]> git.kaiwu.me - nginx.git/commitdiff
Image filter: fixed reading past the received data master
authorVadim Zhestikov <v.zhestikov@f5.com>
Fri, 17 Jul 2026 20:16:08 +0000 (13:16 -0700)
committerVadimZhestikov <108960056+VadimZhestikov@users.noreply.github.com>
Fri, 17 Jul 2026 22:02:43 +0000 (15:02 -0700)
The size parser and the image decoders used ctx->length, which is the
allocation size (set to image_filter_buffer when the upstream response
omits Content-Length), as the amount of valid data, so a truncated
response without Content-Length could be parsed or decoded past the
received bytes into uninitialized buffer memory.

The length is now adjusted to the actually-read size once the response
body has been read.

Reported by dukesp69 and YLChen-007.

src/http/modules/ngx_http_image_filter_module.c

index 6c03e8aecec9d659edfe9378586434e479927855..283471ea0d067fc4d1ab675c5b1a0f1b97330062 100644 (file)
@@ -510,6 +510,7 @@ ngx_http_image_read(ngx_http_request_t *r, ngx_chain_t *in)
 
         if (b->last_buf) {
             ctx->last = p;
+            ctx->length = p - ctx->image;
             return NGX_OK;
         }
     }