-studies-list-allocation-fails.patch
+++ b/backport-Fixed-segfault-if-regex-studies-list-allocation-fails.patch
@ -0,0 +1,34 @@
+From 25c546ac37ba622b93c1a7075bd7eb447bac17b2 Mon Sep 17 00:00:00 2001
+From: Maxim Dounin <mdounin@mdounin.ru>
+Date: Tue, 18 Apr 2023 06:28:46 +0300
+Subject: [PATCH] Fixed segfault if regex studies list allocation fails.
+
+The rcf->studies list is unconditionally accessed by ngx_regex_cleanup(),
+and this used to cause NULL pointer dereference if allocation
+failed.  Fix is to set cleanup handler only when allocation succeeds.
+---
+ src/core/ngx_regex.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/ngx_regex.c b/src/core/ngx_regex.c
+index bebf3b6a83e..91381f49942 100644
+--- a/src/core/ngx_regex.c
+++ b/src/core/ngx_regex.c
+@@ -732,14 +732,14 @@ ngx_regex_create_conf(ngx_cycle_t *cycle)
+         return NULL;
+     }
+ 
+-    cln->handler = ngx_regex_cleanup;
+-    cln->data = rcf;
+-
+     rcf->studies = ngx_list_create(cycle->pool, 8, sizeof(ngx_regex_elt_t));
+     if (rcf->studies == NULL) {
+         return NULL;
+     }
+ 
+    cln->handler = ngx_regex_cleanup;
+    cln->data = rcf;
+
+     ngx_regex_studies = rcf->studies;
+ 
+     return rcf;
--- a/nginx.spec
+++ b/nginx.spec
@ -17,7 +17,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.24.0
-Release:           3
+Release:           4
 Summary:           A HTTP server, reverse proxy and mail proxy server
 License:           BSD
 URL:               http://nginx.org/
@ -43,6 +43,7 @@ Patch3:            backport-CVE-2023-44487.patch
 # https://nginx.org/download/patch.2024.mp4.txt
 Patch4:            backport-CVE-2024-7347.patch
 Patch5:            backport-CVE-2025-23419.patch
+Patch6:            backport-Fixed-segfault-if-regex-studies-list-allocation-fails.patch

 BuildRequires:     gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel
 Requires:          nginx-filesystem = %{epoch}:%{version}-%{release} openssl
@ -390,6 +391,9 @@ fi
 %{_mandir}/man8/nginx.8*

 %changelog
+* Wed Apr 02 2025 gaihuiying <eaglegai@163.com> - 1:1.24.0-4
+- backport upstreams to fix possible segfault
+
 * Thu Feb 06 2025 gaihuiying <eaglegai@163.com> - 1:1.24.0-3
 - fix CVE-2025-23419