[PATCH 03 of 10] Charset: fixed handling of incomplete UTF-8 characters

Maxim Dounin mdounin at mdounin.ru
Sun May 17 00:12:36 UTC 2026


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1778974119 -10800
#      Sun May 17 02:28:39 2026 +0300
# Node ID 52d992b6a7d5e79107616f948fed273a69fb7d53
# Parent  071c2e847b986bb7b133ff42c26f9aa2f55b102b
Charset: fixed handling of incomplete UTF-8 characters.

Previously, if a UTF-8 character was split across multiple buffers, the
second and subsequent buffers were handled incorrectly: ngx_decode_utf8()
was called with the wrong size if there are fewer bytes in the buffer
than ctx->saved can hold, the following code called ngx_memcpy() with
the wrong size, potentially reading past the supplied buffer, and
ctx->saved_len was set to an incorrect value, which could later result
in reading before the buffer (CVE-2026-42934).

The fix is to adjust the code to make sure that the "i" value properly
represents the number of bytes available in ctx->saved in all cases,
remove the unneeded ngx_memcpy() call, and set ctx->saved_len to the
correct value.

See also:
https://github.com/nginx/nginx/commit/696a7f1b9198d576e6a59c1655b746fbf06561cf

diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
--- a/src/http/modules/ngx_http_charset_filter_module.c
+++ b/src/http/modules/ngx_http_charset_filter_module.c
@@ -788,8 +788,8 @@ ngx_http_charset_recode_from_utf8(ngx_po
 
     p = src;
 
-    for (i = ctx->saved_len; i < NGX_UTF_LEN; i++) {
-        ctx->saved[i] = *p++;
+    for (i = ctx->saved_len; i < NGX_UTF_LEN; /* void */) {
+        ctx->saved[i++] = *p++;
 
         if (p == buf->last) {
             break;
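Review bot: In the rewritten loop, `ctx->saved[i++] = *p++;` still dereferences p before the `p == buf->last` test, so whenever the loop is entered it reads one byte even if src is already equal to buf->last. If callers guarantee a non-empty buffer here, a short comment stating that precondition would help; otherwise test `p < buf->last` before the copy. Moving the increment into the store does make i the count of bytes held in ctx->saved on both the break path and the normal exit. A one-line comment saying so would make it clear that later code depends on it.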
@@ -826,8 +826,7 @@ ngx_http_charset_recode_from_utf8(ngx_po
             b->sync = 1;
             b->shadow = buf;
 
-            ngx_memcpy(&ctx->saved[ctx->saved_len], src, i);
-            ctx->saved_len += i;
+            ctx->saved_len = i;
 
             return out;
         }
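Review bot: The new `ctx->saved_len = i;` is only correct if i still holds the total number of bytes in ctx->saved as left by the loop in the first hunk, and nothing between the two places modifies it. Because the change from `+=` to `=` silently changes what i means here (a total that already includes the old ctx->saved_len, not the number of newly copied bytes), a comment on this line stating that would guard against someone restoring the addition later. A debug check that i does not exceed NGX_UTF_LEN before the assignment would also document the bound that subsequent reads of ctx->saved depend on.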


