Mp4: rejecting unordered chunks in stsc atom.

Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() this caused buffer overread while trying to calculate trak->end_offset.
author: Roman Arutyunyan <arut@nginx.com> 2024-08-12 18:20:45 +0400
committer: Roman Arutyunyan <arut@nginx.com> 2024-08-12 18:20:45 +0400
commit: 88955b1044ef38315b77ad1a509d63631a790a0f (patch)
tree: 7c6ac680df46e5f70bb235c213868c6e4832be22 /src
parent: 7362d01658b61184108c21278443910da68f93b4 (diff)
download: nginx-88955b1044ef38315b77ad1a509d63631a790a0f.tar.gz
nginx-88955b1044ef38315b77ad1a509d63631a790a0f.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 1cd017c27..041ad263b 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
 
         next_chunk = ngx_mp4_get_32value(entry->chunk);
 
+        if (next_chunk < chunk) {
+            ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                          "unordered mp4 stsc chunks in \"%s\"",
+                          mp4->file.name.data);
+            return NGX_ERROR;
+        }
+
         ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
                        "sample:%uD, chunk:%uD, chunks:%uD, "
                        "samples:%uD, id:%uD",
author	Roman Arutyunyan <arut@nginx.com>	2024-08-12 18:20:45 +0400
committer	Roman Arutyunyan <arut@nginx.com>	2024-08-12 18:20:45 +0400
commit	88955b1044ef38315b77ad1a509d63631a790a0f (patch)
tree	7c6ac680df46e5f70bb235c213868c6e4832be22 /src
parent	7362d01658b61184108c21278443910da68f93b4 (diff)
download	nginx-88955b1044ef38315b77ad1a509d63631a790a0f.tar.gz nginx-88955b1044ef38315b77ad1a509d63631a790a0f.zip