details: https://github.com/nginx/nginx/commit/6ec099a3786f2ddbe007009d5526ff2ec9316d23
branches: master
commit: 6ec099a3786f2ddbe007009d5526ff2ec9316d23
user: Roman Arutyunyan <arut@nginx.com>
date: Mon, 23 Sep 2024 15:51:30 +0400
description:
Mp4: fixed handling an empty run of chunks in stsc atom.
A specially crafted mp4 file with an empty run of chunks in the stsc atom
and a large value for samples per chunk for that run, combined with a
specially crafted request, allowed to store that large value in prev_samples
and later in trak->end_chunk_samples while in ngx_http_mp4_crop_stsc_data().
Later in ngx_http_mp4_update_stsz_atom() this could result in buffer
overread while calculating trak->end_chunk_samples_size.
Now the value of samples per chunk specified for an empty run is ignored.
---
src/http/modules/ngx_http_mp4_module.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 041ad263b..2ca059136 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -3176,7 +3176,10 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
start_sample -= n;
- prev_samples = samples;
+ if (next_chunk > chunk) {
+ prev_samples = samples;
+ }
+
chunk = next_chunk;
samples = ngx_mp4_get_32value(entry->samples);
id = ngx_mp4_get_32value(entry->id);
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel