From: Maxim Dounin <mdounin@mdounin.ru>
Date: Fri, 30 Oct 2015 18:43:30 +0000 (+0300)
Subject: Fixed ngx_parse_time() out of bounds access (ticket #821).
X-Git-Tag: release-1.8.1~9
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=d4cd59c17b003dfbc121e48473dd2604e76c7fdf;p=nginx.git

Fixed ngx_parse_time() out of bounds access (ticket #821).

The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m".  The bug manifested
itself when the expires directive was used with variables.

Found by Roman Arutyunyan.
---

diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c
index d7350d423..7b60c5fb6 100644
--- a/src/core/ngx_parse.c
+++ b/src/core/ngx_parse.c
@@ -188,7 +188,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint_t is_sec)
             break;
 
         case 'm':
-            if (*p == 's') {
+            if (p < last && *p == 's') {
                 if (is_sec || step >= st_msec) {
                     return NGX_ERROR;
                 }