Welcome! Log In Create A New Profile


[nginx] Fixed incorrect length handling in ngx_utf8_length().

Maxim Dounin
April 15, 2019 02:42PM
details: https://hg.nginx.org/nginx/rev/a42a6dfeb01a
changeset: 7494:a42a6dfeb01a
user: Maxim Dounin <mdounin@mdounin.ru>
date: Mon Apr 15 20:14:07 2019 +0300
Fixed incorrect length handling in ngx_utf8_length().

Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.

Reported by Yunbin Liu.


src/core/ngx_string.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1381,7 +1381,7 @@ ngx_utf8_length(u_char *p, size_t n)

- if (ngx_utf8_decode(&p, n) > 0x10ffff) {
+ if (ngx_utf8_decode(&p, last - p) > 0x10ffff) {
/* invalid UTF-8 */
return n;
nginx-devel mailing list
Subject Author Views Posted

[nginx] Fixed incorrect length handling in ngx_utf8_length().

Maxim Dounin 219 April 15, 2019 02:42PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 77
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready