Fixed ngx_parse_time() out of bounds access (ticket #821).

The code failed to ensure that "s" is within the buffer passed for parsing when checking for "ms", and this resulted in unexpected errors when parsing non-null-terminated strings with trailing "m". The bug manifested itself when the expires directive was used with variables. Found by Roman Arutyunyan.
2015-10-30 21:43:30 +03:00 · 2015-10-30 21:43:30 +03:00 · f38b4d5a56
parent fe6e13e579
commit f38b4d5a56
1 changed files with 1 additions and 1 deletions
--- a/src/core/ngx_parse.c
+++ b/src/core/ngx_parse.c
@ -188,7 +188,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint_t is_sec)
            break;

        case 'm':
-            if (*p == 's') {
+            if (p < last && *p == 's') {
                if (is_sec || step >= st_msec) {
                    return NGX_ERROR;
                }