]> git.kaiwu.me - nginx.git/commit
Charset: fix buffer over-read in recode_from_utf8().
authorDavid Carlier <devnexen@gmail.com>
Sun, 12 Apr 2026 06:13:23 +0000 (07:13 +0100)
committerSergey Kandaurov <s.kandaurov@f5.com>
Wed, 13 May 2026 17:20:55 +0000 (21:20 +0400)
commit54b7945961b2eaafc480d6b85d9635d0db1c126a
treed1af7332c9cb3b1846ad5da3432a7e07bf554f42
parent5461e8bbc09230a4cf8e3d7737c176ae69b091f1
Charset: fix buffer over-read in recode_from_utf8().

When a multi-byte UTF-8 character was split across 3+ single-byte
buffers, the saved bytes continuation path had two related bugs:

ngx_utf8_decode() was called with the last saved-array index instead
of the byte count, causing it to report "incomplete" even when the
sequence was already complete.

The subsequent ngx_memcpy() used that same index as the copy length,
reading past the input buffer boundary.
src/http/modules/ngx_http_charset_filter_module.c