Welcome! Log In Create A New Profile

Advanced

[nginx] Fixed incorrect length handling in ngx_utf8_length().

Maxim Dounin
April 15, 2019 02:42PM
details: https://hg.nginx.org/nginx/rev/a42a6dfeb01a
branches:
changeset: 7494:a42a6dfeb01a
user: Maxim Dounin <mdounin@mdounin.ru>
date: Mon Apr 15 20:14:07 2019 +0300
description:
Fixed incorrect length handling in ngx_utf8_length().

Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.

Reported by Yunbin Liu.

diffstat:

src/core/ngx_string.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1381,7 +1381,7 @@ ngx_utf8_length(u_char *p, size_t n)
continue;
}

- if (ngx_utf8_decode(&p, n) > 0x10ffff) {
+ if (ngx_utf8_decode(&p, last - p) > 0x10ffff) {
/* invalid UTF-8 */
return n;
}
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] Fixed incorrect length handling in ngx_utf8_length().

Maxim Dounin 148 April 15, 2019 02:42PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 110
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready