Mercurial > hg > nginx
comparison src/core/ngx_parse.c @ 6287:4ccb37b04454
Fixed ngx_parse_time() out of bounds access (ticket #821).
The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m". The bug manifested
itself when the expires directive was used with variables.
Found by Roman Arutyunyan.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Fri, 30 Oct 2015 21:43:30 +0300 |
parents | 429a8c65f0a7 |
children | 87cf6ddb41c2 |
comparison
equal
deleted
inserted
replaced
6286:a6a2016b8e31 | 6287:4ccb37b04454 |
---|---|
186 max = NGX_MAX_INT_T_VALUE / (60 * 60); | 186 max = NGX_MAX_INT_T_VALUE / (60 * 60); |
187 scale = 60 * 60; | 187 scale = 60 * 60; |
188 break; | 188 break; |
189 | 189 |
190 case 'm': | 190 case 'm': |
191 if (*p == 's') { | 191 if (p < last && *p == 's') { |
192 if (is_sec || step >= st_msec) { | 192 if (is_sec || step >= st_msec) { |
193 return NGX_ERROR; | 193 return NGX_ERROR; |
194 } | 194 } |
195 p++; | 195 p++; |
196 step = st_msec; | 196 step = st_msec; |