[nginx] Charset: fixed handling of invalid UTF-8 characters.
Maxim Dounin
mdounin at mdounin.ru
Fri Jun 26 18:30:28 UTC 2026
details: http://freenginx.org/hg/nginx/rev/2fe98aa7ebc8
branches:
changeset: 9567:2fe98aa7ebc8
user: Maxim Dounin <mdounin at mdounin.ru>
date: Fri Jun 26 21:08:20 2026 +0300
description:
Charset: fixed handling of invalid UTF-8 characters.
Previously, if an invalid UTF-8 character was split between buffers,
ngx_decode_utf8() might return an error and a position within the bytes
saved from the first buffer, but the following code did not expect this
and might end up reading a byte before the second buffer
(CVE-2026-48142).
The fix is to copy bytes from ctx->saved directly, and only adjust src
for the bytes which are from the second buffer.
See also:
https://github.com/nginx/nginx/commit/319a0bff157b15d9061f4712b2edbe6fdd2dee66
diffstat:
src/http/modules/ngx_http_charset_filter_module.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diffs (14 lines):
diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
--- a/src/http/modules/ngx_http_charset_filter_module.c
+++ b/src/http/modules/ngx_http_charset_filter_module.c
@@ -865,6 +865,10 @@ ngx_http_charset_recode_from_utf8(ngx_po
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0,
"http charset invalid utf 1");
+ while (saved < ctx->saved + ctx->saved_len) {
+ *dst++ = *saved++;
+ }
+
} else {
dst = ngx_sprintf(dst, "&#%uD;", n);
}
More information about the nginx-devel
mailing list