[njs] Fixed integer overflow in Date.parse().
noreply at nginx.com
noreply at nginx.com
Mon Jun 10 22:57:04 UTC 2024
details: https://hg.nginx.org/njs/rev/ae4f50f7b7b3
branches:
changeset: 2355:ae4f50f7b7b3
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Fri Jun 07 22:58:53 2024 -0700
description:
Fixed integer overflow in Date.parse().
Found by OSS-Fuzz and UndefinedSanitizer.
diffstat:
src/njs_date.c | 13 ++++++-------
src/test/njs_unit_test.c | 6 ++++++
2 files changed, 12 insertions(+), 7 deletions(-)
diffs (47 lines):
diff -r 81ff15b57343 -r ae4f50f7b7b3 src/njs_date.c
--- a/src/njs_date.c Fri Jun 07 21:46:30 2024 -0700
+++ b/src/njs_date.c Fri Jun 07 22:58:53 2024 -0700
@@ -676,8 +676,10 @@ njs_date_string_parse(njs_value_t *date)
}
}
- p = njs_date_number_parse(&tm[NJS_DATE_MSEC], p, end, ms_length);
- if (njs_slow_path(p == NULL)) {
+ if (njs_slow_path(njs_date_number_parse(&tm[NJS_DATE_MSEC], p, end,
+ njs_min(ms_length, 3))
+ == NULL))
+ {
return NAN;
}
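Review bot: The literal `3` in `njs_min(ms_length, 3)` is unexplained at the call site, and it is the line that fixes the overflow by bounding how many fraction digits are accumulated into `tm[NJS_DATE_MSEC]`. A short comment above the call would keep a later cleanup from reintroducing the unbounded parse, for example `/* Keep millisecond precision only: parse at most 3 fraction digits; the rest are truncated (not rounded) and skipped below. */`. The truncation wording matches the tests in this commit, where `.6255555` yields `625`. njs_date_string_parse begins and ends outside this hunk.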
@@ -686,12 +688,9 @@ njs_date_string_parse(njs_value_t *date)
} else if (ms_length == 2) {
tm[NJS_DATE_MSEC] *= 10;
+ }
- } else if (ms_length >= 4) {
- for (ms_length -= 3; ms_length > 0; ms_length--) {
- tm[NJS_DATE_MSEC] /= 10;
- }
- }
+ p += ms_length;
if (p < end) {
utc_off = njs_date_utc_offset_parse(p, end);
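Review bot: `p += ms_length` now steps over bytes that `njs_date_number_parse()` never examined when `ms_length > 3`, so the bounds and digit checks for them depend entirely on how `ms_length` was computed before this hunk. That computation is not visible here; presumably it counts consecutive ASCII digits inside `[p, end)`, in which case `p` cannot pass `end` and no non-digit is skipped. I would state that invariant next to the advance, e.g. `/* ms_length counts only digits in [p, end), so p <= end here. */`. For `ms_length <= 3` this also assumes the parser previously returned exactly `p + ms_length`, which is worth confirming against its definition.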
diff -r 81ff15b57343 -r ae4f50f7b7b3 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Fri Jun 07 21:46:30 2024 -0700
+++ b/src/test/njs_unit_test.c Fri Jun 07 22:58:53 2024 -0700
@@ -16285,6 +16285,12 @@ static njs_unit_test_t njs_test[] =
{ njs_str("Date.parse('2011-06-24T06:01:02.6255555Z')"),
njs_str("1308895262625") },
+ { njs_str("Date.parse('2011-06-24T06:01:02.625555555Z')"),
+ njs_str("1308895262625") },
+
+ { njs_str("Date.parse('2011-06-24T06:01:02.62555555599999Z')"),
+ njs_str("1308895262625") },
+
{ njs_str("Date.parse('2011-06-24T06:01:02.625555Z5')"),
njs_str("NaN") },
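Review bot: Both added cases end the fraction with `Z`, so the new `p += ms_length` advance is never followed by a numeric UTC offset in these tests. A case such as `Date.parse('2011-06-24T06:01:02.625555555+01:00')` would check that the pointer lands exactly on the offset before `njs_date_utc_offset_parse()` runs; the expected value should be derived from the existing offset tests in this table rather than taken from this note. A fraction much longer than 14 digits would also pin the overflow fix independently of the accumulator width, which is not visible in this diff.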