Klaus Demo nginx / 58b5516
Mp4: fixed possible pointer overflow on 32-bit platforms. On 32-bit platforms mp4->buffer_pos might overflow when a large enough (close to 4 gigabytes) atom is being skipped, resulting in incorrect memory addesses being read further in the code. In most cases this results in harmless errors being logged, though may also result in a segmentation fault if hitting unmapped pages. To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos up to mp4->buffer_end. This ensures that overflow cannot happen. Maxim Dounin 2 years ago
1 changed file(s) with 8 addition(s) and 1 deletion(s). Raw diff Collapse all Expand all
168168
169169
170170 #define ngx_mp4_atom_next(mp4, n) \
171 mp4->buffer_pos += (size_t) n; \
171 \
172 if (n > (size_t) (mp4->buffer_end - mp4->buffer_pos)) { \
173 mp4->buffer_pos = mp4->buffer_end; \
174 \
175 } else { \
176 mp4->buffer_pos += (size_t) n; \
177 } \
178 \
172179 mp4->offset += n
173180
174181