authorMaxim Dounin <mdounin@mdounin.ru>2018-11-21 20:23:16 +0300
committerMaxim Dounin <mdounin@mdounin.ru>2018-11-21 20:23:16 +0300
commit58b551612935acfa48bd65777ea6a18336a7e5bf (patch)
tree718cc6fd9a2c41ae0871337e2d4abfdc20b9ce25
parent04618d00e0775b78ca3349da54366d7bcb4d1774 (diff)
Mp4: fixed possible pointer overflow on 32-bit platforms.
On 32-bit platforms mp4->buffer_pos might overflow when a large enough (close to 4 gigabytes) atom is being skipped, resulting in incorrect memory addresses being read further in the code. In most cases this results in harmless errors being logged, though it may also result in a segmentation fault if hitting unmapped pages. To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos up to mp4->buffer_end. This ensures that the overflow cannot happen.
-rw-r--r--src/http/modules/ngx_http_mp4_module.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 2a6fafa04..618bf787b 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -169,7 +169,14 @@ typedef struct {
#define ngx_mp4_atom_next(mp4, n) \
- mp4->buffer_pos += (size_t) n; \
+ \
+ if (n > (size_t) (mp4->buffer_end - mp4->buffer_pos)) { \
+ mp4->buffer_pos = mp4->buffer_end; \
+ \
+ } else { \
+ mp4->buffer_pos += (size_t) n; \
+ } \
+ \
mp4->offset += n
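Review bot: The macro argument `n` is now evaluated three times and never parenthesized (`n > (size_t) (...)`, `(size_t) n`, `mp4->offset += n`), and the expansion has become an `if`/`else` followed by a trailing statement, so it is only safe when callers pass a plain variable and always brace the enclosing body; writing `(n)` in all three places costs nothing, and if the project style permits it the expansion could be wrapped as `do { ... } while (0)` or turned into a `static ngx_inline` function so the two statements cannot be split by an unbraced `if`. The cast `(size_t) (mp4->buffer_end - mp4->buffer_pos)` also silently relies on the invariant `buffer_pos <= buffer_end`; since that is exactly the invariant this fix restores, an `ngx_assert`-style check or a comment would make it explicit. After the clamp, `buffer_pos` sits at `buffer_end` while `offset` keeps advancing by the full `n`, so the fix presumably relies on every later access going through the refill path (`ngx_http_mp4_read()`, outside this hunk) that rereads from `mp4->offset` rather than from the stale buffer position — worth stating on the macro, e.g. `/* clamp to buffer_end; the next ngx_http_mp4_read() refills from mp4->offset */`, so nobody later adds a direct `buffer_pos` read after a skip. The surrounding `typedef struct` named in the hunk header is outside the hunk.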