From f09eae2a7586c5149fe7eaa497c8ff1be684270f Mon Sep 17 00:00:00 2001
From: Maxim Dounin <mdounin@mdounin.ru>
Date: Mon, 15 Apr 2019 20:14:07 +0300
Subject: [PATCH] Fixed incorrect length handling in ngx_utf8_length().

Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.

Reported by Yunbin Liu.
---
 src/core/ngx_string.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
index 04980f8c3..468e9600c 100644
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1381,7 +1381,7 @@ ngx_utf8_length(u_char *p, size_t n)
             continue;
         }
 
-        if (ngx_utf8_decode(&p, n) > 0x10ffff) {
+        if (ngx_utf8_decode(&p, last - p) > 0x10ffff) {
             /* invalid UTF-8 */
             return n;
         }