diff options
| author | Roman Arutyunyan <arut@nginx.com> | 2024-10-02 16:22:15 +0400 |
|---|---|---|
| committer | Roman Arutyunyan <arutyunyan.roman@gmail.com> | 2024-11-21 16:08:48 +0400 |
| commit | d1a02451c3c5767b5d0f23e138db98a9f7801335 (patch) | |
| tree | 4b6218d4215307d82b1f3ea57a495811669da38e | |
| parent | 6ec099a3786f2ddbe007009d5526ff2ec9316d23 (diff) | |
| download | nginx-d1a02451c3c5767b5d0f23e138db98a9f7801335.tar.gz nginx-d1a02451c3c5767b5d0f23e138db98a9f7801335.zip | |
Mp4: unordered stsc chunks error for the final chunk.
Currently an error is triggered if any of the chunk runs in stsc are
unordered. This however does not include the final chunk run, which
ends with trak->chunks + 1. The previous chunk index can be larger
leading to a 32-bit overflow. This could allow to skip the validity
check "if (start_sample > n)". This could later lead to a large
trak->start_chunk/trak->end_chunk, which would be caught later in
ngx_http_mp4_update_stco_atom() or ngx_http_mp4_update_co64_atom().
While there are no implications of the validity check being avoided,
the change still adds a check to ensure the final chunk run is ordered,
to produce a meaningful error and avoid a potential integer overflow.
| -rw-r--r-- | src/http/modules/ngx_http_mp4_module.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c index 2ca059136..49b0999cf 100644 --- a/src/http/modules/ngx_http_mp4_module.c +++ b/src/http/modules/ngx_http_mp4_module.c @@ -3189,6 +3189,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, next_chunk = trak->chunks + 1; + if (next_chunk < chunk) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "unordered mp4 stsc chunks in \"%s\"", + mp4->file.name.data); + return NGX_ERROR; + } + ngx_log_debug4(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD", start_sample, chunk, next_chunk - chunk, samples); |