path: root/src/os/unix/ngx_alloc.h
author: Roman Arutyunyan <arut@nginx.com>, 2024-08-12 18:20:43 +0400
committer: Roman Arutyunyan <arut@nginx.com>, 2024-08-12 18:20:43 +0400
commit: 3dc0fba5adec4c033eed76976f7275f2af7d5ddd
tree: de65c44639aa78a3a61a23382db0edc460134010 /src/os/unix/ngx_alloc.h
parent: e1daadc3883ad94e0c450ad46e8f11ad5539dcfc
Mp4: fixed buffer underread while updating stsz atom.
While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer overflow could happen, which could result in incorrect seeking and a very large value stored in "samples". This resulted in a large invalid value of trak->end_chunk_samples. This value is further used to calculate the value of trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing this, a large invalid value of trak->end_chunk_samples could result in reading memory before stsz atom start. This could potentially result in a segfault.
Diffstat (limited to 'src/os/unix/ngx_alloc.h')
0 files changed, 0 insertions, 0 deletions
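
The failure mode described in the commit message, as an added C example that is not nginx code and not part of this commit: a 32-bit count is computed with an overflow check, and a backward walk over a size table rejects a count that would step before the table start. The function names, the multiplication used for the count, and the sample table are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: 32-bit sample count with an explicit overflow check.
 * The multiplication is an assumed shape for the count calculation. */
static int checked_samples(uint32_t chunks, uint32_t per_chunk, uint32_t *out)
{
    uint64_t n = (uint64_t) chunks * per_chunk;

    if (n > UINT32_MAX) {
        return -1;                 /* would wrap in 32-bit arithmetic */
    }
    *out = (uint32_t) n;
    return 0;
}

/* Hypothetical helper: sum the sizes of the `count` samples that precede
 * index `end_sample` in a table of `entries` big-endian 32-bit sizes.
 * The walk goes backwards, so `count` is validated against the table start. */
static int tail_samples_size(const uint8_t *table, uint32_t entries,
    uint32_t end_sample, uint32_t count, uint64_t *size)
{
    const uint8_t *pos;
    uint64_t sum = 0;

    if (end_sample > entries || count > end_sample) {
        return -1;                 /* would read outside the table */
    }
    pos = table + (size_t) end_sample * 4;
    while (count--) {
        pos -= 4;
        sum += ((uint32_t) pos[0] << 24) | ((uint32_t) pos[1] << 16)
             | ((uint32_t) pos[2] << 8) | pos[3];
    }
    *size = sum;
    return 0;
}

int main(void)
{
    /* constructed sample table: sizes 10, 20, 30, 40 */
    const uint8_t t[16] = {0,0,0,10, 0,0,0,20, 0,0,0,30, 0,0,0,40};
    uint64_t size = 0;
    uint32_t n = 0;
    printf("overflow check: %d\n", checked_samples(0x10000, 0x10000, &n));
    printf("valid tail: %d\n", tail_samples_size(t, 4, 4, 2, &size));
    printf("huge count: %d\n", tail_samples_size(t, 4, 2, 0xfffffff0u, &size));
    return 0;
}
```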