nginx WebDAV: heap-buffer-overflow in COPY/MOVE with alias directive
What's the vulnerability?
ngx_http_dav_module handles WebDAV PUT/DELETE/MKCOL/COPY/MOVE. For COPY and MOVE it constructs the destination filesystem path from the request's Destination: header. When the matched location uses alias /some/dir/; (rather than root) and a prefix that doesn't match the URI segment 1:1, the length calculation that sizes the destination string buffer underestimates by the alias substitution offset. The destination filename is then written past the end of a heap allocation in the nginx worker process — a heap-buffer-overflow write reachable unauthenticated on any nginx host that turns on dav_methods under such a location.
The reachable side effects depend on what the overflow corrupts:
- denial-of-service via worker crash and respawn loop;
- in some configurations, arbitrary file write at controllable paths (the F5 advisory rates impact "I:L A:H");
- possible escalation to RCE via worker-heap corruption (not guaranteed, depends on allocator state).
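To find exposed hosts, the sketch below (an added example, not code from the advisory, nginx, or Pruva) scans a flattened configuration for `location` blocks where `alias` is set and COPY or MOVE is in effect through `dav_methods`, whether set locally or inherited from an enclosing block. It assumes input such as `nginx -T` output, does not follow `include` lines, and does not evaluate the prefix-mismatch condition; `parse`, `audit` and the sample config are constructed for illustration.

```python
import re
# Constructed sample standing in for `nginx -T` output (not taken from the page).
SAMPLE = """
http {
  server {
    location /a/ { alias /srv/a/; }                    # inherits MOVE from server
    location /b/ { alias /srv/b/; dav_methods off; }   # DAV disabled here
    location /c/ { root /srv; }                        # root, not alias
    dav_methods PUT MOVE;                              # declared after the locations
  }
  server {
    location /files/ { alias "/data/dav/"; dav_methods PUT DELETE COPY MOVE; }
  }
}
"""
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};]+')
RISKY = {"COPY", "MOVE"}

def parse(conf):
    """Build a block tree, recording only the dav_methods and alias directives."""
    root = {"name": "main", "dav": None, "alias": None, "kids": []}
    stack, stmt = [root], []
    for tok in TOKEN.findall(re.sub(r"(?m)#.*$", "", conf)):  # '#' in quotes not handled
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":
            node = {"name": " ".join(stmt), "dav": None, "alias": None, "kids": []}
            stack[-1]["kids"].append(node)
            stack.append(node)
        elif tok == "}":
            stack = stack[:-1] or [root]   # tolerate an unbalanced closing brace
        elif len(stmt) > 1 and stmt[0] == "dav_methods":
            stack[-1]["dav"] = {m.upper() for m in stmt[1:]}
        elif len(stmt) > 1 and stmt[0] == "alias":
            stack[-1]["alias"] = stmt[1].strip("\"'")
        stmt = []
    return root

def audit(node, inherited=frozenset(), out=None):
    """Return (location, alias, methods) for alias locations where COPY/MOVE is in effect."""
    out = [] if out is None else out
    dav = node["dav"] if node["dav"] is not None else inherited
    if node["name"].startswith("location") and node["alias"] and dav & RISKY:
        out.append((node["name"], node["alias"], sorted(dav & RISKY)))
    for kid in node["kids"]:
        audit(kid, dav, out)   # children inherit dav_methods unless they set their own
    return out
print(audit(parse(SAMPLE)))
```

Each finding is a candidate for review against the advisory, not proof that the location is exploitable.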
Root Cause Analysis
Variant Analysis
Bypass and alternate trigger exploration (if present).
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
pruva-verify REPRO-2026-00171
pruva-verify CVE-2026-27654
curl -fsSL https://pruva.dev/install.sh | sh
Or Run Manually
Download the script
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00171/artifacts/bundle/repro/reproduction_steps.sh
Make executable
chmod +x reproduction_steps.sh
Run the script
./reproduction_steps.sh