Core: fixed overflow in ngx_palloc_small() with alignment.

The original comparison "(size_t) (p->d.end - m) >= size" could produce
incorrect results when alignment is enabled. If ngx_align_ptr() moves m
beyond p->d.end, the subtraction yields a negative value that wraps to
a large unsigned integer due to the size_t cast, causing the check to
pass incorrectly. This would return an invalid pointer beyond the pool
boundary and corrupt p->d.last.

Reordering prevents unsigned wraparound and correctly validates that
the aligned pointer m has sufficient space remaining in the pool block.
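To make the wraparound described above concrete, the following is an added C demonstration (not nginx code) that replays the two comparisons on a constructed pool block; the 8-byte alignment, the block layout and the helper names are assumptions for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ALIGNMENT 8u  /* stands in for NGX_ALIGNMENT in this demo */

/* Same rounding as ngx_align_ptr(): round p up to a multiple of ALIGNMENT. */
static unsigned char *align_ptr(unsigned char *p) {
    return (unsigned char *)(((uintptr_t)p + (ALIGNMENT - 1)) & ~(uintptr_t)(ALIGNMENT - 1));
}

/* Comparison before the fix. When m has been aligned past end, end - m is
 * negative and the size_t cast wraps to a huge value, so the check passes. */
static bool old_check(unsigned char *end, unsigned char *m, size_t size) {
    return (size_t)(end - m) >= size;
}

/* Comparison after the fix: subtract size from end first, so an m that lies
 * past end can never satisfy the test. */
static bool new_check(unsigned char *end, unsigned char *m, size_t size) {
    return end - size >= m;
}

/* Constructed backing store, 8-byte aligned; all pointers stay inside it so
 * the demo itself has no out-of-bounds arithmetic. */
static uint64_t storage[16];

/* Model the tail of a block: the fill pointer sits at block + last_off, the
 * block ends at block + end_off, and a request of `size` bytes arrives. */
static bool old_check_at(size_t last_off, size_t end_off, size_t size) {
    unsigned char *block = (unsigned char *)storage;
    return old_check(block + end_off, align_ptr(block + last_off), size);
}

static bool new_check_at(size_t last_off, size_t end_off, size_t size) {
    unsigned char *block = (unsigned char *)storage;
    return new_check(block + end_off, align_ptr(block + last_off), size);
}

int main(void) {
    /* last at +53 aligns to +56, which is past an end at +55: the old check
     * wrongly passes, the new one fails. With end at +80 both accept. */
    printf("past end: old=%d new=%d\n", old_check_at(53, 55, 8), new_check_at(53, 55, 8));
    printf("fits:     old=%d new=%d\n", old_check_at(53, 80, 8), new_check_at(53, 80, 8));
    return 0;
}
```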
Alexander Sorokin 2025-11-19 14:43:04 +03:00
parent 6ed1188411
commit 9dd81a8966
1 changed file with 1 addition and 1 deletion


@ -160,7 +160,7 @@ ngx_palloc_small(ngx_pool_t *pool, size_t size, ngx_uint_t align)
m = ngx_align_ptr(m, NGX_ALIGNMENT);
}
if ((size_t) (p->d.end - m) >= size) {
if (p->d.end - size >= m) {
p->d.last = m + size;
return m;
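Review bot: the replacement test `p->d.end - size >= m` forms the pointer `p->d.end - size`, which is only well defined while it stays inside the block, so correctness now rests on `size` never exceeding the block's usable length; that bound is enforced by the caller and not visible in this hunk. Suggest a short comment above the `if` recording that assumption (for example, `/* size <= pool->max, so end - size stays inside the block */`) so a later change to the size limit does not silently reintroduce undefined behaviour. The reordering itself does what the message says: an `m` that `ngx_align_ptr()` moved past `p->d.end` now fails the comparison instead of wrapping.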