git.kaiwu.me - nginx.git/commit
Rewrite: fix buffer overflow with overlapping captures
author Roman Arutyunyan <arut@nginx.com>
Thu, 14 May 2026 14:42:18 +0000 (18:42 +0400)
committer Sergey Kandaurov <s.kandaurov@f5.com>
Fri, 22 May 2026 15:07:28 +0000 (19:07 +0400)
commit 3f135ae2eb60ce376196c898a6c7cb4d774f7068
tree 9f24aa5cf2faba5c2129e729d43415f81f38fda7
parent fe6b587f81f125c01326d883244b406ce19885a2
When the rewrite replacement string had no variables, but had
overlapping captures, the length of the allocated buffer could be
smaller than the replacement string.  This could happen either
when the "redirect" parameter is specified, or when arguments are
present in the replacement string.

The following configurations resulted in heap buffer overflow when
using URI "/++++++++++++++++++++++++++++++":

    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect;
        return 200 foo;
    }

    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2;
        return 200 foo;
    }

Reported by Mufeed VH of Winfunc Research.
src/http/ngx_http_script.c
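The commit message turns on one arithmetic fact: with nested groups such as ((.*)), $1 and $2 refer to the same bytes, so a replacement that uses both is longer than "literal text plus the matched URI", and any buffer sized on that assumption is too small. The program below is an added example written for this page, not nginx code and not the fixed function in ngx_http_script.c. It uses no regex engine: the capture offsets are constructed by hand to mimic ^/((.*))$ matching a URI of the shape used in the commit message ("/" followed by 30 "+"), and naive_bound() is an illustrative undersized estimate, not the formula nginx actually used before the fix.

```c
/* Added example (not nginx code): sizing a rewrite buffer when captures overlap.
 * Match offsets are constructed by hand for ^/((.*))$ against "/" + 30 '+'. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { size_t start, end; } capture_t;            /* byte range in subject */
typedef struct { const char *literal; int group; } part_t;  /* literal text, or $group */

/* Exact output length: every $N adds the full span of capture N, so two
 * references to overlapping captures count the shared bytes twice. */
size_t expansion_len(const part_t *parts, size_t nparts,
                     const capture_t *caps, size_t ncaps)
{
    size_t len = 0, i;
    for (i = 0; i < nparts; i++) {
        if (parts[i].literal != NULL) {
            len += strlen(parts[i].literal);
        } else if (parts[i].group >= 1 && (size_t) parts[i].group <= ncaps) {
            len += caps[parts[i].group - 1].end - caps[parts[i].group - 1].start;
        }
    }
    return len;
}

/* Illustrative wrong bound: literals plus the whole subject. It only holds
 * when captures are disjoint substrings of the subject; ((.*)) violates that. */
size_t naive_bound(const part_t *parts, size_t nparts, const char *subject)
{
    size_t len = strlen(subject), i;
    for (i = 0; i < nparts; i++) {
        if (parts[i].literal != NULL) {
            len += strlen(parts[i].literal);
        }
    }
    return len;
}

/* Expand into a buffer sized by expansion_len(); caller frees the result. */
char *expand(const char *subject, const part_t *parts, size_t nparts,
             const capture_t *caps, size_t ncaps)
{
    size_t need = expansion_len(parts, nparts, caps, ncaps), i;
    char *out = malloc(need + 1), *p = out;
    if (out == NULL) return NULL;
    for (i = 0; i < nparts; i++) {
        if (parts[i].literal != NULL) {
            size_t n = strlen(parts[i].literal);
            memcpy(p, parts[i].literal, n);
            p += n;
        } else if (parts[i].group >= 1 && (size_t) parts[i].group <= ncaps) {
            const capture_t *c = &caps[parts[i].group - 1];
            memcpy(p, subject + c->start, c->end - c->start);   /* fits: sized above */
            p += c->end - c->start;
        }
    }
    *p = '\0';
    return out;
}

/* Constructed scenario: URI "/" + 30 '+', template "http://127.0.0.1:8080/$1$2",
 * and ((.*)) yielding two captures that both span bytes 1..31 of the URI. */
#define URI_LEN 31
static void build_scenario(char *uri, capture_t caps[2], part_t parts[3])
{
    uri[0] = '/';
    memset(uri + 1, '+', URI_LEN - 1);
    uri[URI_LEN] = '\0';
    caps[0].start = 1; caps[0].end = URI_LEN;   /* $1 */
    caps[1].start = 1; caps[1].end = URI_LEN;   /* $2, same bytes as $1 */
    parts[0].literal = "http://127.0.0.1:8080/"; parts[0].group = 0;
    parts[1].literal = NULL; parts[1].group = 1;
    parts[2].literal = NULL; parts[2].group = 2;
}

size_t demo_expansion_len(void)
{
    char uri[URI_LEN + 1]; capture_t caps[2]; part_t parts[3];
    build_scenario(uri, caps, parts);
    return expansion_len(parts, 3, caps, 2);          /* 22 + 30 + 30 = 82 */
}

size_t demo_naive_bound(void)
{
    char uri[URI_LEN + 1]; capture_t caps[2]; part_t parts[3];
    build_scenario(uri, caps, parts);
    return naive_bound(parts, 3, uri);                /* 22 + 31 = 53, too small */
}

/* Returns 1 when the correctly sized expansion has the expected shape. */
int demo_expand_ok(void)
{
    char uri[URI_LEN + 1]; capture_t caps[2]; part_t parts[3];
    const char *prefix = "http://127.0.0.1:8080/";
    size_t plen = strlen(prefix), i;
    int ok;
    build_scenario(uri, caps, parts);
    char *out = expand(uri, parts, 3, caps, 2);
    if (out == NULL) return 0;
    ok = strlen(out) == plen + 2 * (URI_LEN - 1) && strncmp(out, prefix, plen) == 0;
    for (i = plen; ok && out[i] != '\0'; i++) ok = (out[i] == '+');
    free(out);
    return ok;
}

int main(void)
{
    printf("exact length %zu, naive bound %zu, expansion ok %d\n",
           demo_expansion_len(), demo_naive_bound(), demo_expand_ok());
    return 0;
}
```

The point to carry over to any rewrite or templating engine: size the destination from the sum of what each reference will copy, taken from the actual capture offsets, rather than from a bound on the input; only the former survives captures that overlap or repeat.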