﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
141	Nginx 1.1.18 Crash (off by one bug) -> Windows	Benjamin Johnson	somebody	"Windows 7
Repeatable
Many Nginx versions, I reproduced it with Nginx 1.0.X (I believe several versions had this issue including 1.0.14, although I didn't do analysis), and from compiled source 1.1.18.

In src/os/win32/ngx_shmem.c, ngx_alloc does not account for the %Z (terminating \0).  I was getting relatively frequent crashes on simple requests.


Index: src/os/win32/ngx_shmem.c
===================================================================
--- src/os/win32/ngx_shmem.c	(revision 4568)
+++ src/os/win32/ngx_shmem.c	(working copy)
@@ -15,7 +15,7 @@
     u_char    *name;
     uint64_t   size;
 
-    name = ngx_alloc(shm->name.len + 2 + sizeof(NGX_INT32_LEN), shm->log);
+    name = ngx_alloc(shm->name.len + 2 + sizeof(NGX_INT32_LEN) + 1, shm->log);
     if (name == NULL) {
         return NGX_ERROR;
     }
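Review bot: the `+ 1` on the `ngx_alloc` line only covers the `%Z` terminator the description mentions, while the visible `sizeof(NGX_INT32_LEN)` term is itself wrong: `NGX_INT32_LEN` is nginx's integer constant for the decimal length of an int32 (11), so `sizeof` of it yields the size of an `int` (typically 4) rather than 11, and the buffer stays several bytes short for long unique suffixes even with this patch. Suggest `name = ngx_alloc(shm->name.len + 2 + NGX_INT32_LEN + 1, shm->log);` and, since the `ngx_sprintf` that fills this buffer is outside the hunk, confirm the total against that format string (name, separator, formatted integer, terminating NUL) before committing.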

"	defect	closed	critical		nginx-core	1.1.x	duplicate			windows 7 64-bit	1.1.18
