[nginx] Charset: fixed handling of invalid UTF-8 characters.

Maxim Dounin mdounin at mdounin.ru
Fri Jun 26 18:30:28 UTC 2026


details:   http://freenginx.org/hg/nginx/rev/2fe98aa7ebc8
branches:  
changeset: 9567:2fe98aa7ebc8
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Fri Jun 26 21:08:20 2026 +0300
description:
Charset: fixed handling of invalid UTF-8 characters.

Previously, if an invalid UTF-8 character was split between buffers,
ngx_decode_utf8() might return an error and a position within the bytes
saved from the first buffer, but the following code did not expect this
and might end up reading a byte before the second buffer
(CVE-2026-48142).

The fix is to copy bytes from ctx->saved directly, and only adjust src
for the bytes which are from the second buffer.

See also:
https://github.com/nginx/nginx/commit/319a0bff157b15d9061f4712b2edbe6fdd2dee66

diffstat:

 src/http/modules/ngx_http_charset_filter_module.c |  4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diffs (14 lines):

diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
--- a/src/http/modules/ngx_http_charset_filter_module.c
+++ b/src/http/modules/ngx_http_charset_filter_module.c
@@ -865,6 +865,10 @@ ngx_http_charset_recode_from_utf8(ngx_po
         ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0,
                        "http charset invalid utf 1");
 
+        while (saved < ctx->saved + ctx->saved_len) {
+            *dst++ = *saved++;
+        }
+
     } else {
         dst = ngx_sprintf(dst, "&#%uD;", n);
     }


More information about the nginx-devel mailing list