From 7dcd6c0ebacab6d78ecc34cbac347ef46f79f479 Mon Sep 17 00:00:00 2001
From: Andrei Zeliankou <zelenkov@nginx.com>
Date: Wed, 31 Jan 2024 15:20:33 +0000
Subject: Avoiding arithmetic ops with NULL pointer in nxt_http_arguments_parse

Can be reproduced by test/test_variables.py::test_variables_dynamic_arguments
with enabled UndefinedBehaviorSanitizer:

src/nxt_http_request.c:961:17: runtime error: applying zero offset to null pointer
    #0 0x1050d95a4 in nxt_http_arguments_parse nxt_http_request.c:961
    #1 0x105102bf8 in nxt_http_var_arg nxt_http_variables.c:621
    #2 0x104f95d74 in nxt_var_interpreter nxt_var.c:507
    #3 0x104f98c98 in nxt_tstr_query nxt_tstr.c:265
    #4 0x1050abfd8 in nxt_router_access_log_writer nxt_router_access_log.c:194
    #5 0x1050d81f4 in nxt_http_request_close_handler nxt_http_request.c:838
    #6 0x104fcdc48 in nxt_event_engine_start nxt_event_engine.c:542
    #7 0x104fba838 in nxt_thread_trampoline nxt_thread.c:126
    #8 0x18133e030 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x7030)
    #9 0x181338e38 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1e38)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/nxt_http_request.c:961:17

Reviewed-by: Andrew Clayton <a.clayton@nginx.com>
---
 src/nxt_http_request.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'src')

diff --git a/src/nxt_http_request.c b/src/nxt_http_request.c
index f8d8d887..425a4607 100644
--- a/src/nxt_http_request.c
+++ b/src/nxt_http_request.c
@@ -946,6 +946,10 @@ nxt_http_arguments_parse(nxt_http_request_t *r)
         return NULL;
     }
 
+    if (nxt_slow_path(r->args->start == NULL)) {
+        goto end;
+    }
+
     hash = NXT_HTTP_FIELD_HASH_INIT;
     name = NULL;
     name_length = 0;
@@ -1026,6 +1030,8 @@ nxt_http_arguments_parse(nxt_http_request_t *r)
         }
     }
 
+end:
+
     r->arguments = args;
 
     return args;
-- 
cgit