From 5ab25988c13a2fc5a970b72ab6fdf636a2980533 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Fri, 7 Jun 2024 22:58:53 -0700
Subject: [PATCH] Fixed integer overflow in Date.parse().

Found by OSS-Fuzz and UndefinedSanitizer.
---
 src/njs_date.c | 13 ++++++-------
 src/test/njs_unit_test.c | 6 ++++++
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/njs_date.c b/src/njs_date.c
index 49ac3fc09..cd10abd57 100644
--- a/src/njs_date.c
+++ b/src/njs_date.c
@@ -676,8 +676,10 @@ njs_date_string_parse(njs_value_t *date)
         }
     }
 
-    p = njs_date_number_parse(&tm[NJS_DATE_MSEC], p, end, ms_length);
-    if (njs_slow_path(p == NULL)) {
+    if (njs_slow_path(njs_date_number_parse(&tm[NJS_DATE_MSEC], p, end,
+                                            njs_min(ms_length, 3))
+                      == NULL))
+    {
         return NAN;
     }
 
@@ -686,13 +688,10 @@ njs_date_string_parse(njs_value_t *date)
 
     } else if (ms_length == 2) {
         tm[NJS_DATE_MSEC] *= 10;
-
-    } else if (ms_length >= 4) {
-        for (ms_length -= 3; ms_length > 0; ms_length--) {
-            tm[NJS_DATE_MSEC] /= 10;
-        }
     }
 
+    p += ms_length;
+
     if (p < end) {
         utc_off = njs_date_utc_offset_parse(p, end);
         if (njs_slow_path(utc_off == -1)) {
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index c4b23c1dd..130fad825 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -16285,6 +16285,12 @@ static njs_unit_test_t njs_test[] =
     { njs_str("Date.parse('2011-06-24T06:01:02.6255555Z')"),
       njs_str("1308895262625") },
 
+    { njs_str("Date.parse('2011-06-24T06:01:02.625555555Z')"),
+      njs_str("1308895262625") },
+
+    { njs_str("Date.parse('2011-06-24T06:01:02.62555555599999Z')"),
+      njs_str("1308895262625") },
+
     { njs_str("Date.parse('2011-06-24T06:01:02.625555Z5')"),
       njs_str("NaN") },
 
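Review bot: The return value of njs_date_number_parse() is now discarded, so the cursor is no longer advanced at this site; the code relies on `p += ms_length;` in the second hunk of the same function to skip the digit run, and nothing here says so. A one-line comment above the `if`, `/* Only the first three digits are significant; p is advanced past the whole run below. */`, would tie the two sites together, and the literal 3 inside njs_min() reads as a magic number that could be a named constant next to the other date constants in the file. The behaviour for ms_length == 0 (a '.' followed by no digits) is unchanged by the patch but depends on how ms_length is counted above this hunk, which is outside this view. njs_date_string_parse() starts before and ends after this hunk.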
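Review bot: `p += ms_length;` assumes ms_length is exactly the length of the digit run that starts at p, a count made earlier in the function and not visible in this hunk. If that invariant holds, the following `if (p < end)` is sound; if ms_length could ever exceed end - p, the increment would form a pointer beyond one-past-the-end before the comparison runs, which is undefined behaviour rather than a safe "not less than end" result. A comment at the increment, `/* ms_length is the digit run counted from p, so p cannot pass end here */`, or an njs-style assertion if the project has one, would make the invariant explicit for the next reader. The enclosing function continues past the end of the hunk.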
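Review bot: Both added cases end in 'Z' and expect the same value as the existing 7-digit case, so they confirm that extra fraction digits are truncated but not that the cursor is moved past every extra digit before the offset is parsed. A long fraction followed by a numeric offset, e.g. `Date.parse('2011-06-24T06:01:02.625555555+01:00')` expecting `1308891662625`, would catch a misplaced cursor, assuming njs_date_utc_offset_parse() accepts that form. A case with exactly four fractional digits, the boundary the removed `ms_length >= 4` branch used to handle, would also be worth pinning if it is not already present elsewhere in the table.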