Fixed incorrect length handling in ngx_utf8_length().

Previously, ngx_utf8_decode() was called from ngx_utf8_length() with incorrect length, potentially resulting in out-of-bounds read when handling invalid UTF-8 strings. In practice out-of-bounds reads are not possible though, as autoindex, the only user of ngx_utf8_length(), provides null-terminated strings, and ngx_utf8_decode() anyway returns an errors when it sees a null in the middle of an UTF-8 sequence. Reported by Yunbin Liu.
2025-06-11 04:12:40 +08:00 · 2019-04-15 20:14:07 +03:00 · 2019-04-15 20:14:07 +03:00 · f09eae2a75
commit f09eae2a75
parent 5784889fb9
1 changed files with 1 additions and 1 deletions
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@ -1381,7 +1381,7 @@ ngx_utf8_length(u_char *p, size_t n)
            continue;
        }

-        if (ngx_utf8_decode(&p, n) > 0x10ffff) {
+        if (ngx_utf8_decode(&p, last - p) > 0x10ffff) {
            /* invalid UTF-8 */
            return n;
        }