From 2b502468588835e479fcd76a2cc0d00394f2c32c Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov
Date: Fri, 14 Nov 2025 18:14:18 +0400
Subject: [PATCH] HTTP/2: extended guard for NULL buffer and zero length.

In addition to moving memcpy() under the length condition in 15bf6d8cc, which addressed a reported UB due to string function conventions, this is repeated for advancing an input buffer, to make the resulting code more clean and readable.

Additionally, although considered harmless for both string functions and additive operators, as previously discussed in GitHub PR 866, this fixes the main source of annoying sanitizer reports in the module.

Prodded by UndefinedBehaviorSanitizer (pointer-overflow).
---
 src/http/v2/ngx_http_v2.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index dba4477d5..b2eef3699 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -4102,15 +4102,14 @@ ngx_http_v2_process_request_body(ngx_http_request_t *r, u_char *pos,
 n = size;
 }
- if (n > 0) {
- rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
- }
-
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0, "http2 request body recv %uz", n);
- pos += n;
- size -= n;
+ if (n > 0) {
+ rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
+ pos += n;
+ size -= n;
+ }
 if (size == 0 && last) {
 rb->rest = 0;
-- 
2.47.3
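Review bot: The new `if (n > 0)` guard has no comment explaining why the copy and the `pos`/`size` updates are skipped for a zero length, so a later cleanup could hoist them back out and bring the sanitizer reports back. Going by the commit message, the case being guarded is a NULL `pos` arriving with a zero length, where both memcpy() and pointer addition are formally undefined. A one-line comment above the guard would record that, for example `/* pos may be NULL when size is 0: skip the copy and the pointer arithmetic */`. Whatever bounds `n` against the space left in `rb->buf` is presumably above the hunk (only `n = size;` is visible), and ngx_http_v2_process_request_body() starts and ends outside it, so that bound cannot be confirmed from here.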