diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2015-10-30 21:43:30 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2015-10-30 21:43:30 +0300 |
| commit | d4cd59c17b003dfbc121e48473dd2604e76c7fdf (patch) | |
| tree | 4769f196ba264fbae36a6ebb74817d2e3dfe7fc2 | |
| parent | 440759bd6622c3db4ebf3ad60b497f0eaec203dd (diff) | |
Fixed ngx_parse_time() out of bounds access (ticket #821).
The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m". The bug manifested
itself when the expires directive was used with variables.
Found by Roman Arutyunyan.
| -rw-r--r-- | src/core/ngx_parse.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c index d7350d423..7b60c5fb6 100644 --- a/src/core/ngx_parse.c +++ b/src/core/ngx_parse.c @@ -188,7 +188,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint_t is_sec) break; case 'm': - if (*p == 's') { + if (p < last && *p == 's') { if (is_sec || step >= st_msec) { return NGX_ERROR; } |