[nginx] Charset: improved charset_map parsing.
Maxim Dounin
mdounin at mdounin.ru
Tue May 19 02:46:31 UTC 2026
details: http://freenginx.org/hg/nginx/rev/88857e9af1fe
branches:
changeset: 9521:88857e9af1fe
user: Maxim Dounin <mdounin at mdounin.ru>
date: Tue May 19 01:56:31 2026 +0300
description:
Charset: improved charset_map parsing.
Previously, too long UTF-8 codes in charset_map resulted in writing
outside of the allocated src2dst buffer, potentially causing a
segmentation fault when parsing an invalid configuration.
Also, the "dst > 255" check is unnecessary when parsing exactly two hex
characters, and therefore was removed.
See also:
https://github.com/nginx/nginx/commit/a813c639211728a1441945dee149b44a0935f48b
diffstat:
src/http/modules/ngx_http_charset_filter_module.c | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diffs (22 lines):
diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c
--- a/src/http/modules/ngx_http_charset_filter_module.c
+++ b/src/http/modules/ngx_http_charset_filter_module.c
@@ -1345,11 +1345,17 @@ ngx_http_charset_map(ngx_conf_t *cf, ngx
if (ctx->charset->utf8) {
p = &table->src2dst[src * NGX_UTF_LEN];
+ if (value[1].len / 2 > NGX_UTF_LEN - 1) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "invalid value \"%V\"", &value[1]);
+ return NGX_CONF_ERROR;
+ }
+
*p++ = (u_char) (value[1].len / 2);
for (i = 0; i < value[1].len; i += 2) {
dst = ngx_hextoi(&value[1].data[i], 2);
- if (dst == NGX_ERROR || dst > 255) {
+ if (dst == NGX_ERROR) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"invalid value \"%V\"", &value[1]);
return NGX_CONF_ERROR;
More information about the nginx-devel
mailing list