From: Sergey Kandaurov Date: Mon, 1 Jun 2026 17:46:48 +0000 (+0400) Subject: Charset: fixed another rare buffer overread in recode_from_utf8() X-Git-Tag: release-1.30.3~1 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=60c4243eb8775d51662a01def8a7dad5d9fb34a7;p=nginx.git Charset: fixed another rare buffer overread in recode_from_utf8() With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte overread on invalid UTF-8 sequences. The reason is ngx_utf8_decode() stops advancing the pointer position on the first encountered invalid byte. The fix is to adjust the advanced pointer up to the whole saved sequence in this case. Note that this may result in different output compared to complete invalid UTF-8 sequences, which we can disregard at this point. Reported by Han Yan of Xiaomi and p4p3r of CYBERONE. --- diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c index edb2db568..e0115e1e4 100644 --- a/src/http/modules/ngx_http_charset_filter_module.c +++ b/src/http/modules/ngx_http_charset_filter_module.c @@ -855,6 +855,10 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf, ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0, "http charset invalid utf 1"); + if (saved < &ctx->saved[ctx->saved_len]) { + saved = &ctx->saved[ctx->saved_len]; + } + } else { dst = ngx_sprintf(dst, "&#%uD;", n); }
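Review bot: the added `if (saved < &ctx->saved[ctx->saved_len])` block in the "http charset invalid utf 1" branch carries no comment, so the reason for moving `saved` to the end of the saved sequence exists only in the commit message (ngx_utf8_decode() stops advancing the pointer at the first invalid byte). Please add a short comment above the `if` stating that on an invalid sequence the whole saved sequence is skipped, and that the output may therefore differ from that of a complete invalid sequence, since the commit message accepts this as a behaviour change. It would also help to say whether `saved` can ever be past `&ctx->saved[ctx->saved_len]` at this point: if it cannot, a plain assignment expresses the intent more directly than the comparison; if it can, that case deserves its own note, because the guard then leaves a pointer beyond the saved data untouched.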