{
  "original_root_cause": "In ngx_http_dav_copy_move_handler(), the Destination header URI (duri) is temporarily assigned to r->uri before calling ngx_http_map_uri_to_path(). Inside ngx_http_map_uri_to_path(), the buffer size is computed as clcf->root.len + reserved + r->uri.len - alias + 1 using unsigned size_t arithmetic. When duri.len < clcf->alias, the subtraction underflows, causing a near-zero heap allocation followed by a massive out-of-bounds write in memcpy.",
  "variant_root_cause": "All tested alternate triggers reach the exact same underflow in ngx_http_map_uri_to_path() via the same code path (ngx_http_dav_copy_move_handler). The only difference is the location configuration (prefix vs exact-match vs nested vs script alias) or the HTTP method (COPY vs MOVE) or the encoding of the Destination header. None represent a different root cause.",
  "equivalence_confidence": "high",
  "same_sink": true,
  "same_underflow_condition": true,
  "same_function": "ngx_http_map_uri_to_path",
  "same_file": "src/http/ngx_http_core_module.c",
  "same_line": 1987,
  "notes": "The exact-match location variant produced size=-4 (alias=7, duri=3) while the prefix location produced size=-5 (alias=7, duri=2). The script alias and nested variants produced size=-5. These are all manifestations of the identical arithmetic underflow with different numerical offsets."
}