diff options
| author | Roman Arutyunyan <arut@nginx.com> | 2026-02-21 12:04:36 +0400 |
|---|---|---|
| committer | Roman Arutyunyan <arutyunyan.roman@gmail.com> | 2026-03-24 18:12:29 +0400 |
| commit | 7725c372c2fe11ff908b1d6138be219ad694c42f (patch) | |
| tree | c8f40e57a563b241db735ddb5ad7257523b78b42 /src | |
| parent | d787755d50c96b8f0fc1c5c2df62e8ea3bd9031f (diff) | |
| download | nginx-7725c372c2fe11ff908b1d6138be219ad694c42f.tar.gz nginx-7725c372c2fe11ff908b1d6138be219ad694c42f.tar.bz2 | |
Mp4: avoid zero size buffers in output.
Previously, data validation checks did not cover the cases when the output
contained empty buffers. Such buffers are considered illegal and produce
"zero size buf in output" alerts. The change rejects the mp4 files which
produce such alerts.
Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
Diffstat (limited to 'src')
| -rw-r--r-- | src/http/modules/ngx_http_mp4_module.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c index 445fab1cd..173d8ad54 100644 --- a/src/http/modules/ngx_http_mp4_module.c +++ b/src/http/modules/ngx_http_mp4_module.c @@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4) } } - if (end_offset < start_offset) { - end_offset = start_offset; + if (end_offset <= start_offset) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "no data between start time and end time in \"%s\"", + mp4->file.name.data); + return NGX_ERROR; } mp4->moov_size += 8; @@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4) *prev = &mp4->mdat_atom; - if (start_offset > mp4->mdat_data.buf->file_last) { + if (start_offset >= mp4->mdat_data.buf->file_last) { ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, "start time is out mp4 mdat atom in \"%s\"", mp4->file.name.data); @@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4, if (data) { entries = trak->sample_sizes_entries; - if (trak->start_sample > entries) { + if (trak->start_sample >= entries) { ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, "start time is out mp4 stsz samples in \"%s\"", mp4->file.name.data); @@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4, return NGX_ERROR; } - if (trak->start_chunk > trak->chunks) { + if (trak->start_chunk >= trak->chunks) { ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, "start time is out mp4 stco chunks in \"%s\"", mp4->file.name.data); @@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4, return NGX_ERROR; } - if (trak->start_chunk > trak->chunks) { + if (trak->start_chunk >= trak->chunks) { ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, "start time is out mp4 co64 chunks in \"%s\"", mp4->file.name.data); |