mirror of
https://github.com/nginx/nginx.git
synced 2024-12-03 21:18:59 +08:00
Mp4: fixed possible pointer overflow on 32-bit platforms.
On 32-bit platforms mp4->buffer_pos might overflow when a large enough (close to 4 gigabytes) atom is being skipped, resulting in incorrect memory addesses being read further in the code. In most cases this results in harmless errors being logged, though may also result in a segmentation fault if hitting unmapped pages. To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos up to mp4->buffer_end. This ensures that overflow cannot happen.
This commit is contained in:
parent
04618d00e0
commit
58b5516129
@ -169,7 +169,14 @@ typedef struct {
|
||||
|
||||
|
||||
#define ngx_mp4_atom_next(mp4, n) \
|
||||
mp4->buffer_pos += (size_t) n; \
|
||||
\
|
||||
if (n > (size_t) (mp4->buffer_end - mp4->buffer_pos)) { \
|
||||
mp4->buffer_pos = mp4->buffer_end; \
|
||||
\
|
||||
} else { \
|
||||
mp4->buffer_pos += (size_t) n; \
|
||||
} \
|
||||
\
|
||||
mp4->offset += n
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user