RHEL-157891 CVE-2026-32647 nginx: NGINX: Denial of Service or Code Execution via specially crafted MP4 files

Resolves: RHEL-157891

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
This commit is contained in:
pdancak 2026-04-14 12:52:08 +02:00
parent ab4f9d9a3b
commit 7b54278843
2 changed files with 80 additions and 0 deletions

@ -0,0 +1,74 @@
From 7725c372c2fe11ff908b1d6138be219ad694c42f Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Sat, 21 Feb 2026 12:04:36 +0400
Subject: [PATCH] Mp4: avoid zero size buffers in output.
Previously, data validation checks did not cover the cases when the output
contained empty buffers. Such buffers are considered illegal and produce
"zero size buf in output" alerts. The change rejects the mp4 files which
produce such alerts.
Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
---
src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 445fab1cd..173d8ad54 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
}
}
- if (end_offset < start_offset) {
- end_offset = start_offset;
+ if (end_offset <= start_offset) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "no data between start time and end time in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
}
mp4->moov_size += 8;
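Review bot: The behaviour change for the `end_offset < start_offset` case is not documented. The removed lines clamped `end_offset = start_offset` and carried on, whereas `if (end_offset <= start_offset)` now returns NGX_ERROR for both the inverted and the equal case. The commit message only speaks of rejecting files that produce zero size buffers, so a short comment above the check saying that an empty or inverted range is refused rather than clamped would make this explicit.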
@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
*prev = &mp4->mdat_atom;
- if (start_offset > mp4->mdat_data.buf->file_last) {
+ if (start_offset >= mp4->mdat_data.buf->file_last) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 mdat atom in \"%s\"",
mp4->file.name.data);
@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
if (data) {
entries = trak->sample_sizes_entries;
- if (trak->start_sample > entries) {
+ if (trak->start_sample >= entries) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 stsz samples in \"%s\"",
mp4->file.name.data);
@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
return NGX_ERROR;
}
- if (trak->start_chunk > trak->chunks) {
+ if (trak->start_chunk >= trak->chunks) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 stco chunks in \"%s\"",
mp4->file.name.data);
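Review bot: Nothing in this commit exercises the empty stco case that `trak->start_chunk >= trak->chunks` is there to catch, since the only files changed are the patch and the spec. With `chunks` at 0 and `start_chunk` at 0 the old `>` test was false and processing continued, which matches the overread and overwrite on empty stco atoms described in the commit message. A regression test serving a file with an empty stco atom and expecting the "start time is out mp4 stco chunks" error would keep this boundary from regressing in a later rebase.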
@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
return NGX_ERROR;
}
- if (trak->start_chunk > trak->chunks) {
+ if (trak->start_chunk >= trak->chunks) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 co64 chunks in \"%s\"",
mp4->file.name.data);
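Review bot: Please confirm that this patch applies without fuzz in %prep. The co64 hunk header `@@ -3834,7 +3837,7 @@` carries upstream line numbers, while the spec changelog shows the package at 1.20.1, so the offsets may differ in the packaged source. The stco and co64 hunks also share the same `trak->start_chunk > trak->chunks` line and differ only in the log string. With fuzz allowed, check that each hunk lands in its own function.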
--
2.53.0

@ -136,6 +136,10 @@ Patch17: 0017-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.pat
# upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45
Patch18: 0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
# https://redhat.atlassian.net/browse/RHEL-157891
# upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
Patch19: 0019-Mp4-avoid-zero-size-buffers-in-output.patch
BuildRequires: make
BuildRequires: gcc
BuildRequires: gnupg2
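Review bot: Patch19 is declared here but the commit adds no `%patch` line for it: the 80 additions are the 74-line patch file plus the 6 spec lines in these two hunks. The fix is therefore only built in if %prep applies patches automatically, for example through %autosetup, so please confirm that. The upstream URL in the comment also uses the abbreviated hash `7725c372c2f`; the full hash from the patch's From line would be unambiguous.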
@ -659,6 +663,8 @@ fi
due to memory corruption via crafted MP4 file
- Resolves: RHEL-159450 - CVE-2026-27651 nginx: NGINX: Denial of Service
via undisclosed requests when ngx_mail_auth_http_module is enabled
- Resolves: RHEL-157891 - CVE-2026-32647 nginx: NGINX: Denial of Service
or Code Execution via specially crafted MP4 files
* Tue Feb 17 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-28
- Resolves: RHEL-146528 - CVE-2026-1642 nginx: NGINX: Data injection via
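Review bot: The two changelog lines for RHEL-157891 are appended to the existing top stanza, and the commit has 0 deletions, so the stanza header and the Release tag are unchanged. Please confirm that no build of that release has already been produced; if one has, this fix needs a release bump and its own stanza so the CVE-2026-32647 entry maps to a distinct NVR.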