[njs] Fixed integer overflow in Date.parse().

Anonymous User
June 10, 2024 06:58PM
details: https://hg.nginx.org/njs/rev/ae4f50f7b7b3
branches:
changeset: 2355:ae4f50f7b7b3
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Fri Jun 07 22:58:53 2024 -0700
description:
Fixed integer overflow in Date.parse().

Found by OSS-Fuzz and UndefinedSanitizer.

diffstat:

src/njs_date.c | 13 ++++++-------
src/test/njs_unit_test.c | 6 ++++++
2 files changed, 12 insertions(+), 7 deletions(-)

diffs (47 lines):

diff -r 81ff15b57343 -r ae4f50f7b7b3 src/njs_date.c
--- a/src/njs_date.c Fri Jun 07 21:46:30 2024 -0700
+++ b/src/njs_date.c Fri Jun 07 22:58:53 2024 -0700
@@ -676,8 +676,10 @@ njs_date_string_parse(njs_value_t *date)
}
}

- p = njs_date_number_parse(&tm[NJS_DATE_MSEC], p, end, ms_length);
- if (njs_slow_path(p == NULL)) {
+ if (njs_slow_path(njs_date_number_parse(&tm[NJS_DATE_MSEC], p, end,
+ njs_min(ms_length, 3))
+ == NULL))
+ {
return NAN;
}

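Review bot: in the new call only the first `njs_min(ms_length, 3)` digits go through `njs_date_number_parse()`, and its return value is no longer stored in `p`, so nothing in this hunk validates the fractional digits beyond the third. If `ms_length` is computed earlier by counting digit characters only, a short comment saying so would make it clear that the unparsed tail is safe to skip. The condition split over three lines with `== NULL))` on its own line is also hard to read; keeping the result in a local pointer and testing that would be easier to follow.
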
@@ -686,12 +688,9 @@ njs_date_string_parse(njs_value_t *date)

} else if (ms_length == 2) {
tm[NJS_DATE_MSEC] *= 10;
+ }

- } else if (ms_length >= 4) {
- for (ms_length -= 3; ms_length > 0; ms_length--) {
- tm[NJS_DATE_MSEC] /= 10;
- }
- }
+ p += ms_length;

if (p < end) {
utc_off = njs_date_utc_offset_parse(p, end);
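
Review bot: `p += ms_length;` now does the advancing that the return value of `njs_date_number_parse()` used to do, and it relies on `ms_length` never exceeding `end - p`, which is not visible in this hunk. The `if (p < end)` check that follows is only meaningful if that holds, so a comment or a debug assertion stating the invariant next to the addition would help. A brief comment that fractional digits past the third are truncated rather than rounded would also document the behaviour the removed `/= 10` loop used to express.
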
diff -r 81ff15b57343 -r ae4f50f7b7b3 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Fri Jun 07 21:46:30 2024 -0700
+++ b/src/test/njs_unit_test.c Fri Jun 07 22:58:53 2024 -0700
@@ -16285,6 +16285,12 @@ static njs_unit_test_t njs_test[] =
{ njs_str("Date.parse('2011-06-24T06:01:02.6255555Z')"),
njs_str("1308895262625") },

+ { njs_str("Date.parse('2011-06-24T06:01:02.625555555Z')"),
+ njs_str("1308895262625") },
+
+ { njs_str("Date.parse('2011-06-24T06:01:02.62555555599999Z')"),
+ njs_str("1308895262625") },
+
{ njs_str("Date.parse('2011-06-24T06:01:02.625555Z5')"),
njs_str("NaN") },

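Review bot: both added cases end in `Z`, so the path where `p += ms_length` is followed by `njs_date_utc_offset_parse()` is not exercised with a long fraction. Consider adding a case with more than three fractional digits followed by a numeric UTC offset, and one with a non-digit inside the fraction after the third digit, to pin down what is returned for each.
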
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel