From 60c4243eb8775d51662a01def8a7dad5d9fb34a7 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov
Date: Mon, 1 Jun 2026 21:46:48 +0400
Subject: [PATCH] Charset: fixed another rare buffer overread in recode_from_utf8()

With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte overread on invalid UTF-8 sequences. The reason is ngx_utf8_decode() stops advancing the pointer position on the first encountered invalid byte. The fix is to adjust the advanced pointer up to the whole saved sequence in this case.

Note that this may result in different output compared to complete invalid UTF-8 sequences, which we can disregard at this point.

Reported by Han Yan of Xiaomi and p4p3r of CYBERONE.
---
 src/http/modules/ngx_http_charset_filter_module.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
index edb2db568..e0115e1e4 100644
--- a/src/http/modules/ngx_http_charset_filter_module.c
+++ b/src/http/modules/ngx_http_charset_filter_module.c
@@ -855,6 +855,10 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf,
             ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0,
                            "http charset invalid utf 1");
 
+            if (saved < &ctx->saved[ctx->saved_len]) {
+                saved = &ctx->saved[ctx->saved_len];
+            }
+
         } else {
             dst = ngx_sprintf(dst, "&#%uD;", n);
         }
-- 
2.47.3
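Review bot: The added clamp on `saved` carries no comment, so the reason it exists — and why it is a memory-safety invariant rather than a cosmetic choice — is recoverable only from the commit message, not from the code. The pointer arithmetic that later derives the advance through `src` from `saved` sits outside this hunk, as does the rest of ngx_http_charset_recode_from_utf8(), so a reader of this branch alone cannot see that a `saved` left short of `ctx->saved_len` by ngx_utf8_decode() would move that advance backwards before the buffer start. I would add above the `if`: `/* ngx_utf8_decode() stops at the first invalid byte; consume the whole saved prefix so the advance computed from "saved" below can never go negative */`. It is also worth noting in that comment, as the commit message already does, that bytes of the saved prefix after the invalid one are deliberately skipped rather than re-decoded, so output for a split invalid sequence may differ from the unsplit case.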