git.kaiwu.me - nginx.git/commit
Rewrite: fix buffer overflow with overlapping captures
author: Roman Arutyunyan <arut@nginx.com>
Thu, 14 May 2026 14:42:18 +0000 (18:42 +0400)
committer: Roman Arutyunyan <arutyunyan.roman@gmail.com>
Fri, 22 May 2026 14:55:09 +0000 (18:55 +0400)
commit: ca4f92a27464ae6c2082245e4f67048c633aa032
tree: 842b902bdb09229a897a31b94534c9486ffcf1c1
parent: 475732a3f9dfe82fc2ecdb0a7426083c9c1ee965
Rewrite: fix buffer overflow with overlapping captures

When the rewrite replacement string had no variables, but had
overlapping captures, the length of the allocated buffer could be
smaller than the replacement string.  This could happen either
when the "redirect" parameter is specified, or when arguments are
present in the replacement string.

The following configurations resulted in heap buffer overflow when
using URI "/++++++++++++++++++++++++++++++":

    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect;
        return 200 foo;
    }

    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2;
        return 200 foo;
    }

Reported by Mufeed VH of Winfunc Research.
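The following is an added, constructed model of the sizing mistake the commit message describes; it is not nginx's code and does not reproduce ngx_http_script.c. It assumes, purely to make the model concrete, that a '+' in a capture is written out as the three bytes "%2B" (a stand-in for URI escaping), that the replacement is the prefix "http://127.0.0.1:8080/" from the first configuration above, and that the pattern `((.*))` yields two captures covering the same bytes. `naive_len()` counts the escape overhead of the whole input once and then adds the raw length of every capture, which is only right when captures do not overlap; `exact_len()` sizes each capture as it will actually be written; `expand()` bounds-checks every write so an undersized buffer yields an error instead of a heap overflow.

```c
/* Added example (not nginx code): a simplified model of sizing a rewrite
 * buffer from regex captures.  Assumption: '+' is written as "%2B". */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { size_t start, end; } capture_t;   /* [start, end) into input */

/* Bytes needed to write input[start..end) with every '+' expanded to "%2B". */
static size_t escaped_len(const char *input, size_t start, size_t end)
{
    size_t n = 0;
    for (size_t i = start; i < end; i++) {
        n += (input[i] == '+') ? 3 : 1;
    }
    return n;
}

/* Undersized estimate: escape overhead of the whole input counted once,
 * plus the raw length of every capture.  Correct only when captures do
 * not overlap; overlapping captures each carry the overhead again. */
size_t naive_len(const char *input, size_t prefix_len,
                 const capture_t *caps, size_t ncaps)
{
    size_t ilen = strlen(input);
    size_t len = prefix_len + (escaped_len(input, 0, ilen) - ilen);
    for (size_t i = 0; i < ncaps; i++) {
        len += caps[i].end - caps[i].start;
    }
    return len;
}

/* Correct estimate: escaped length of each capture, counted per use. */
size_t exact_len(const char *input, size_t prefix_len,
                 const capture_t *caps, size_t ncaps)
{
    size_t len = prefix_len;
    for (size_t i = 0; i < ncaps; i++) {
        len += escaped_len(input, caps[i].start, caps[i].end);
    }
    return len;
}

/* Write prefix followed by every capture into out.  Returns bytes written,
 * or 0 when out_size is too small: every write is bounds-checked rather
 * than trusting a precomputed size. */
size_t expand(const char *input, const char *prefix,
              const capture_t *caps, size_t ncaps,
              char *out, size_t out_size)
{
    size_t plen = strlen(prefix);
    if (plen > out_size) return 0;
    memcpy(out, prefix, plen);
    size_t pos = plen;
    for (size_t i = 0; i < ncaps; i++) {
        for (size_t j = caps[i].start; j < caps[i].end; j++) {
            if (input[j] == '+') {
                if (out_size - pos < 3) return 0;
                memcpy(out + pos, "%2B", 3);
                pos += 3;
            } else {
                if (out_size - pos < 1) return 0;
                out[pos++] = input[j];
            }
        }
    }
    return pos;
}

/* Constructed sample: URI body "++++" matched by ((.*)), so $1 and $2 are
 * the same four bytes; prefix taken from the configuration in the message. */
static const char *SAMPLE_INPUT  = "++++";
static const char *SAMPLE_PREFIX = "http://127.0.0.1:8080/";
static const capture_t SAMPLE_CAPS[2] = { {0, 4}, {0, 4} };

size_t demo_naive(void)
{
    return naive_len(SAMPLE_INPUT, strlen(SAMPLE_PREFIX), SAMPLE_CAPS, 2);
}

size_t demo_exact(void)
{
    return exact_len(SAMPLE_INPUT, strlen(SAMPLE_PREFIX), SAMPLE_CAPS, 2);
}

/* Try the expansion into a buffer of the given size (0 = rejected). */
size_t demo_expand(size_t bufsize)
{
    char out[128];
    if (bufsize > sizeof(out)) return 0;
    return expand(SAMPLE_INPUT, SAMPLE_PREFIX, SAMPLE_CAPS, 2, out, bufsize);
}

int main(void)
{
    printf("naive size: %zu, exact size: %zu\n", demo_naive(), demo_exact());
    printf("expand into naive size: %zu (0 = rejected)\n",
           demo_expand(demo_naive()));
    printf("expand into exact size: %zu\n", demo_expand(demo_exact()));
    return 0;
}
```

With the sample input the naive estimate is 38 bytes while 46 are actually written, so a buffer sized by `naive_len()` is eight bytes short; the bounds-checked `expand()` refuses that buffer and succeeds with the exact size.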
src/http/ngx_http_script.c