authorRoman Arutyunyan <arut@nginx.com>2018-11-06 16:29:18 +0300
committerRoman Arutyunyan <arut@nginx.com>2018-11-06 16:29:18 +0300
commit9cd9526ba68a3dcfc763a3f7693ccb4f48e855fb (patch)
tree4880e4702511729b6706e93162b82567578767c7 /src/http/modules/ngx_http_mp4_module.c
parentb66ee453cc6bc1832c3f056c9a46240bd390617c (diff)
Mp4: fixed reading 64-bit atoms.
Previously there was no validation for the size of a 64-bit atom in an mp4 file. This could lead to a CPU hog when the size is 0, or various other problems due to integer underflow when calculating atom data size, including segmentation fault or worker process memory disclosure.
Diffstat (limited to 'src/http/modules/ngx_http_mp4_module.c')
-rw-r--r--src/http/modules/ngx_http_mp4_module.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 08a68d07b..2a6fafa04 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -942,6 +942,13 @@ ngx_http_mp4_read_atom(ngx_http_mp4_file_t *mp4,
atom_size = ngx_mp4_get_64value(atom_header + 8);
atom_header_size = sizeof(ngx_mp4_atom_header64_t);
+ if (atom_size < sizeof(ngx_mp4_atom_header64_t)) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 atom is too small:%uL",
+ mp4->file.name.data, atom_size);
+ return NGX_ERROR;
+ }
+
} else {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 atom is too small:%uL",
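Review bot: The error message in the added check is byte-identical to the one in the `else` branch just below it, so the error log cannot show whether a file was rejected on the 32-bit size field or on the 64-bit extended size. A distinct string such as `"\"%s\" mp4 64-bit atom is too small:%uL"` would make triage of malformed or crafted files easier. The check also deserves a short comment stating the invariant it protects, for example `/* the 64-bit size counts the header itself; anything smaller underflows the data size */`, which is what the commit message describes. Only the lower bound is visible here: ngx_http_mp4_read_atom continues outside the hunk, so whether atom_size is also bounded against the remaining file length before it is used cannot be confirmed from this page.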