diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2015-10-30 21:43:30 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2015-10-30 21:43:30 +0300 |
| commit | f9cce38e497577449f1a29017d177ca753491885 (patch) | |
| tree | c3c3ef6aae2ead19684511c011be677779c3bc59 /src/core/ngx_parse.c | |
| parent | e7d298f3fc79785d22a1227b3c140529a6356fff (diff) | |
| download | nginx-f9cce38e497577449f1a29017d177ca753491885.tar.gz nginx-f9cce38e497577449f1a29017d177ca753491885.zip | |
Fixed ngx_parse_time() out of bounds access (ticket #821).
The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m". The bug manifested
itself when the expires directive was used with variables.
Found by Roman Arutyunyan.
Diffstat (limited to 'src/core/ngx_parse.c')
| -rw-r--r-- | src/core/ngx_parse.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c index d7350d423..7b60c5fb6 100644 --- a/src/core/ngx_parse.c +++ b/src/core/ngx_parse.c @@ -188,7 +188,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint_t is_sec) break; case 'm': - if (*p == 's') { + if (p < last && *p == 's') { if (is_sec || step >= st_msec) { return NGX_ERROR; } |