Commit f5708e66c7187c2489a7d0b39918f6d0fe4c6645 - nginx

Mp4: fixed possible pointer overflow on 32-bit platforms. On 32-bit platforms mp4->buffer_pos might overflow when a large enough (close to 4 gigabytes) atom is being skipped, resulting in incorrect memory addesses being read further in the code. In most cases this results in harmless errors being logged, though may also result in a segmentation fault if hitting unmapped pages. To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos up to mp4->buffer_end. This ensures that overflow cannot happen. Maxim Dounin 3 years ago

1 changed file(s) with 8 addition(s) and 1 deletion(s). Raw diff Collapse all Expand all

-1

src/http/modules/ngx_http_mp4_module.c less more

168	168
169	169
170	170	#define ngx_mp4_atom_next(mp4, n) \
171		mp4->buffer_pos += (size_t) n; \
	171	\
	172	if (n > (size_t) (mp4->buffer_end - mp4->buffer_pos)) { \
	173	mp4->buffer_pos = mp4->buffer_end; \
	174	\
	175	} else { \
	176	mp4->buffer_pos += (size_t) n; \
	177	} \
	178	\
172	179	mp4->offset += n
173	180
174	181