From: Maxim Dounin <mdounin@mdounin.ru>
Date: Mon, 15 Apr 2019 17:14:07 +0000 (+0300)
Subject: Fixed incorrect length handling in ngx_utf8_length().
X-Git-Tag: release-1.15.12~2
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=f09eae2a7586c5149fe7eaa497c8ff1be684270f;p=nginx.git

Fixed incorrect length handling in ngx_utf8_length().

Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.

Reported by Yunbin Liu.
---

diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
index 04980f8c3..468e9600c 100644
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1381,7 +1381,7 @@ ngx_utf8_length(u_char *p, size_t n)
             continue;
         }
 
-        if (ngx_utf8_decode(&p, n) > 0x10ffff) {
+        if (ngx_utf8_decode(&p, last - p) > 0x10ffff) {
             /* invalid UTF-8 */
             return n;
         }