Fixed integer overflow in Date.parse().

Found by OSS-Fuzz and UndefinedSanitizer.
nginx · Jun 10, 2024 · 5ab2598 · 5ab2598
1 parent 9ade27b
commit 5ab2598
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 7 deletions.
diff --git a/src/njs_date.c b/src/njs_date.c
@@ -676,8 +676,10 @@ njs_date_string_parse(njs_value_t *date)
             }
         }
 
-        p = njs_date_number_parse(&tm[NJS_DATE_MSEC], p, end, ms_length);
-        if (njs_slow_path(p == NULL)) {
+        if (njs_slow_path(njs_date_number_parse(&tm[NJS_DATE_MSEC], p, end,
+                                                njs_min(ms_length, 3))
+                          == NULL))
+        {
             return NAN;
         }
 
@@ -686,13 +688,10 @@ njs_date_string_parse(njs_value_t *date)
 
         } else if (ms_length == 2) {
             tm[NJS_DATE_MSEC] *= 10;
-
-        } else if (ms_length >= 4) {
-            for (ms_length -= 3; ms_length > 0; ms_length--) {
-                tm[NJS_DATE_MSEC] /= 10;
-            }
         }
 
+        p += ms_length;
+
         if (p < end) {
             utc_off = njs_date_utc_offset_parse(p, end);
             if (njs_slow_path(utc_off == -1)) {

diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
@@ -16285,6 +16285,12 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("Date.parse('2011-06-24T06:01:02.6255555Z')"),
       njs_str("1308895262625") },
 
+    { njs_str("Date.parse('2011-06-24T06:01:02.625555555Z')"),
+      njs_str("1308895262625") },
+
+    { njs_str("Date.parse('2011-06-24T06:01:02.62555555599999Z')"),
+      njs_str("1308895262625") },
+
     { njs_str("Date.parse('2011-06-24T06:01:02.625555Z5')"),
       njs_str("NaN") },