From ccb1365bb181d8bbbe9dce0afff574fad1ed082d Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Wed, 10 Jun 2026 21:12:25 -0700
Subject: [PATCH] Modules: fix out-of-bounds read when loading a shared dict file

Previously, ngx_js_dict_parse_entry() parsed numeric values with strtod((char *) p, &p), which has no end awareness. The state file loader allocated a buffer sized to the exact file length and passed end = buf + len, so a numeric token whose digits ran to the very end of the allocation (for example a truncated or tampered state file ending in '"value":123') let strtod() read past the buffer into adjacent pool memory. NUL-terminate the loaded buffer so strtod() stops at the file end.
---
 nginx/ngx_js_shared_dict.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nginx/ngx_js_shared_dict.c b/nginx/ngx_js_shared_dict.c
index 7d002c4e..d9a1fc7c 100644
--- a/nginx/ngx_js_shared_dict.c
+++ b/nginx/ngx_js_shared_dict.c
@@ -2714,11 +2714,13 @@ ngx_js_dict_load(ngx_js_dict_t *dict)
     len = size;
 
-    buf = ngx_pnalloc(pool, len);
+    buf = ngx_pnalloc(pool, len + 1);
     if (buf == NULL) {
         goto failed;
     }
 
+    buf[len] = '\0';
+
     n = ngx_read_fd(fd, buf, len);
     if (n == -1) {
-- 
2.47.3
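Review bot: The terminator is written at buf[len] before ngx_read_fd() runs, so on a short read (n < len, which the visible `if (n == -1)` check does not cover) the bytes buf[n..len) remain uninitialized pool memory and strtod() can still walk through them up to the NUL. Unless ngx_js_dict_load rejects a short read further down (the function continues outside the hunk), the terminator should be placed after the read at the length actually read, `buf[n] = '\0';`, or the loader should fail on `if ((size_t) n != len) { goto failed; }`. The hunk header's line count also does not match the lines shown, so the tail of the hunk may be cut off on this page. As a follow-up, making ngx_js_dict_parse_entry() honour `end` with a bounded number parser instead of strtod() would stop correctness from depending on every caller NUL-terminating its buffer.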