git.kaiwu.me - nginx.git/commit

author	David Korczynski <david@adalogics.com>
	Wed, 4 Mar 2026 09:27:45 +0000 (01:27 -0800)
committer	Roman Arutyunyan <arutyunyan.roman@gmail.com>
	Mon, 6 Apr 2026 10:07:18 +0000 (14:07 +0400)
commit	06c30ec29d392af00157c0b0eecbc545b330e50f
tree	4a572969d8388447403e303e9a265183867b8879	tree \| snapshot
parent	2ff1a969f3040f27ac2610e9840a4e802bcc39cc	commit \| diff

Upstream: fix integer underflow in charset parsing

The issue described below was only reproducible prior to
https://github.com/nginx/nginx/commit/7924a4ec6cb35291ea60a5f2a70ac0a034d94ff7

When parsing the `charset` parameter in the `Content-Type` header within
`ngx_http_upstream_copy_content_type`, an input such as `charset="`
resulted in an integer underflow.

In this scenario, both `p` and `last` point to the position immediately
following the opening quote. The logic to strip a trailing quote checked
`*(last - 1)` without verifying that `last > p`. This caused `last` to
be decremented to point to the opening quote itself, making `last < p`.

The subsequent length calculation `r->headers_out.charset.len = last - p`
resulted in -1, which wrapped to `SIZE_MAX` as `len` is a `size_t`. This
invalid length was later passed to `ngx_cpymem` in `ngx_http_header_filter`,
leading to an out-of-bounds memory access (detected as
`negative-size-param` by AddressSanitizer).

The fix ensures `last > p` before attempting to strip a trailing quote,
correctly resulting in a zero-length charset for malformed input.

The oss-fuzz payload that triggers this issue holds multiple 103 status
lines, and it's a sequence of 2 of those Content-Type headers that
trigger the ASAN report.

Co-authored-by: CodeMender <codemender-patching@google.com>
Fixes: https://issues.oss-fuzz.com/issues/486561029
Signed-off-by: David Korczynski <david@adalogics.com>