changeset 6344:a8ecb0a2193f stable-1.8

Fixed ngx_parse_time() out of bounds access (ticket #821). The code failed to ensure that "s" is within the buffer passed for parsing when checking for "ms", and this resulted in unexpected errors when parsing non-null-terminated strings with trailing "m". The bug manifested itself when the expires directive was used with variables. Found by Roman Arutyunyan.
author Maxim Dounin <mdounin@mdounin.ru>
date Fri, 30 Oct 2015 21:43:30 +0300
parents 60ae75969588
children 5ae5142d39a3
files src/core/ngx_parse.c
diffstat 1 files changed, 1 insertions(+), 1 deletions(-)
--- a/src/core/ngx_parse.c
+++ b/src/core/ngx_parse.c
@@ -188,7 +188,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
             break;
 
         case 'm':
-            if (*p == 's') {
+            if (p < last && *p == 's') {
                 if (is_sec || step >= st_msec) {
                     return NGX_ERROR;
                 }
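Review bot: The new `p < last` guard in the `case 'm':` branch has no regression test alongside it, since the changeset touches only src/core/ngx_parse.c. Consider adding a test that feeds ngx_parse_time() a non-null-terminated ngx_str_t whose last byte is "m" (the expires-with-variables case from the commit message), with the byte just past the buffer set to "s", so a missing bounds check fails visibly. A short comment at the check stating that the input is not guaranteed to be null-terminated would also keep the reason for `p < last` clear to later editors. Whether other branches of this switch look ahead at `*p` in the same way is not visible in this hunk and is worth confirming against the full function.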