From 9dd81a89661f33e0bacda84b1419dc8aaba8abfe Mon Sep 17 00:00:00 2001 From: Alexander Sorokin Date: Wed, 19 Nov 2025 14:43:04 +0300 Subject: [PATCH] Core: fixed overflow in ngx_palloc_small() with alignment. The original comparison "(size_t) (p->d.end - m) >= size" could produce incorrect results when alignment is enabled. If ngx_align_ptr() moves m beyond p->d.end, the subtraction yields a negative value that wraps to a large unsigned integer due to the size_t cast, causing the check to pass incorrectly. This would return an invalid pointer beyond the pool boundary and corrupt p->d.last. Reordering prevents unsigned wraparound and correctly validates that the aligned pointer m has sufficient space remaining in the pool block. --- src/core/ngx_palloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/ngx_palloc.c b/src/core/ngx_palloc.c index d3044ac9c..016dc3f78 100644 --- a/src/core/ngx_palloc.c +++ b/src/core/ngx_palloc.c @@ -160,7 +160,7 @@ ngx_palloc_small(ngx_pool_t *pool, size_t size, ngx_uint_t align) m = ngx_align_ptr(m, NGX_ALIGNMENT); } - if ((size_t) (p->d.end - m) >= size) { + if (p->d.end - size >= m) { p->d.last = m + size; return m;
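Review bot: the reordered check `if (p->d.end - size >= m)` in the ngx_palloc_small() hunk still depends on `size` never exceeding the distance from the start of the block to `p->d.end`; if it did, `p->d.end - size` would itself be a pointer computed outside the block and the comparison would inherit the same out-of-range behaviour the patch is removing. That bound is not visible in the hunk, so please state the invariant the function relies on in a one-line comment next to the check, e.g. `/* size is bounded by the caller, so p->d.end - size stays inside the block */`, or guard it explicitly if the caller does not guarantee it. It would also help future readers to note, either in that comment or in the commit message, that after `m = ngx_align_ptr(m, NGX_ALIGNMENT);` the aligned `m` may legitimately sit up to NGX_ALIGNMENT - 1 bytes past `p->d.end`, which is precisely the case the old `(size_t) (p->d.end - m) >= size` wrapped on and the new form now rejects, so the fall-through to the next block (or a new block) is the intended path rather than an error.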