From: Feng Wu Date: Sun, 21 Jun 2026 09:30:29 +0000 (+0800) Subject: HTTP/2: fixed overlapping memcpy in CONTINUATION frames X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/NGINX-js-1660x332.png%20%22NGINX%20JavaScript%20Banner%22?a=commitdiff_plain;h=2d71bdcf8b34d9a44608920e34f2d031b3a938b6;p=nginx.git HTTP/2: fixed overlapping memcpy in CONTINUATION frames When processing CONTINUATION frames, ngx_http_v2_handle_continuation() used ngx_memcpy() to shift header block fragment data past the frame header. If the fragment is larger than the frame header (9 bytes), the source and destination regions overlap, which is undefined behavior for memcpy. The same function already uses ngx_memmove() for another overlapping shift. --- diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c index 69cb0ae09..7b1efa3ec 100644 --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -1967,7 +1967,7 @@ ngx_http_v2_handle_continuation(ngx_http_v2_connection_t *h2c, u_char *pos, p = pos; pos += NGX_HTTP_V2_FRAME_HEADER_SIZE; - ngx_memcpy(pos, p, len); + ngx_memmove(pos, p, len); len = ngx_http_v2_parse_length(head);
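Review bot: The replaced call, ngx_memmove(pos, p, len), would benefit from a one-line comment saying that pos is p advanced by NGX_HTTP_V2_FRAME_HEADER_SIZE, so source and destination overlap whenever len exceeds that size. Without the comment a later cleanup could turn the call back into ngx_memcpy(). Because the data is shifted forward, the write ends NGX_HTTP_V2_FRAME_HEADER_SIZE bytes past the end of the source region. The hunk does not show where len is bounded against the end of the buffer, so confirm in the surrounding code that pos + len stays inside it after the pos += NGX_HTTP_V2_FRAME_HEADER_SIZE adjustment. The commit message notes that the function already uses ngx_memmove() for another overlapping shift, so it is worth checking the remaining ngx_memcpy() calls in this file for the same in-buffer shift pattern as part of this change.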