[nginx] Core: overflow detection in ngx_parse_time() (ticket #732).

[Maxim Dounin]

details:   http://hg.nginx.org/nginx/rev/8ec0f199cc81
branches:  stable-1.6
changeset: 6085:8ec0f199cc81
user:      Ruslan Ermilov <ru at nginx.com>
date:      Tue Mar 17 00:26:20 2015 +0300
description:
Core: overflow detection in ngx_parse_time() (ticket #732).

diffstat:

 src/core/ngx_parse.c |  53 ++++++++++++++++++++++++++++++++++++---------------
 1 files changed, 37 insertions(+), 16 deletions(-)

diffs (161 lines):

diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c
--- a/src/core/ngx_parse.c
+++ b/src/core/ngx_parse.c
@@ -103,7 +103,8 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
 {
     u_char      *p, *last;
     ngx_int_t    value, total, scale;
-    ngx_uint_t   max, valid;
+    ngx_int_t    max, cutoff, cutlim;
+    ngx_uint_t   valid;
     enum {
         st_start = 0,
         st_year,
@@ -120,6 +121,8 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
     valid = 0;
     value = 0;
     total = 0;
+    cutoff = NGX_MAX_INT_T_VALUE / 10;
+    cutlim = NGX_MAX_INT_T_VALUE % 10;
     step = is_sec ? st_start : st_month;
 
     p = line->data;
@@ -128,6 +131,10 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
     while (p < last) {
 
         if (*p >= '0' && *p <= '9') {
+            if (value >= cutoff && (value > cutoff || *p - '0' > cutlim)) {
+                return NGX_ERROR;
+            }
+
             value = value * 10 + (*p++ - '0');
             valid = 1;
             continue;
@@ -140,7 +147,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
                 return NGX_ERROR;
             }
             step = st_year;
-            max = NGX_MAX_INT32_VALUE / (60 * 60 * 24 * 365);
+            max = NGX_MAX_INT_T_VALUE / (60 * 60 * 24 * 365);
             scale = 60 * 60 * 24 * 365;
             break;
 
@@ -149,7 +156,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
                 return NGX_ERROR;
             }
             step = st_month;
-            max = NGX_MAX_INT32_VALUE / (60 * 60 * 24 * 30);
+            max = NGX_MAX_INT_T_VALUE / (60 * 60 * 24 * 30);
             scale = 60 * 60 * 24 * 30;
             break;
 
@@ -158,7 +165,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
                 return NGX_ERROR;
             }
             step = st_week;
-            max = NGX_MAX_INT32_VALUE / (60 * 60 * 24 * 7);
+            max = NGX_MAX_INT_T_VALUE / (60 * 60 * 24 * 7);
             scale = 60 * 60 * 24 * 7;
             break;
 
@@ -167,7 +174,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
                 return NGX_ERROR;
             }
             step = st_day;
-            max = NGX_MAX_INT32_VALUE / (60 * 60 * 24);
+            max = NGX_MAX_INT_T_VALUE / (60 * 60 * 24);
             scale = 60 * 60 * 24;
             break;
 
@@ -176,7 +183,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
                 return NGX_ERROR;
             }
             step = st_hour;
-            max = NGX_MAX_INT32_VALUE / (60 * 60);
+            max = NGX_MAX_INT_T_VALUE / (60 * 60);
             scale = 60 * 60;
             break;
 
@@ -187,7 +194,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
                 }
                 p++;
                 step = st_msec;
-                max = NGX_MAX_INT32_VALUE;
+                max = NGX_MAX_INT_T_VALUE;
                 scale = 1;
                 break;
             }
@@ -196,7 +203,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
                 return NGX_ERROR;
             }
             step = st_min;
-            max = NGX_MAX_INT32_VALUE / 60;
+            max = NGX_MAX_INT_T_VALUE / 60;
             scale = 60;
             break;
 
@@ -205,7 +212,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
                 return NGX_ERROR;
             }
             step = st_sec;
-            max = NGX_MAX_INT32_VALUE;
+            max = NGX_MAX_INT_T_VALUE;
             scale = 1;
             break;
 
@@ -214,7 +221,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
                 return NGX_ERROR;
             }
             step = st_last;
-            max = NGX_MAX_INT32_VALUE;
+            max = NGX_MAX_INT_T_VALUE;
             scale = 1;
             break;
 
@@ -227,16 +234,18 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
             max /= 1000;
         }
 
-        if ((ngx_uint_t) value > max) {
+        if (value > max) {
             return NGX_ERROR;
         }
 
-        total += value * scale;
+        value *= scale;
 
-        if ((ngx_uint_t) total > NGX_MAX_INT32_VALUE) {
+        if (total > NGX_MAX_INT_T_VALUE - value) {
             return NGX_ERROR;
         }
 
+        total += value;
+
         value = 0;
 
         while (p < last && *p == ' ') {
@@ -244,9 +253,21 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
         }
     }
 
-    if (valid) {
-        return total + value * (is_sec ? 1 : 1000);
+    if (!valid) {
+        return NGX_ERROR;
     }
 
-    return NGX_ERROR;
+    if (!is_sec) {
+        if (value > NGX_MAX_INT_T_VALUE / 1000) {
+            return NGX_ERROR;
+        }
+
+        value *= 1000;
+    }
+
+    if (total > NGX_MAX_INT_T_VALUE - value) {
+        return NGX_ERROR;
+    }
+
+    return total + value;
 }