Mp4: rejecting unordered chunks in stsc atom.

Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() this caused buffer overread while trying to calculate trak->end_offset.
author: Roman Arutyunyan <arut@nginx.com> 2024-08-12 18:20:45 +0400
committer: Roman Arutyunyan <arut@nginx.com> 2024-08-12 18:20:45 +0400
commit: 2262362fd31eee3e74eb6abe4451ad6ab51e3643 (patch)
tree: 082e8e68365c52d8cf52579f2300b1da6839a5d1
parent: 3dc0fba5adec4c033eed76976f7275f2af7d5ddd (diff)
download: nginx-2262362fd31eee3e74eb6abe4451ad6ab51e3643.tar.gz
nginx-2262362fd31eee3e74eb6abe4451ad6ab51e3643.tar.bz2
1 files changed, 7 insertions, 0 deletions
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 1cd017c27..041ad263b 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
 
         next_chunk = ngx_mp4_get_32value(entry->chunk);
 
+        if (next_chunk < chunk) {
+            ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                          "unordered mp4 stsc chunks in \"%s\"",
+                          mp4->file.name.data);
+            return NGX_ERROR;
+        }
+
         ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
                        "sample:%uD, chunk:%uD, chunks:%uD, "
                        "samples:%uD, id:%uD",
author	Roman Arutyunyan <arut@nginx.com>	2024-08-12 18:20:45 +0400
committer	Roman Arutyunyan <arut@nginx.com>	2024-08-12 18:20:45 +0400
commit	2262362fd31eee3e74eb6abe4451ad6ab51e3643 (patch)
tree	082e8e68365c52d8cf52579f2300b1da6839a5d1
parent	3dc0fba5adec4c033eed76976f7275f2af7d5ddd (diff)
download	nginx-2262362fd31eee3e74eb6abe4451ad6ab51e3643.tar.gz nginx-2262362fd31eee3e74eb6abe4451ad6ab51e3643.tar.bz2