diff options
| author | Roman Arutyunyan <arut@nginx.com> | 2024-09-23 15:51:30 +0400 |
|---|---|---|
| committer | Roman Arutyunyan <arutyunyan.roman@gmail.com> | 2024-11-21 16:08:48 +0400 |
| commit | 6ec099a3786f2ddbe007009d5526ff2ec9316d23 (patch) | |
| tree | 9414252ea150320a0be09c6926c25fdbcdd4f418 /src | |
| parent | cb1857407bec54804191cfc5ac8173df44f0c661 (diff) | |
| download | nginx-6ec099a3786f2ddbe007009d5526ff2ec9316d23.tar.gz nginx-6ec099a3786f2ddbe007009d5526ff2ec9316d23.zip | |
Mp4: fixed handling an empty run of chunks in stsc atom.
A specially crafted mp4 file with an empty run of chunks in the stsc atom
and a large value for samples per chunk for that run, combined with a
specially crafted request, allowed to store that large value in prev_samples
and later in trak->end_chunk_samples while in ngx_http_mp4_crop_stsc_data().
Later in ngx_http_mp4_update_stsz_atom() this could result in buffer
overread while calculating trak->end_chunk_samples_size.
Now the value of samples per chunk specified for an empty run is ignored.
Diffstat (limited to 'src')
| -rw-r--r-- | src/http/modules/ngx_http_mp4_module.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c index 041ad263b..2ca059136 100644 --- a/src/http/modules/ngx_http_mp4_module.c +++ b/src/http/modules/ngx_http_mp4_module.c @@ -3176,7 +3176,10 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, start_sample -= n; - prev_samples = samples; + if (next_chunk > chunk) { + prev_samples = samples; + } + chunk = next_chunk; samples = ngx_mp4_get_32value(entry->samples); id = ngx_mp4_get_32value(entry->id); |