Fix bug of n in function of ngx_utf8_length
Maxim Dounin
mdounin at mdounin.ru
Fri Apr 12 16:42:53 UTC 2019
Hello!
On Wed, Apr 10, 2019 at 07:56:26PM +0000, liu yunbin wrote:
> # HG changeset patch
> # User Yunbin Liu yunbinliu at outlook.com
> # Date 1554925873 -28800
> # Thu Apr 11 03:51:13 2019 +0800
> # Node ID 228b945cf5f8c30356fc5760f696e49545075f00
> # Parent a6e23e343081b79eb924da985a414909310aa7a3
> Fix bug of n in function of ngx_utf8_length
>
> diff -r a6e23e343081 -r 228b945cf5f8 src/core/ngx_string.c
> --- a/src/core/ngx_string.c Tue Apr 09 16:00:30 2019 +0300
> +++ b/src/core/ngx_string.c Thu Apr 11 03:51:13 2019 +0800
> @@ -1369,6 +1369,7 @@
> {
> u_char c, *last;
> size_t len;
> + u_char *current_point;
>
> last = p + n;
>
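Review bot: the new `u_char *current_point;` declared in this hunk tracks information the function already has: `last = p + n;` is computed right below it, so the bytes still available at any point are simply `last - p` and no extra pointer is needed. Dropping the variable keeps the declaration block untouched; if it is kept, it belongs on the existing `u_char c, *last;` line rather than after `size_t len;`.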
> @@ -1378,13 +1379,16 @@
>
> if (c < 0x80) {
> p++;
> + n--;
> continue;
> }
>
> + current_point = p;
> if (ngx_utf8_decode(&p, n) > 0x10ffff) {
> /* invalid UTF-8 */
> return n;
> }
> + n -= p - current_point;
> }
>
> return len;
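Review bot: decrementing `n` inside the loop changes the value produced on the `return n;` error path in this hunk: before the patch the function returned the full byte length of the input on invalid UTF-8, after it returns only the bytes not yet consumed, so the caller gets a different result for the same invalid input. The remaining length can be passed without modifying `n` at all, as `ngx_utf8_decode(&p, last - p)`, which also removes the need for the added `n--` and the `current_point` bookkeeping.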
Thanks for the report, this looks like a valid bug (though never
triggered with current code). A simpler patch should be
something like this:
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1555087201 -10800
# Fri Apr 12 19:40:01 2019 +0300
# Node ID 7c02edae85e317346d5cef2d9d10d6ce23ed432c
# Parent a6e23e343081b79eb924da985a414909310aa7a3
Fixed incorrect length handling in ngx_utf8_length().
Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.
In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an error when it sees a null in the
middle of a UTF-8 sequence.
Reported by Yunbin Liu.
diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1381,7 +1381,7 @@ ngx_utf8_length(u_char *p, size_t n)
continue;
}
- if (ngx_utf8_decode(&p, n) > 0x10ffff) {
+ if (ngx_utf8_decode(&p, last - p) > 0x10ffff) {
/* invalid UTF-8 */
return n;
}
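Review bot: `last - p` is a `ptrdiff_t` converted to the `size_t` parameter of `ngx_utf8_decode()`, which is only safe while `p < last` holds at the call; that depends on the loop condition, which lies outside this hunk's context (neither `last = p + n;` nor the loop header is visible here). A one-line comment at the call site saying that the remaining length is `last - p` and why the original `n` must not be used would help the next reader. Leaving `return n;` on the invalid path unchanged keeps the pre-patch result (the whole input length) for the autoindex caller named in the commit message.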
--
Maxim Dounin
http://mdounin.ru/
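To make the length bug described in the commit message concrete, here is a small stand-alone C model added to this page; it is neither nginx's code nor either author's patch. It assumes a simplified decoder with the same contract as ngx_utf8_decode() (advance the pointer, return a value above 0x10ffff on malformed or truncated input) and uses two constructed byte buffers: one valid, one ending in a lone 4-byte lead byte with no terminating NUL, which is exactly the input the stale `n` fails to protect.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed samples; the second ends in a 4-byte lead byte and has no NUL. */
static const unsigned char sample_valid[] = { 'a', 0xc3, 0xa9, 0xe2, 0x82, 0xac };
static const unsigned char sample_truncated[] = { 'a', 'b', 'c', 'd', 0xf0 };

/* Simplified decoder with the ngx_utf8_decode() contract (own code, not nginx's):
 * decode at *p and advance it; 0xffffffff = malformed, 0xfffffffe = fewer than n bytes. */
static uint32_t utf8_decode(const unsigned char **p, size_t n) {
    unsigned char c = **p;
    size_t len;                        /* continuation bytes expected */
    uint32_t u;
    if (c >= 0xf0)      { u = c & 0x07; len = 3; }
    else if (c >= 0xe0) { u = c & 0x0f; len = 2; }
    else if (c >= 0xc2) { u = c & 0x1f; len = 1; }
    else { (*p)++; return 0xffffffff; }
    if (n - 1 < len) { return 0xfffffffe; }   /* the only bound on what is read */
    while (len--) {
        c = *++(*p);
        if ((c & 0xc0) != 0x80) { return 0xffffffff; }
        u = (u << 6) | (c & 0x3f);
    }
    (*p)++;
    return u;
}

/* Patched ngx_utf8_length() logic: the decoder gets the bytes actually left
 * (last - p), not the stale total n. Returns the character count, or n on invalid UTF-8. */
static size_t utf8_length(const unsigned char *p, size_t n) {
    const unsigned char *last = p + n;
    size_t len;
    for (len = 0; p < last; len++) {
        if (*p < 0x80) { p++; continue; }
        if (utf8_decode(&p, (size_t) (last - p)) > 0x10ffff) { return n; }
    }
    return len;
}

/* Bytes past the buffer that a decoder trusting the stale n would read at the
 * first lead byte; mirrors the pre-patch control flow without touching memory. */
static size_t stale_overread(const unsigned char *p, size_t n) {
    const unsigned char *last = p + n;
    size_t need, avail;
    while (p < last && *p < 0x80) { p++; }  /* the ASCII fast path */
    if (p == last) { return 0; }
    need = *p >= 0xf0 ? 3 : *p >= 0xe0 ? 2 : *p >= 0xc2 ? 1 : 0;
    if (n - 1 < need) { return 0; }         /* stale guard happens to reject */
    avail = (size_t) (last - p) - 1;        /* continuation bytes really present */
    return avail < need ? need - avail : 0;
}
```

For the truncated sample the stale `n` of 5 lets the decoder's `n - 1 < len` check pass at the final 0xf0, so it would read three bytes beyond the buffer, while `last - p` of 1 rejects it before any read.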