nginx.git/src/http/modules, branch release-1.28.3 nginx Dav: destination length validation for COPY and MOVE. 2026-03-24T18:33:23+00:00 Roman Arutyunyan arut@nginx.com 2026-03-16T16:13:03+00:00 a1d18284e0a173c4ef2b28425535d0f640ae0a82 Previously, when alias was used in a location with Dav COPY or MOVE enabled, and the destination URI was shorter than the alias, integer underflow could happen in ngx_http_map_uri_to_path(), which could result in heap buffer overwrite, followed by a possible segfault. With some implementations of memcpy(), the segfault could be avoided and the overwrite could result in a change of the source or destination file names to be outside of the location root. Reported by Calif.io in collaboration with Claude and Anthropic Research. 
Previously, when alias was used in a location with Dav COPY or MOVE
enabled, and the destination URI was shorter than the alias, integer
underflow could happen in ngx_http_map_uri_to_path(), which could
result in heap buffer overwrite, followed by a possible segfault.
With some implementations of memcpy(), the segfault could be avoided
and the overwrite could result in a change of the source or destination
file names to be outside of the location root.

Reported by Calif.io in collaboration with Claude and Anthropic Research.
Mp4: fixed possible integer overflow on 32-bit platforms. 2026-03-24T18:33:23+00:00 Roman Arutyunyan arut@nginx.com 2026-03-02T17:12:34+00:00 b23ac73b00313d159a99636c21ef71b828781018 Previously, a 32-bit overflow could happen while validating atom entries count. This allowed processing of an invalid atom with entrires beyond its boundaries with reads and writes outside of the allocated mp4 buffer. Reported by Prabhav Srinath (sprabhav7). 
Previously, a 32-bit overflow could happen while validating atom entries
count.  This allowed processing of an invalid atom with entrires beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.

Reported by Prabhav Srinath (sprabhav7).
Mp4: avoid zero size buffers in output. 2026-03-24T18:33:23+00:00 Roman Arutyunyan arut@nginx.com 2026-02-21T08:04:36+00:00 a172c880cb51f882a5dc999437e8b3a4f87630cc Previously, data validation checks did not cover the cases when the output contained empty buffers. Such buffers are considered illegal and produce "zero size buf in output" alerts. The change rejects the mp4 files which produce such alerts. Also, the change fixes possible buffer overread and overwrite that could happen while processing empty stco and co64 atoms, as reported by Pavel Kohout (Aisle Research) and Tim Becker. 
Previously, data validation checks did not cover the cases when the output
contained empty buffers.  Such buffers are considered illegal and produce
"zero size buf in output" alerts.  The change rejects the mp4 files which
produce such alerts.

Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
Mp4: validate sync sample values in stss atom. 2026-03-24T18:33:23+00:00 CodeByMoriarty czyrabriones4@gmail.com 2026-02-23T00:45:47+00:00 4f0df130ba72982d34984f38d5007898765716b8 Per ISO 14496-12 Section 8.6.2, sync sample numbers must be 1-based. A zero-valued stss entry caused ngx_http_mp4_seek_key_frame() to return a key_prefix exceeding the samples consumed in the forward stts pass, which led the backward loop in ngx_http_mp4_crop_stts_data() to walk past the beginning of the stts data buffer. The fix validates each stss entry in ngx_http_mp4_seek_key_frame() and returns an error if a zero sync sample is encountered. The function signature is changed to return ngx_int_t so it can signal errors to the caller. 
Per ISO 14496-12 Section 8.6.2, sync sample numbers must be 1-based.
A zero-valued stss entry caused ngx_http_mp4_seek_key_frame() to
return a key_prefix exceeding the samples consumed in the forward
stts pass, which led the backward loop in ngx_http_mp4_crop_stts_data()
to walk past the beginning of the stts data buffer.

