[nginx] Fixed incorrect length handling in ngx_utf8_length().
Maxim Dounin
mdounin at mdounin.ru
Mon Apr 15 18:41:59 UTC 2019
details: https://hg.nginx.org/nginx/rev/a42a6dfeb01a
branches:
changeset: 7494:a42a6dfeb01a
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon Apr 15 20:14:07 2019 +0300
description:
Fixed incorrect length handling in ngx_utf8_length().
Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.
In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.
Reported by Yunbin Liu.
diffstat:
src/core/ngx_string.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diffs (12 lines):
diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1381,7 +1381,7 @@ ngx_utf8_length(u_char *p, size_t n)
continue;
}
- if (ngx_utf8_decode(&p, n) > 0x10ffff) {
+ if (ngx_utf8_decode(&p, last - p) > 0x10ffff) {
/* invalid UTF-8 */
return n;
}
More information about the nginx-devel
mailing list