forked from rpms/nginx
Resolves: RHEL-84477 - nginx: specially crafted MP4 file may cause
denial of service (CVE-2024-7347)
This commit is contained in:
Luboš Uhliarik
parent
9a55e6d8d0
commit
72c0c46290
56
0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch
Normal file
56
0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch
Normal file
@ -0,0 +1,56 @@
|
||||
From b7e3c8bcfbee27061efdd40ffb3a8479a9bcd9c8 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
|
||||
Date: Fri, 21 Mar 2025 04:12:14 +0100
|
||||
Subject: [PATCH] CVE-2024-7347: Buffer overread in the mp4 module
|
||||
|
||||
---
|
||||
src/http/modules/ngx_http_mp4_module.c | 14 +++++++++++---
|
||||
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
|
||||
index 0e93fbd..a6e3e80 100644
|
||||
--- a/src/http/modules/ngx_http_mp4_module.c
|
||||
+++ b/src/http/modules/ngx_http_mp4_module.c
|
||||
@@ -2789,7 +2789,8 @@ static ngx_int_t
|
||||
ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
||||
ngx_http_mp4_trak_t *trak, ngx_uint_t start)
|
||||
{
|
||||
- uint32_t start_sample, chunk, samples, id, next_chunk, n,
|
||||
+ uint64_t n;
|
||||
+ uint32_t start_sample, chunk, samples, id, next_chunk,
|
||||
prev_samples;
|
||||
ngx_buf_t *data, *buf;
|
||||
ngx_uint_t entries, target_chunk, chunk_samples;
|
||||
@@ -2845,12 +2846,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
||||
|
||||
next_chunk = ngx_mp4_get_32value(entry->chunk);
|
||||
|
||||
+ if (next_chunk < chunk) {
|
||||
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
+ "unordered mp4 stsc chunks in \"%s\"",
|
||||
+ mp4->file.name.data);
|
||||
+ return NGX_ERROR;
|
||||
+ }
|
||||
+
|
||||
ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
|
||||
"sample:%uD, chunk:%uD, chunks:%uD, "
|
||||
"samples:%uD, id:%uD",
|
||||
start_sample, chunk, next_chunk - chunk, samples, id);
|
||||
|
||||
- n = (next_chunk - chunk) * samples;
|
||||
+ n = (uint64_t) (next_chunk - chunk) * samples;
|
||||
|
||||
if (start_sample < n) {
|
||||
goto found;
|
||||
@@ -2872,7 +2880,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
||||
"sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
|
||||
start_sample, chunk, next_chunk - chunk, samples);
|
||||
|
||||
- n = (next_chunk - chunk) * samples;
|
||||
+ n = (uint64_t) (next_chunk - chunk) * samples;
|
||||
|
||||
if (start_sample > n) {
|
||||
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
--
|
||||
2.44.0
|
||||
|
||||
@ -111,6 +111,9 @@ Patch11: 0011-SSL-use-of-the-SSL_OP_IGNORE_UNEXPECTED_EOF-option.patch
|
||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=2141495
|
||||
Patch12: 0012-CVE-2022-41741-and-CVE-2022-41742-fix.patch
|
||||
|
||||
# upstream patch - https://bugzilla.redhat.com/show_bug.cgi?id=2304966
|
||||
Patch13: 0013-CVE-2024-7347-Buffer-overread-in-the-mp4-module.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
BuildRequires: gnupg2
|
||||
@ -621,6 +624,8 @@ fi
|
||||
|
||||
%changelog
|
||||
* Wed May 14 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-24
|
||||
- Resolves: RHEL-84477 - nginx: specially crafted MP4 file may cause
|
||||
denial of service (CVE-2024-7347)
|
||||
- Resolves: RHEL-85556 - nginx: Memory disclosure in the
|
||||
ngx_http_mp4_module (CVE-2022-41742)
|
||||
- Resolves: RHEL-91446 - nginx: Memory corruption in the
|
||||
|
||||
Loading…
Reference in New Issue
Block a user