mirror of
https://github.com/nginx/nginx.git
synced 2024-12-04 22:09:01 +08:00
Mp4: fixed possible pointer overflow on 32-bit platforms.
On 32-bit platforms mp4->buffer_pos might overflow when a large enough (close to 4 gigabytes) atom is being skipped, resulting in incorrect memory addesses being read further in the code. In most cases this results in harmless errors being logged, though may also result in a segmentation fault if hitting unmapped pages. To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos up to mp4->buffer_end. This ensures that overflow cannot happen.
This commit is contained in:
parent
04618d00e0
commit
58b5516129
@ -169,7 +169,14 @@ typedef struct {
|
|||||||
|
|
||||||
|
|
||||||
#define ngx_mp4_atom_next(mp4, n) \
|
#define ngx_mp4_atom_next(mp4, n) \
|
||||||
|
\
|
||||||
|
if (n > (size_t) (mp4->buffer_end - mp4->buffer_pos)) { \
|
||||||
|
mp4->buffer_pos = mp4->buffer_end; \
|
||||||
|
\
|
||||||
|
} else { \
|
||||||
mp4->buffer_pos += (size_t) n; \
|
mp4->buffer_pos += (size_t) n; \
|
||||||
|
} \
|
||||||
|
\
|
||||||
mp4->offset += n
|
mp4->offset += n
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user