When processing CONTINUATION frames, ngx_http_v2_handle_continuation()
used ngx_memcpy() to shift header block fragment data past the frame
header. If the fragment is larger than the frame header (9 bytes),
the source and destination regions overlap, which is undefined
behavior for memcpy. The same function already uses ngx_memmove()
for another overlapping shift.
p = pos;
pos += NGX_HTTP_V2_FRAME_HEADER_SIZE;
- ngx_memcpy(pos, p, len);
+ ngx_memmove(pos, p, len);
len = ngx_http_v2_parse_length(head);
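Review bot: the ngx_memmove(pos, p, len) line carries no comment explaining why it must be a move rather than a copy. Since pos is p + NGX_HTTP_V2_FRAME_HEADER_SIZE, source and destination overlap whenever len exceeds the header size, and a one-line comment there would keep a later cleanup from switching it back to ngx_memcpy(). Separately, the shift writes up to pos + len, which is NGX_HTTP_V2_FRAME_HEADER_SIZE bytes past the end of the source region, and nothing in the visible lines shows that the buffer has room for that. It is worth confirming where that bound is enforced and adding a regression test that sends a CONTINUATION fragment longer than 9 bytes.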