git.kaiwu.me - nginx.git/commitdiff
Charset: fixed another rare buffer overread in recode_from_utf8()
author Sergey Kandaurov <pluknet@nginx.com>
Mon, 1 Jun 2026 17:46:48 +0000 (21:46 +0400)
committer Roman Arutyunyan <arutyunyan.roman@gmail.com>
Wed, 17 Jun 2026 15:15:33 +0000 (08:15 -0700)
With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte
overread on invalid UTF-8 sequences.  The reason is ngx_utf8_decode()
stops advancing the pointer position on the first encountered invalid
byte.  The fix is to adjust the advanced pointer up to the whole saved
sequence in this case.  Note that this may result in different output
compared to complete invalid UTF-8 sequences, which we can disregard
at this point.

Reported by Han Yan of Xiaomi and p4p3r of CYBERONE.

src/http/modules/ngx_http_charset_filter_module.c

index edb2db5683077dcb17a74eda963187e3ef6283a5..e0115e1e4435794f1ee0b6da9ffdd38c6bbe2681 100644 (file)
@@ -855,6 +855,10 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf,
         ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0,
                        "http charset invalid utf 1");
 
+        if (saved < &ctx->saved[ctx->saved_len]) {
+            saved = &ctx->saved[ctx->saved_len];
+        }
+
     } else {
         dst = ngx_sprintf(dst, "&#%uD;", n);
     }
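Review bot: the added clamp on `saved` in the invalid-UTF-8 branch carries no in-code comment, so the reason it is needed (per the commit message, ngx_utf8_decode() stops advancing at the first invalid byte, leaving the rest of the saved sequence to be accounted for from the source buffer one byte past its end) is only recoverable from the log. Suggest a short comment above the block, e.g. `/* ngx_utf8_decode() stops at the first invalid byte; skip the whole saved sequence */`, and, since the commit message notes the output now differs from the complete-sequence case, a regression test that feeds an invalid multibyte sequence split across two buffers so this path is exercised.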