From: Vadim Zhestikov Date: Fri, 17 Jul 2026 20:16:08 +0000 (-0700) Subject: Image filter: fixed reading past the received data X-Git-Url: http://git.kaiwu.me/http/static/doc//%22data:,/%22?a=commitdiff_plain;h=HEAD;p=nginx.git Image filter: fixed reading past the received data The size parser and the image decoders used ctx->length, which is the allocation size (set to image_filter_buffer when the upstream response omits Content-Length), as the amount of valid data, so a truncated response without Content-Length could be parsed or decoded past the received bytes into uninitialized buffer memory. The length is now adjusted to the actually-read size once the response body has been read. Reported by dukesp69 and YLChen-007. --- diff --git a/src/http/modules/ngx_http_image_filter_module.c b/src/http/modules/ngx_http_image_filter_module.c index 6c03e8aec..283471ea0 100644 --- a/src/http/modules/ngx_http_image_filter_module.c +++ b/src/http/modules/ngx_http_image_filter_module.c @@ -510,6 +510,7 @@ ngx_http_image_read(ngx_http_request_t *r, ngx_chain_t *in) if (b->last_buf) { ctx->last = p; + ctx->length = p - ctx->image; return NGX_OK; } }