From 480fdc39f9f540d24311bddb0a36e55d2bf695ff Mon Sep 17 00:00:00 2001 From: pdancak Date: Fri, 10 Apr 2026 14:00:46 +0200 Subject: [PATCH] RHEL-157876 CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files Resolves: RHEL-157876 rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED --- ...p4-avoid-zero-size-buffers-in-output.patch | 74 +++++++++++++++++++ nginx.spec | 4 + 2 files changed, 78 insertions(+) create mode 100644 0011-Mp4-avoid-zero-size-buffers-in-output.patch diff --git a/0011-Mp4-avoid-zero-size-buffers-in-output.patch b/0011-Mp4-avoid-zero-size-buffers-in-output.patch new file mode 100644 index 0000000..f4edbf9 --- /dev/null +++ b/0011-Mp4-avoid-zero-size-buffers-in-output.patch @@ -0,0 +1,74 @@ +From 7725c372c2fe11ff908b1d6138be219ad694c42f Mon Sep 17 00:00:00 2001 +From: Roman Arutyunyan +Date: Sat, 21 Feb 2026 12:04:36 +0400 +Subject: [PATCH] Mp4: avoid zero size buffers in output. + +Previously, data validation checks did not cover the cases when the output +contained empty buffers. Such buffers are considered illegal and produce +"zero size buf in output" alerts. The change rejects the mp4 files which +produce such alerts. + +Also, the change fixes possible buffer overread and overwrite that could +happen while processing empty stco and co64 atoms, as reported by +Pavel Kohout (Aisle Research) and Tim Becker. +--- + src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c +index 445fab1cd..173d8ad54 100644 +--- a/src/http/modules/ngx_http_mp4_module.c ++++ b/src/http/modules/ngx_http_mp4_module.c +@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4) + } + } + +- if (end_offset < start_offset) { +- end_offset = start_offset; ++ if (end_offset <= start_offset) { ++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, ++ "no data between start time and end time in \"%s\"", ++ mp4->file.name.data); ++ return NGX_ERROR; + } + + mp4->moov_size += 8; +@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4) + + *prev = &mp4->mdat_atom; + +- if (start_offset > mp4->mdat_data.buf->file_last) { ++ if (start_offset >= mp4->mdat_data.buf->file_last) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 mdat atom in \"%s\"", + mp4->file.name.data); +@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4, + if (data) { + entries = trak->sample_sizes_entries; + +- if (trak->start_sample > entries) { ++ if (trak->start_sample >= entries) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 stsz samples in \"%s\"", + mp4->file.name.data); +@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4, + return NGX_ERROR; + } + +- if (trak->start_chunk > trak->chunks) { ++ if (trak->start_chunk >= trak->chunks) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 stco chunks in \"%s\"", + mp4->file.name.data); +@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4, + return NGX_ERROR; + } + +- if (trak->start_chunk > trak->chunks) { ++ if (trak->start_chunk >= trak->chunks) { + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, + "start time is out mp4 co64 chunks in \"%s\"", + mp4->file.name.data); +-- +2.53.0 + diff --git a/nginx.spec b/nginx.spec index 7ab7b7f..e422f18 100644 --- a/nginx.spec +++ b/nginx.spec @@ -131,6 +131,10 @@ Patch8: 0009-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.pat # upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45 Patch9: 0010-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch +# https://redhat.atlassian.net/browse/RHEL-157876 +# upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f +Patch10: 0011-Mp4-avoid-zero-size-buffers-in-output.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2