]> git.kaiwu.me - nginx.git/commit
Image filter: fixed reading past the received data master
authorVadim Zhestikov <v.zhestikov@f5.com>
Fri, 17 Jul 2026 20:16:08 +0000 (13:16 -0700)
committerVadimZhestikov <108960056+VadimZhestikov@users.noreply.github.com>
Fri, 17 Jul 2026 22:02:43 +0000 (15:02 -0700)
commit95a24d1b9cdd89608c601748e2fdfe94fb81e7b3
treeb26564ac376632083d0d8800ac9de73a8cbc0506
parentfc9749b4170d493868dfaf44411d8fd9325d2f47
Image filter: fixed reading past the received data

The size parser and the image decoders used ctx->length, which is the
allocation size (set to image_filter_buffer when the upstream response
omits Content-Length), as the amount of valid data, so a truncated
response without Content-Length could be parsed or decoded past the
received bytes into uninitialized buffer memory.

The length is now adjusted to the actually-read size once the response
body has been read.

Reported by dukesp69 and YLChen-007.
src/http/modules/ngx_http_image_filter_module.c