mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-12 13:42:55 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fixed incorrect length handling in ngx_utf8_length().

Browse Source 
Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.

Reported by Yunbin Liu.
This commit is contained in:
Maxim Dounin 2019-04-15 20:14:07 +03:00
parent 5784889fb9
commit f09eae2a75
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/core/ngx_string.c
View File

@ -1381,7 +1381,7 @@ ngx_utf8_length(u_char *p, size_t n)
continue; continue;
} }
if (ngx_utf8_decode(&p, n) > 0x10ffff) { if (ngx_utf8_decode(&p, last - p) > 0x10ffff) {
/* invalid UTF-8 */ /* invalid UTF-8 */
return n; return n;
} }