]> git.kaiwu.me - nginx.git/commit
Charset: fix buffer over-read in recode_from_utf8().
authorDavid Carlier <devnexen@gmail.com>
Sun, 12 Apr 2026 06:13:23 +0000 (07:13 +0100)
committerSergey Kandaurov <s.kandaurov@f5.com>
Wed, 13 May 2026 17:19:47 +0000 (21:19 +0400)
commit696a7f1b9198d576e6a59c1655b746fbf06561cf
treefd92e06202130485b28a05c2cf243e85c2f72946
parentf37ec3e5d4f527e52ed5b25951ad8aa7d1ff6266
Charset: fix buffer over-read in recode_from_utf8().

When a multi-byte UTF-8 character was split across 3+ single-byte
buffers, the saved bytes continuation path had two related bugs:

ngx_utf8_decode() was called with the last saved-array index instead
of the byte count, causing it to report "incomplete" even when the
sequence was already complete.

The subsequent ngx_memcpy() used that same index as the copy length,
reading past the input buffer boundary.
src/http/modules/ngx_http_charset_filter_module.c