Potential null dereference in ngx_time.c

Open leeriorio opened this issue 1 year ago • 3 comments

In results of static analyze of nginx sources I founded potential null dereference

https://github.com/nginx/nginx/blob/00637cce366f17b78fe1ed5c1ef0e534143045f6/src/os/unix/ngx_time.c#L48-L50

localtime() function potentially can return NULL value, which will dereference in strftime(). How about to add check for this case?

Sep 12 '24 12:09 leeriorio

According to glibc source, this can only happen if there's an overflow in the year field: year - 1900 is out of 32-bit. While it makes no sense, this should be fixed anyway. Thanks for finding this,

Sep 12 '24 16:09 arut