|
| 1 | +From 0482091e8a6b53ba14b4b8cae855063762aadbbc Mon Sep 17 00:00:00 2001 |
| 2 | +From: Sergey Kandaurov <pluknet@nginx.com> |
| 3 | +Date: Mon, 1 Jun 2026 21:46:48 +0400 |
| 4 | +Subject: [PATCH] Charset: fixed another rare buffer overread in |
| 5 | + recode_from_utf8() |
| 6 | + |
| 7 | +With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte |
| 8 | +overread on invalid UTF-8 sequences. The reason is ngx_utf8_decode() |
| 9 | +stops advancing the pointer position on the first encountered invalid |
| 10 | +byte. The fix is to adjust the advanced pointer up to the whole saved |
| 11 | +sequence in this case. Note that this may result in different output |
| 12 | +compared to complete invalid UTF-8 sequences, which we can disregard |
| 13 | +at this point. |
| 14 | + |
| 15 | +Reported by Han Yan of Xiaomi and p4p3r of CYBERONE. |
| 16 | + |
| 17 | +Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> |
| 18 | +Upstream-reference: https://github.com/nginx/nginx/commit/60c4243eb8775d51662a01def8a7dad5d9fb34a7.patch |
| 19 | +--- |
| 20 | + src/http/modules/ngx_http_charset_filter_module.c | 4 ++++ |
| 21 | + 1 file changed, 4 insertions(+) |
| 22 | + |
| 23 | +diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c |
| 24 | +index edb2db5..e0115e1 100644 |
| 25 | +--- a/src/http/modules/ngx_http_charset_filter_module.c |
| 26 | ++++ b/src/http/modules/ngx_http_charset_filter_module.c |
| 27 | +@@ -855,6 +855,10 @@ ngx_http_charset_recode_from_utf8(ngx_pool_t *pool, ngx_buf_t *buf, |
| 28 | + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, pool->log, 0, |
| 29 | + "http charset invalid utf 1"); |
| 30 | + |
| 31 | ++ if (saved < &ctx->saved[ctx->saved_len]) { |
| 32 | ++ saved = &ctx->saved[ctx->saved_len]; |
| 33 | ++ } |
| 34 | ++ |
| 35 | + } else { |
| 36 | + dst = ngx_sprintf(dst, "&#%uD;", n); |
| 37 | + } |
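Review bot: The added pointer adjustment carries no comment, so a reader of the `invalid utf 1` branch cannot see why `saved` is moved to `&ctx->saved[ctx->saved_len]`; the reasoning lives only in the commit message. I would add, above the added `if`, `/* ngx_utf8_decode() stops at the first invalid byte; skip the rest of the saved sequence so it is not read again past its end */`. It may also be worth noting inline that, as the message says, this can produce different output than a complete invalid sequence would, since that trade-off is otherwise invisible at the call site. The enclosing ngx_http_charset_recode_from_utf8() starts and ends outside the hunk, so whether `saved` is later compared against the same end pointer cannot be confirmed from here.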
| 38 | +-- |
| 39 | +2.45.4 |
| 40 | + |