# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1446230610 -10800
# Node ID a8ecb0a2193f1ae8d2c6d9e0b8caec945363017c
# Parent  60ae7596958804ddb6cb6411017254252ccc2aeb
Fixed ngx_parse_time() out of bounds access (ticket #821).

The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m".  The bug manifested
itself when the expires directive was used with variables.

Found by Roman Arutyunyan.

diff -r 60ae75969588 -r a8ecb0a2193f src/core/ngx_parse.c
--- a/src/core/ngx_parse.c	Mon Oct 19 21:22:38 2015 +0300
+++ b/src/core/ngx_parse.c	Fri Oct 30 21:43:30 2015 +0300
@@ -188,7 +188,7 @@
             break;
 
         case 'm':
-            if (*p == 's') {
+            if (p < last && *p == 's') {
                 if (is_sec || step >= st_msec) {
                     return NGX_ERROR;
                 }