diff options
| author | Sergey Kandaurov <pluknet@nginx.com> | 2025-02-27 18:42:06 +0400 |
|---|---|---|
| committer | pluknet <pluknet@nginx.com> | 2025-04-09 19:37:51 +0400 |
| commit | a813c639211728a1441945dee149b44a0935f48b (patch) | |
| tree | 2fbcd0c279f5fd84f697547c22e7702a90dffec5 | |
| parent | d31305653701bd99e8e5e6aa48094599a08f9f12 (diff) | |
| download | nginx-a813c639211728a1441945dee149b44a0935f48b.tar.gz nginx-a813c639211728a1441945dee149b44a0935f48b.zip | |
Charset filter: improved validation of charset_map with utf-8.
It was possible to write outside of the buffer used to keep UTF-8
decoded values when parsing conversion table configuration.
Since this happened before UTF-8 decoding, the fix is to check in
advance if character codes are of more than 3-byte sequence. Note
that this is already enforced by a later check for ngx_utf8_decode()
decoded values for 0xffff, which corresponds to the maximum value
encoded as a valid 3-byte sequence, so the fix does not affect the
valid values.
Found with AddressSanitizer.
Fixes GitHub issue #529.
| -rw-r--r-- | src/http/modules/ngx_http_charset_filter_module.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/http/modules/ngx_http_charset_filter_module.c b/src/http/modules/ngx_http_charset_filter_module.c index e52b96e9b..d44da6233 100644 --- a/src/http/modules/ngx_http_charset_filter_module.c +++ b/src/http/modules/ngx_http_charset_filter_module.c @@ -1332,6 +1332,12 @@ ngx_http_charset_map(ngx_conf_t *cf, ngx_command_t *dummy, void *conf) table = ctx->table; if (ctx->charset->utf8) { + if (value[1].len / 2 > NGX_UTF_LEN - 1) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "invalid value \"%V\"", &value[1]); + return NGX_CONF_ERROR; + } + p = &table->src2dst[src * NGX_UTF_LEN]; *p++ = (u_char) (value[1].len / 2); |