details: https://hg.nginx.org/nginx/rev/f32027d744ba
branches:
changeset: 9277:f32027d744ba
user: Roman Arutyunyan <a...@nginx.com>
date: Mon Aug 12 18:20:45 2024 +0400
description:
Mp4: rejecting unordered chunks in stsc atom.
Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom()
this caused buffer overread while trying to calculate trak->end_offset.
diffstat:
src/http/modules/ngx_http_mp4_module.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diffs (17 lines):
diff -r f88c253ac8b3 -r f32027d744ba src/http/modules/ngx_http_mp4_module.c
--- a/src/http/modules/ngx_http_mp4_module.c Mon Aug 12 18:20:43 2024 +0400
+++ b/src/http/modules/ngx_http_mp4_module.c Mon Aug 12 18:20:45 2024 +0400
@@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4
next_chunk = ngx_mp4_get_32value(entry->chunk);
+ if (next_chunk < chunk) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "unordered mp4 stsc chunks in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
"sample:%uD, chunk:%uD, chunks:%uD, "
"samples:%uD, id:%uD",
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
