Fixed incorrect length handling in ngx_utf8_length().

Previously, ngx_utf8_decode() was called from ngx_utf8_length() with incorrect length, potentially resulting in out-of-bounds read when handling invalid UTF-8 strings. In practice out-of-bounds reads are not possible though, as autoindex, the only user of ngx_utf8_length(), provides null-terminated strings, and ngx_utf8_decode() anyway returns an errors when it sees a null in the middle of an UTF-8 sequence. Reported by Yunbin Liu.
author: Maxim Dounin <mdounin@mdounin.ru> 2019-04-15 20:14:07 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2019-04-15 20:14:07 +0300
commit: f09eae2a7586c5149fe7eaa497c8ff1be684270f (patch)
tree: 2df53cfd90a3d3cc337f2867aec447c2b4f59109 /src/core/ngx_string.c
parent: 5784889fb907485978919b91c2c7f6bf0c4843e3 (diff)
download: nginx-f09eae2a7586c5149fe7eaa497c8ff1be684270f.tar.gz
nginx-f09eae2a7586c5149fe7eaa497c8ff1be684270f.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
index 04980f8c3..468e9600c 100644
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1381,7 +1381,7 @@ ngx_utf8_length(u_char *p, size_t n)
             continue;
         }
 
-        if (ngx_utf8_decode(&p, n) > 0x10ffff) {
+        if (ngx_utf8_decode(&p, last - p) > 0x10ffff) {
             /* invalid UTF-8 */
             return n;
         }
author	Maxim Dounin <mdounin@mdounin.ru>	2019-04-15 20:14:07 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2019-04-15 20:14:07 +0300
commit	f09eae2a7586c5149fe7eaa497c8ff1be684270f (patch)
tree	2df53cfd90a3d3cc337f2867aec447c2b4f59109 /src/core/ngx_string.c
parent	5784889fb907485978919b91c2c7f6bf0c4843e3 (diff)
download	nginx-f09eae2a7586c5149fe7eaa497c8ff1be684270f.tar.gz nginx-f09eae2a7586c5149fe7eaa497c8ff1be684270f.zip