From 95a24d1b9cdd89608c601748e2fdfe94fb81e7b3 Mon Sep 17 00:00:00 2001 From: Vadim Zhestikov Date: Fri, 17 Jul 2026 13:16:08 -0700 Subject: [PATCH] Image filter: fixed reading past the received data The size parser and the image decoders used ctx->length, which is the allocation size (set to image_filter_buffer when the upstream response omits Content-Length), as the amount of valid data, so a truncated response without Content-Length could be parsed or decoded past the received bytes into uninitialized buffer memory. The length is now adjusted to the actually-read size once the response body has been read. Reported by dukesp69 and YLChen-007. --- src/http/modules/ngx_http_image_filter_module.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/http/modules/ngx_http_image_filter_module.c b/src/http/modules/ngx_http_image_filter_module.c index 6c03e8aec..283471ea0 100644 --- a/src/http/modules/ngx_http_image_filter_module.c +++ b/src/http/modules/ngx_http_image_filter_module.c @@ -510,6 +510,7 @@ ngx_http_image_read(ngx_http_request_t *r, ngx_chain_t *in) if (b->last_buf) { ctx->last = p; + ctx->length = p - ctx->image; return NGX_OK; } } -- 2.47.3