The fix validates each stss entry in ngx_http_mp4_seek_key_frame()
and returns an error if a zero sync sample is encountered.  The
function signature is changed to return ngx_int_t so it can signal
errors to the caller.
Proxy: fixed segfault in URI change. 2025-12-23T18:40:33+00:00 Sergey Kandaurov pluknet@nginx.com 2025-11-24T11:57:09+00:00 eec047c936347bb1ebb6266a4c83f31fa9c78e24 If request URI was shorter than location prefix, as after replacement with try_files, location length was used to copy the remaining URI part leading to buffer overread. The fix is to replace full request URI in this case. In the following configuration, request "/123" is changed to "/" when sent to backend. location /1234 { try_files /123 =404; proxy_pass http://127.0.0.1:8080/; } Closes #983 on GitHub. 
If request URI was shorter than location prefix, as after replacement
with try_files, location length was used to copy the remaining URI part
leading to buffer overread.

The fix is to replace full request URI in this case.  In the following
configuration, request "/123" is changed to "/" when sent to backend.

    location /1234 {
        try_files /123 =404;
        proxy_pass http://127.0.0.1:8080/;
    }

Closes #983 on GitHub.
OCSP: fixed invalid type for the 'ssl_ocsp' directive. 2025-12-23T18:40:33+00:00 Roman Semenov r.semenov@f5.com 2025-10-22T18:24:27+00:00 366b5c65ad4b520525865f19bf74e4ee69ca15df 






Fixed inaccurate index directive error report.
2025-12-23T18:40:33+00:00

willmafh
willmafh@hotmail.com

2025-09-08T14:03:30+00:00

ffad76677c1a3a96b0daed4dd4df0bd9e9e6aa65












Auth basic: fixed file descriptor leak on memory allocation error.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-08-08T15:44:27+00:00

95b81d1c2080ca826267b593a4434151064bed4e

Found by Coverity (CID 1662016).





Found by Coverity (CID 1662016).







Use NULL instead of 0 for null pointer constant.
2025-12-23T18:40:33+00:00

Andrew Clayton
a.clayton@nginx.com

2025-05-21T21:30:20+00:00

a39be5d9d296b72091f3181eea58303ac8d0828f

There were a few random places where 0 was being used as a null pointer
constant.

We have a NULL macro for this very purpose, use it.

There is also some interest in actually deprecating the use of 0 as a
null pointer constant in C.

This was found with -Wzero-as-null-pointer-constant which was enabled
for C in GCC 15 (not enabled with Wall or Wextra... yet).

Link: <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117059>





There were a few random places where 0 was being used as a null pointer
constant.

We have a NULL macro for this very purpose, use it.

There is also some interest in actually deprecating the use of 0 as a
null pointer constant in C.

This was found with -Wzero-as-null-pointer-constant which was enabled
for C in GCC 15 (not enabled with Wall or Wextra... yet).

Link: <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117059>







Use NGX_CONF_OK in some function return checks.
2025-12-23T18:40:33+00:00

Andrew Clayton
a.clayton@nginx.com

2025-05-21T21:19:32+00:00

36744831036cc4f68b32f02d1cd1bd33352bd298

The functions ngx_http_merge_types() & ngx_conf_merge_path_value()
return either NGX_CONF_OK aka NULL aka ((void *)0) (probably) or
NGX_CONF_ERROR aka ((void *)-1).

They don't return an integer constant which is what NGX_OK aka (0) is.

Lets use the right thing in the function return check.

This was found with -Wzero-as-null-pointer-constant which was enabled
for C in GCC 15 (not enabled with Wall or Wextra... yet).

Link: <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117059>





The functions ngx_http_merge_types() & ngx_conf_merge_path_value()
return either NGX_CONF_OK aka NULL aka ((void *)0) (probably) or
NGX_CONF_ERROR aka ((void *)-1).

They don't return an integer constant which is what NGX_OK aka (0) is.

Lets use the right thing in the function return check.

This was found with -Wzero-as-null-pointer-constant which was enabled
for C in GCC 15 (not enabled with Wall or Wextra... yet).

Link: <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117059>