Welcome! Log In Create A New Profile

Advanced

[njs] Fixed integer-overflow in Date() constructor.

Previous Message Next Message
Forum List Message List New Topic Print View
Dmitry Volyntsev
March 02, 2020 06:52AM
details: https://hg.nginx.org/njs/rev/36208bd2362f
branches:
changeset: 1343:36208bd2362f
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Fri Feb 28 19:39:13 2020 +0300
description:
Fixed integer-overflow in Date() constructor.

Found by UndefinedBehaviorSanitizer.

diffstat:

src/njs_date.c | 17 +++++++++++------
src/test/njs_unit_test.c | 18 ++++++++++++++++++
2 files changed, 29 insertions(+), 6 deletions(-)

diffs (73 lines):

diff -r 3f094214cd64 -r 36208bd2362f src/njs_date.c
--- a/src/njs_date.c Fri Feb 28 18:56:24 2020 +0300
+++ b/src/njs_date.c Fri Feb 28 19:39:13 2020 +0300
@@ -118,14 +118,19 @@ njs_days_from_year(int64_t y)
}


-njs_inline int64_t
+njs_inline double
njs_make_day(int64_t yr, int64_t month, int64_t date)
{
- int64_t i, ym, mn, md, days;
+ double days;
+ int64_t i, ym, mn, md;

static const int month_days[] = { 31, 28, 31, 30, 31, 30,
31, 31, 30, 31, 30, 31 };

+ if (yr < -271822 || yr > 275761) {
+ return NAN;
+ }
+
mn = njs_mod(month, 12);
ym = yr + (month - mn) / 12;

@@ -228,15 +233,15 @@ njs_year_from_days(int64_t *days)
njs_inline double
njs_make_date(int64_t tm[], njs_bool_t local)
{
- int64_t days, time;
+ double time, days;

days = njs_make_day(tm[NJS_DATE_YR], tm[NJS_DATE_MON],
tm[NJS_DATE_DAY]);

- time = ((tm[NJS_DATE_HR] * 60 + tm[NJS_DATE_MIN]) * 60
- + tm[NJS_DATE_SEC]) * 1000 + tm[NJS_DATE_MSEC];
+ time = ((tm[NJS_DATE_HR] * 60.0 + tm[NJS_DATE_MIN]) * 60.0
+ + tm[NJS_DATE_SEC]) * 1000.0 + tm[NJS_DATE_MSEC];

- time += days * 86400000;
+ time += days * 86400000.0;

if (local) {
time += njs_tz_offset(time) * 60000;
diff -r 3f094214cd64 -r 36208bd2362f src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Fri Feb 28 18:56:24 2020 +0300
+++ b/src/test/njs_unit_test.c Fri Feb 28 19:39:13 2020 +0300
@@ -13270,6 +13270,24 @@ static njs_unit_test_t njs_test[] =
{ njs_str("new Date(8.65e15)"),
njs_str("Invalid Date") },

+ { njs_str("var d = new Date(1308895200000); new Date(d.getTime(), d.getTime())"),
+ njs_str("Invalid Date") },
+
+ { njs_str("new Date(275760, 1, 2**61)"),
+ njs_str("Invalid Date") },
+
+ { njs_str("new Date(275760, 1, 1, 2**61)"),
+ njs_str("Invalid Date") },
+
+ { njs_str("new Date(275760, 1, 1, 1, 2**61)"),
+ njs_str("Invalid Date") },
+
+ { njs_str("new Date(275760, 1, 1, 1, 1, 2**61)"),
+ njs_str("Invalid Date") },
+
+ { njs_str("new Date(275760, 1, 1, 1, 1, 1, 2**61)"),
+ njs_str("Invalid Date") },
+
{ njs_str("njs.dump([new Date(8.65e15)])"),
njs_str("[Invalid Date]") },

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

[njs] Fixed integer-overflow in Date() constructor.

Dmitry Volyntsev 312 March 02, 2020 06:52AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 266
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready