[nginx] Charset: fixed handling of incomplete UTF-8 characters.

Maxim Dounin mdounin at mdounin.ru
Tue May 19 02:46:30 UTC 2026


details:   http://freenginx.org/hg/nginx/rev/5ebb2a99ad8d
branches:  
changeset: 9519:5ebb2a99ad8d
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Tue May 19 01:56:27 2026 +0300
description:
Charset: fixed handling of incomplete UTF-8 characters.

Previously, if a UTF-8 character was split across multiple buffers, the
second and subsequent buffers were handled incorrectly: ngx_decode_utf8()
was called with the wrong size if there were fewer bytes in the buffer
than ctx->saved can hold, the following code called ngx_memcpy() with
the wrong size, potentially reading past the supplied buffer, and
ctx->saved_len was set to an incorrect value, which could later result
in reading before the buffer (CVE-2026-42934).

The fix is to adjust the code to make sure that the "i" value properly
represents the number of bytes available in ctx->saved in all cases,
remove the unneeded ngx_memcpy() call, and set ctx->saved_len to the
correct value.

See also:
https://github.com/nginx/nginx/commit/696a7f1b9198d576e6a59c1655b746fbf06561cf

diffstat:

 src/http/modules/ngx_http_charset_filter_module.c |  7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

diffs (24 lines):

diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
--- a/src/http/modules/ngx_http_charset_filter_module.c
+++ b/src/http/modules/ngx_http_charset_filter_module.c
@@ -788,8 +788,8 @@ ngx_http_charset_recode_from_utf8(ngx_po
 
     p = src;
 
-    for (i = ctx->saved_len; i < NGX_UTF_LEN; i++) {
-        ctx->saved[i] = *p++;
+    for (i = ctx->saved_len; i < NGX_UTF_LEN; /* void */) {
+        ctx->saved[i++] = *p++;
 
         if (p == buf->last) {
             break;
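Review bot: Moving the increment into the body changes the meaning of `i` on the early-exit path: with `ctx->saved[i++] = *p++;` the `break` at `p == buf->last` now leaves `i` equal to the number of bytes actually stored in ctx->saved, whereas before the `for` increment was skipped by `break` and `i` was one short. Every later use of `i` in this function must therefore treat it as a length, not as the index of the last byte written; a one-line comment above the loop explaining why the increment clause is `/* void */` would save the next reader from "fixing" it back. Note also that the loop stores a byte before testing `p == buf->last`, so it relies on the caller guaranteeing `src < buf->last` on entry; worth stating that precondition in a comment.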
@@ -826,8 +826,7 @@ ngx_http_charset_recode_from_utf8(ngx_po
             b->sync = 1;
             b->shadow = buf;
 
-            ngx_memcpy(&ctx->saved[ctx->saved_len], src, i);
-            ctx->saved_len += i;
+            ctx->saved_len = i;
 
             return out;
         }
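Review bot: Dropping the `ngx_memcpy(&ctx->saved[ctx->saved_len], src, i)` is correct only because the loop above already wrote the bytes into ctx->saved in place, so the copy was duplicating data with the wrong length and could read past `src`; a short comment at `ctx->saved_len = i;` saying the bytes are already in ctx->saved would make that dependency explicit. Please also confirm that nothing between the loop and this assignment (outside the shown context) modifies `i`, since `saved_len` is now assigned from it directly rather than accumulated with `+=`.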
