[nginx] Charset filter: improved validation of charset_map with utf-8.

noreply at nginx.com noreply at nginx.com
Wed Apr 9 15:38:02 UTC 2025


details:   https://github.com/nginx/nginx/commit/a813c639211728a1441945dee149b44a0935f48b
branches:  master
commit:    a813c639211728a1441945dee149b44a0935f48b
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Thu, 27 Feb 2025 18:42:06 +0400
description:
Charset filter: improved validation of charset_map with utf-8.

It was possible to write outside of the buffer used to keep UTF-8
decoded values when parsing conversion table configuration.

Since this happened before UTF-8 decoding, the fix is to check in
advance if character codes are of more than 3-byte sequence.  Note
that this is already enforced by a later check for ngx_utf8_decode()
decoded values for 0xffff, which corresponds to the maximum value
encoded as a valid 3-byte sequence, so the fix does not affect the
valid values.

Found with AddressSanitizer.
Fixes GitHub issue #529.

---
 src/http/modules/ngx_http_charset_filter_module.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
index e52b96e9b..d44da6233 100644
--- a/src/http/modules/ngx_http_charset_filter_module.c
+++ b/src/http/modules/ngx_http_charset_filter_module.c
@@ -1332,6 +1332,12 @@ ngx_http_charset_map(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
     table = ctx->table;
 
     if (ctx->charset->utf8) {
+        if (value[1].len / 2 > NGX_UTF_LEN - 1) {
+            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                               "invalid value \"%V\"", &value[1]);
+            return NGX_CONF_ERROR;
+        }
+
         p = &table->src2dst[src * NGX_UTF_LEN];
 
         *p++ = (u_char) (value[1].len / 2);
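Review bot: the new check `value[1].len / 2 > NGX_UTF_LEN - 1` uses a truncating division, so an odd-length value one hex digit over the limit gives the same quotient as a value exactly at the limit and passes. The hunk does not show whether odd lengths are rejected elsewhere. Comparing the raw length instead, for example `value[1].len > (NGX_UTF_LEN - 1) * 2`, or rejecting an odd `value[1].len` in the same branch, would make the bound exact at the point where the slot is about to be written. A short comment would also help: the `- 1` is there because the first byte of each `NGX_UTF_LEN` slot holds the length (the `*p++ = (u_char) (value[1].len / 2)` line just below), and that is not obvious from the condition alone. The "invalid value" message could also say that the sequence is too long, so an operator can tell this rejection apart from other malformed charset_map entries.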

