mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-11-23 20:19:02 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Mp4: fixed handling an empty run of chunks in stsc atom.

Browse Source 
A specially crafted mp4 file with an empty run of chunks in the stsc atom
and a large value for samples per chunk for that run, combined with a
specially crafted request, allowed to store that large value in prev_samples
and later in trak->end_chunk_samples while in ngx_http_mp4_crop_stsc_data().
Later in ngx_http_mp4_update_stsz_atom() this could result in buffer
overread while calculating trak->end_chunk_samples_size.

Now the value of samples per chunk specified for an empty run is ignored.
This commit is contained in:
Roman Arutyunyan 2024-09-23 15:51:30 +04:00 committed by Roman Arutyunyan
parent cb1857407b
commit 6ec099a378
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/http/modules/ngx_http_mp4_module.c
View File

@ -3176,7 +3176,10 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
start_sample -= n; start_sample -= n;
prev_samples = samples; if (next_chunk > chunk) {
prev_samples = samples;
}
chunk = next_chunk; chunk = next_chunk;
samples = ngx_mp4_get_32value(entry->samples); samples = ngx_mp4_get_32value(entry->samples);
id = ngx_mp4_get_32value(entry->id); id = ngx_mp4_get_32value(entry->id);