nginx.git, branch release-1.26.2 nginx nginx-1.26.2-RELEASE 2024-08-12T14:25:45+00:00 Sergey Kandaurov pluknet@nginx.com 2024-08-12T14:25:45+00:00 37fe98355461d2f03d73e6a8e82ac4e4cd85d711 






Updated OpenSSL used for win32 builds.
2024-08-12T14:20:49+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-08-12T14:20:49+00:00

6da478eacdf77653b138ce6f6317091981ef237d












Mp4: rejecting unordered chunks in stsc atom.
2024-08-12T14:20:45+00:00

Roman Arutyunyan
arut@nginx.com

2024-08-12T14:20:45+00:00

2262362fd31eee3e74eb6abe4451ad6ab51e3643

Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
in ngx_http_mp4_crop_stsc_data().  Later in ngx_http_mp4_update_stco_atom()
this caused buffer overread while trying to calculate trak->end_offset.





Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
in ngx_http_mp4_crop_stsc_data().  Later in ngx_http_mp4_update_stco_atom()
this caused buffer overread while trying to calculate trak->end_offset.







Mp4: fixed buffer underread while updating stsz atom.
2024-08-12T14:20:43+00:00

Roman Arutyunyan
arut@nginx.com

2024-08-12T14:20:43+00:00

3dc0fba5adec4c033eed76976f7275f2af7d5ddd

While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer
overflow could happen, which could result in incorrect seeking and a very large
value stored in "samples".  This resulted in a large invalid value of
trak->end_chunk_samples.  This value is further used to calculate the value of
trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom().  While doing
this, a large invalid value of trak->end_chunk_samples could result in reading
memory before stsz atom start.  This could potentially result in a segfault.





While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer
overflow could happen, which could result in incorrect seeking and a very large
value stored in "samples".  This resulted in a large invalid value of
trak->end_chunk_samples.  This value is further used to calculate the value of
trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom().  While doing
this, a large invalid value of trak->end_chunk_samples could result in reading
memory before stsz atom start.  This could potentially result in a segfault.







Typo fixed.
2024-08-09T15:12:23+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-08-09T15:12:23+00:00

e1daadc3883ad94e0c450ad46e8f11ad5539dcfc












Version bump.
2024-08-12T14:21:52+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-08-12T14:21:52+00:00

ddd5b9c5318d00b17f4d01bb3be1839f39fa6db0












release-1.26.1 tag
2024-05-28T13:28:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-05-28T13:28:07+00:00

46222c0ab3d7540202305d930b151ce1f780a6fb












nginx-1.26.1-RELEASE
2024-05-28T13:26:54+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-05-28T13:26:54+00:00

02725ce722bc7b34fa307d611eac3956ef744efa












HTTP/3: fixed handling of zero-length literal field line.
2024-05-28T13:20:45+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-05-28T13:20:45+00:00

ffed470390784524800ca38dd415c2d71442c6c2

Previously, st->value was passed with NULL data pointer to header handlers.





Previously, st->value was passed with NULL data pointer to header handlers.







QUIC: ngx_quic_buffer_t use-after-free protection.
2024-05-28T13:19:21+00:00

Roman Arutyunyan
arut@nginx.com

2024-05-28T13:19:21+00:00

0e7702e06655e3b439be8fbcd57bc91539912c2f

Previously the last chain field of ngx_quic_buffer_t could still reference freed
chains and buffers after calling ngx_quic_free_buffer().  While normally an
ngx_quic_buffer_t object should not be used after freeing, resetting last_chain
field would prevent a potential use-after-free.





Previously the last chain field of ngx_quic_buffer_t could still reference freed
chains and buffers after calling ngx_quic_free_buffer().  While normally an
ngx_quic_buffer_t object should not be used after freeing, resetting last_chain
field would prevent a potential use-after-free.