diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2018-11-21 20:23:16 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2018-11-21 20:23:16 +0300 |
| commit | f5708e66c7187c2489a7d0b39918f6d0fe4c6645 (patch) | |
| tree | 786f8e45897d9afae68a09a0debb52d9a7ee4402 /src/http/modules/ngx_http_mp4_module.c | |
| parent | aedc37fb3e7fb4550c17c4ec7aed3d33c73aab43 (diff) | |
| download | nginx-f5708e66c7187c2489a7d0b39918f6d0fe4c6645.tar.gz nginx-f5708e66c7187c2489a7d0b39918f6d0fe4c6645.zip | |
Mp4: fixed possible pointer overflow on 32-bit platforms.
On 32-bit platforms mp4->buffer_pos might overflow when a large
enough (close to 4 gigabytes) atom is being skipped, resulting in
incorrect memory addesses being read further in the code. In most
cases this results in harmless errors being logged, though may also
result in a segmentation fault if hitting unmapped pages.
To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos
up to mp4->buffer_end. This ensures that overflow cannot happen.
Diffstat (limited to 'src/http/modules/ngx_http_mp4_module.c')
| -rw-r--r-- | src/http/modules/ngx_http_mp4_module.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c index 2a6fafa04..618bf787b 100644 --- a/src/http/modules/ngx_http_mp4_module.c +++ b/src/http/modules/ngx_http_mp4_module.c @@ -169,7 +169,14 @@ typedef struct { #define ngx_mp4_atom_next(mp4, n) \ - mp4->buffer_pos += (size_t) n; \ + \ + if (n > (size_t) (mp4->buffer_end - mp4->buffer_pos)) { \ + mp4->buffer_pos = mp4->buffer_end; \ + \ + } else { \ + mp4->buffer_pos += (size_t) n; \ + } \ + \ mp4->offset += n |