[PATCH 05 of 10] Charset: improved charset_map parsing
Maxim Dounin
mdounin at mdounin.ru
Sun May 17 00:12:38 UTC 2026
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1778975841 -10800
# Sun May 17 02:57:21 2026 +0300
# Node ID fa0584dce8b52ec59233714a695cc5966b9a16da
# Parent 7dca2cab958f44f580af78bef97bc0037032d7f4
Charset: improved charset_map parsing.
Previously, too long UTF-8 codes in charset_map resulted in writing
outside of the allocated src2dst buffer, potentially causing a
segmentation fault when parsing an invalid configuration.
Also, the "dst > 255" check is unnecessary when parsing exactly two hex
characters, and therefore was removed.
See also:
https://github.com/nginx/nginx/commit/a813c639211728a1441945dee149b44a0935f48b
diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
--- a/src/http/modules/ngx_http_charset_filter_module.c
+++ b/src/http/modules/ngx_http_charset_filter_module.c
@@ -1345,11 +1345,17 @@ ngx_http_charset_map(ngx_conf_t *cf, ngx
if (ctx->charset->utf8) {
p = &table->src2dst[src * NGX_UTF_LEN];
+ if (value[1].len / 2 > NGX_UTF_LEN - 1) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "invalid value \"%V\"", &value[1]);
+ return NGX_CONF_ERROR;
+ }
+
*p++ = (u_char) (value[1].len / 2);
for (i = 0; i < value[1].len; i += 2) {
dst = ngx_hextoi(&value[1].data[i], 2);
- if (dst == NGX_ERROR || dst > 255) {
+ if (dst == NGX_ERROR) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"invalid value \"%V\"", &value[1]);
return NGX_CONF_ERROR;
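Review bot: the new bound at the top of the utf8 branch is computed from "value[1].len / 2", which rounds down, so an odd-length value is not covered by it: the loop below steps "i += 2" while "i < value[1].len" and therefore runs one more iteration than the bound and the stored length byte account for, and on that last iteration "ngx_hextoi(&value[1].data[i], 2)" is asked to read two characters when only one remains within value[1].len. Unless something outside these lines guarantees that the call fails in that case, I would reject odd lengths in the same condition, for example "if ((value[1].len & 1) || value[1].len / 2 > NGX_UTF_LEN - 1)", or add a short comment saying why an odd length cannot reach the write. The commit message could also note that the "- 1" accounts for the length byte stored first via "*p++ = (u_char) (value[1].len / 2)", since that is what makes the limit NGX_UTF_LEN - 1 rather than NGX_UTF_LEN.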