From 898daba1d6646eaa942870296f1c9fefde3560c2 Mon Sep 17 00:00:00 2001
From: Maks <cnegbyj99@yandex.ru>
Date: Thu, 20 Nov 2025 13:24:53 +0300
Subject: [PATCH] Core: skip unset modules in ngx_count_modules()

During reload, modules removed from config retain ctx_index ==
NGX_MODULE_UNSET_INDEX in old_cycle. Because NGX_MODULE_UNSET_INDEX
equals (ngx_uint_t)-1, the condition "if (module->ctx_index > max)"
evaluates to true, and max is assigned this large value.
The subsequent "max + 1" wraps around to 0 due to unsigned integer
overflow, causing zero-sized allocations and a segfault in stream
module initialization.

Skip such modules to prevent overflow.
The issue was introduced in commit 97f59dda0 ("Dynamic modules.").
---
 src/core/ngx_module.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/core/ngx_module.c b/src/core/ngx_module.c
index 3e3c50683..bd36f1601 100644
--- a/src/core/ngx_module.c
+++ b/src/core/ngx_module.c
@@ -139,6 +139,10 @@ ngx_count_modules(ngx_cycle_t *cycle, ngx_uint_t type)
                 continue;
             }
 
+            if (module->ctx_index == NGX_MODULE_UNSET_INDEX) {
+                continue;
+            }
+
             if (module->ctx_index > max) {
                 max = module->ctx_index;
             }