git.kaiwu.me - nginx.git/commit

author	Roman Arutyunyan <arut@nginx.com>
	Wed, 26 Feb 2020 12:10:46 +0000 (15:10 +0300)
committer	Roman Arutyunyan <arut@nginx.com>
	Wed, 26 Feb 2020 12:10:46 +0000 (15:10 +0300)
commit	ba27037a498ed3839648d7a4097b01ed14949f18
tree	72edddf6dca00b7140af26d48d41668d9398bf8e	tree \| snapshot
parent	f909a7dc331621a8638ea46056e437b8be1496da	commit \| diff

Mp4: fixed possible chunk offset overflow.

In "co64" atom chunk start offset is a 64-bit unsigned integer.  When trimming
the "mdat" atom, chunk offsets are casted to off_t values which are typically
64-bit signed integers.  A specially crafted mp4 file with huge chunk offsets
may lead to off_t overflow and result in negative trim boundaries.

The consequences of the overflow are:
- Incorrect Content-Length header value in the response.
- Negative left boundary of the response file buffer holding the trimmed "mdat".
  This leads to pread()/sendfile() errors followed by closing the client
  connection.

On rare systems where off_t is a 32-bit integer, this scenario is also feasible
with the "stco" atom.

The fix is to add checks which make sure data chunks referenced by each track
are within the mp4 file boundaries.  Additionally a few more checks are added to
ensure mp4 file consistency and log errors.