Mercurial > hg > nginx
comparison src/core/ngx_parse.c @ 6287:4ccb37b04454
Fixed ngx_parse_time() out of bounds access (ticket #821).
The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m". The bug manifested
itself when the expires directive was used with variables.
Found by Roman Arutyunyan.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Fri, 30 Oct 2015 21:43:30 +0300 |
| parents | 429a8c65f0a7 |
| children | 87cf6ddb41c2 |
comparison
equal
deleted
inserted
replaced
| 6286:a6a2016b8e31 | 6287:4ccb37b04454 |
|---|---|
| 186 max = NGX_MAX_INT_T_VALUE / (60 * 60); | 186 max = NGX_MAX_INT_T_VALUE / (60 * 60); |
| 187 scale = 60 * 60; | 187 scale = 60 * 60; |
| 188 break; | 188 break; |
| 189 | 189 |
| 190 case 'm': | 190 case 'm': |
| 191 if (*p == 's') { | 191 if (p < last && *p == 's') { |
| 192 if (is_sec || step >= st_msec) { | 192 if (is_sec || step >= st_msec) { |
| 193 return NGX_ERROR; | 193 return NGX_ERROR; |
| 194 } | 194 } |
| 195 p++; | 195 p++; |
| 196 step = st_msec; | 196 step = st_msec; |