Re: Fix bug of n in function of ngx_utf8_length

Maxim Dounin
April 12, 2019 12:44PM
Hello!

On Wed, Apr 10, 2019 at 07:56:26PM +0000, liu yunbin wrote:

> # HG changeset patch
> # User Yunbin Liu yunbinliu@outlook.com
> # Date 1554925873 -28800
> # Thu Apr 11 03:51:13 2019 +0800
> # Node ID 228b945cf5f8c30356fc5760f696e49545075f00
> # Parent a6e23e343081b79eb924da985a414909310aa7a3
> Fix bug of n in function of ngx_utf8_length
>
> diff -r a6e23e343081 -r 228b945cf5f8 src/core/ngx_string.c
> --- a/src/core/ngx_string.c Tue Apr 09 16:00:30 2019 +0300
> +++ b/src/core/ngx_string.c Thu Apr 11 03:51:13 2019 +0800
> @@ -1369,6 +1369,7 @@
> {
> u_char c, *last;
> size_t len;
> + u_char *current_point;
>
> last = p + n;
>
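
Review bot: the `u_char *current_point;` local added here is only needed to work out how many bytes a decode consumed, but `last = p + n` is already set just below, so the remaining length is available as `last - p` with no extra variable and no change to n. Suggest dropping the declaration and passing `last - p` to the decoder.
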
> @@ -1378,13 +1379,16 @@
>
> if (c < 0x80) {
> p++;
> + n--;
> continue;
> }
>
> + current_point = p;
> if (ngx_utf8_decode(&p, n) > 0x10ffff) {
> /* invalid UTF-8 */
> return n;
> }
> + n -= p - current_point;
> }
>
> return len;
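
Review bot: `return n;` in the invalid UTF-8 branch now returns a decremented value, because n is reduced by `n--;` and `n -= p - current_point;` earlier in the loop, so the caller gets the number of bytes left rather than the length it passed in. Keep n unmodified and hand the decoder a remaining length derived from `last`, or save the original n for this return.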

Thanks for the report, this looks like a valid bug (though never
triggered with current code). A simpler patch should be
something like this:

# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1555087201 -10800
# Fri Apr 12 19:40:01 2019 +0300
# Node ID 7c02edae85e317346d5cef2d9d10d6ce23ed432c
# Parent a6e23e343081b79eb924da985a414909310aa7a3
Fixed incorrect length handling in ngx_utf8_length().

Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an error when it sees a null in the
middle of a UTF-8 sequence.

Reported by Yunbin Liu.

diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1381,7 +1381,7 @@ ngx_utf8_length(u_char *p, size_t n)
continue;
}

- if (ngx_utf8_decode(&p, n) > 0x10ffff) {
+ if (ngx_utf8_decode(&p, last - p) > 0x10ffff) {
/* invalid UTF-8 */
return n;
}
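
Review bot: at `ngx_utf8_decode(&p, last - p)` the argument is a pointer difference, which is a valid remaining length only while p < last holds at the call; the loop condition and the assignment of `last` are outside this hunk, so that is worth confirming against the full function. Since the commit message says the out-of-bounds read is not reachable through autoindex, a test with a truncated multi-byte sequence at the end of a buffer that is not null-terminated would keep the fix from regressing if another caller appears.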


--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
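
The length mix-up discussed in this thread, as an added example that is not part of the original messages and is not nginx code: `demo_utf8_decode` and `demo_utf8_length` are simplified, hypothetical stand-ins (no overlong-form checks). The buffer is constructed so that the byte past the logical end still lies inside the array, which lets the over-read be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounded decoder: decodes one multi-byte sequence at *p,
 * reading at most n bytes; 0xffffffff means invalid or truncated. */
static uint32_t demo_utf8_decode(const unsigned char **p, size_t n)
{
    uint32_t u = **p;
    size_t   more;

    if (u >= 0xf8 || u < 0xc2) { (*p)++; return 0xffffffff; }
    if (u >= 0xf0)      { u &= 0x07; more = 3; }
    else if (u >= 0xe0) { u &= 0x0f; more = 2; }
    else                { u &= 0x1f; more = 1; }

    if (n - 1 < more) { return 0xffffffff; }   /* sequence does not fit in n */

    (*p)++;
    while (more--) {
        uint32_t c = *(*p)++;
        if ((c & 0xc0) != 0x80) { return 0xffffffff; }
        u = (u << 6) | (c & 0x3f);
    }
    return u;
}

/* use_remaining = 0: pass the original n on every call (pre-fix behaviour);
 * use_remaining = 1: pass last - p, as in the fix. */
static size_t demo_utf8_length(const unsigned char *p, size_t n, int use_remaining)
{
    const unsigned char *last = p + n;
    size_t len;

    for (len = 0; p < last; len++) {
        if (*p < 0x80) { p++; continue; }
        if (demo_utf8_decode(&p, use_remaining ? (size_t)(last - p) : n) > 0x10ffff) {
            return n;                          /* invalid UTF-8 */
        }
    }
    return len;
}

/* Constructed input: the logical string is the first 4 bytes ("ab" plus a
 * truncated 3-byte sequence); 0xac sits past the logical end, inside the array. */
static const unsigned char demo_buf[8] = { 'a', 'b', 0xe2, 0x82, 0xac, 0, 0, 0 };

int main(void)
{
    printf("stale n: %zu\n", demo_utf8_length(demo_buf, 4, 0));
    printf("last - p: %zu\n", demo_utf8_length(demo_buf, 4, 1));
    return 0;
}
```

With the stale length the decoder consumes the byte at offset 4 and the string is counted as three characters; with `last - p` the truncated sequence is rejected and the byte count is returned.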