From: Dmitry Volyntsev Date: Thu, 11 Jun 2026 04:12:25 +0000 (-0700) Subject: Modules: fix out-of-bounds read when loading a shared dict file X-Git-Tag: 1.0.0~17 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/postgres_fdw.c?a=commitdiff_plain;h=ccb1365bb181d8bbbe9dce0afff574fad1ed082d;p=njs.git Modules: fix out-of-bounds read when loading a shared dict file Previously, ngx_js_dict_parse_entry() parsed numeric values with strtod((char *) p, &p), which has no end awareness. The state file loader allocated a buffer sized to the exact file length and passed end = buf + len, so a numeric token whose digits ran to the very end of the allocation (for example a truncated or tampered state file ending in '"value":123') let strtod() read past the buffer into adjacent pool memory. NUL-terminate the loaded buffer so strtod() stops at the file end. --- diff --git a/nginx/ngx_js_shared_dict.c b/nginx/ngx_js_shared_dict.c index 7d002c4e..d9a1fc7c 100644 --- a/nginx/ngx_js_shared_dict.c +++ b/nginx/ngx_js_shared_dict.c @@ -2714,11 +2714,13 @@ ngx_js_dict_load(ngx_js_dict_t *dict) len = size; - buf = ngx_pnalloc(pool, len); + buf = ngx_pnalloc(pool, len + 1); if (buf == NULL) { goto failed; } + buf[len] = '\0'; + n = ngx_read_fd(fd, buf, len); if (n == -1) {
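Review bot: in ngx_js_dict_load(), buf[len] = '\0' is written before ngx_read_fd(fd, buf, len), so the terminator marks the requested length rather than the number of bytes actually read. The only check visible in this hunk is n == -1; if a short read (n < len) is not rejected further down, the bytes between n and len are uninitialized ngx_pnalloc() memory that the parser would still treat as file content, bounded by the sentinel but not by what was read. Consider setting the terminator after the read at buf[n], or failing when n != len. A one-line comment saying that the extra byte exists because strtod() in ngx_js_dict_parse_entry() takes no end pointer would also keep a later cleanup from dropping the + 1.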