From 7b54278843782c8cf4fea7aaa895cd0b56a1f894 Mon Sep 17 00:00:00 2001
From: pdancak <pdancak@redhat.com>
Date: Tue, 14 Apr 2026 12:52:08 +0200
Subject: [PATCH] RHEL-157891 CVE-2026-32647 nginx: NGINX: Denial of Service or
 Code Execution via specially crafted MP4 files

Resolves: RHEL-157891

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
---
 ...p4-avoid-zero-size-buffers-in-output.patch | 74 +++++++++++++++++++
 nginx.spec                                    |  6 ++
 2 files changed, 80 insertions(+)
 create mode 100644 0019-Mp4-avoid-zero-size-buffers-in-output.patch

diff --git a/0019-Mp4-avoid-zero-size-buffers-in-output.patch b/0019-Mp4-avoid-zero-size-buffers-in-output.patch
new file mode 100644
index 0000000..f4edbf9
--- /dev/null
+++ b/0019-Mp4-avoid-zero-size-buffers-in-output.patch
@@ -0,0 +1,74 @@
+From 7725c372c2fe11ff908b1d6138be219ad694c42f Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Sat, 21 Feb 2026 12:04:36 +0400
+Subject: [PATCH] Mp4: avoid zero size buffers in output.
+
+Previously, data validation checks did not cover the cases when the output
+contained empty buffers.  Such buffers are considered illegal and produce
+"zero size buf in output" alerts.  The change rejects the mp4 files which
+produce such alerts.
+
+Also, the change fixes possible buffer overread and overwrite that could
+happen while processing empty stco and co64 atoms, as reported by
+Pavel Kohout (Aisle Research) and Tim Becker.
+---
+ src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+index 445fab1cd..173d8ad54 100644
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+         }
+     }
+ 
+-    if (end_offset < start_offset) {
+-        end_offset = start_offset;
++    if (end_offset <= start_offset) {
++        ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++                      "no data between start time and end time in \"%s\"",
++                      mp4->file.name.data);
++        return NGX_ERROR;
+     }
+ 
+     mp4->moov_size += 8;
+@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
+ 
+     *prev = &mp4->mdat_atom;
+ 
+-    if (start_offset > mp4->mdat_data.buf->file_last) {
++    if (start_offset >= mp4->mdat_data.buf->file_last) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 mdat atom in \"%s\"",
+                       mp4->file.name.data);
+@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
+     if (data) {
+         entries = trak->sample_sizes_entries;
+ 
+-        if (trak->start_sample > entries) {
++        if (trak->start_sample >= entries) {
+             ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                           "start time is out mp4 stsz samples in \"%s\"",
+                           mp4->file.name.data);
+@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
+         return NGX_ERROR;
+     }
+ 
+-    if (trak->start_chunk > trak->chunks) {
++    if (trak->start_chunk >= trak->chunks) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 stco chunks in \"%s\"",
+                       mp4->file.name.data);
+@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
+         return NGX_ERROR;
+     }
+ 
+-    if (trak->start_chunk > trak->chunks) {
++    if (trak->start_chunk >= trak->chunks) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                       "start time is out mp4 co64 chunks in \"%s\"",
+                       mp4->file.name.data);
+-- 
+2.53.0
+
diff --git a/nginx.spec b/nginx.spec
index 1ad643d..50d1d57 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -136,6 +136,10 @@ Patch17:           0017-Mp4-fixed-possible-integer-overflow-on-32-bit-platfo.pat
 # upstream patch - https://github.com/nginx/nginx/commit/9bc13718fe8a59a45
 Patch18:           0018-Mail-fixed-clearing-s-passwd-in-auth-http-requests.patch
 
+# https://redhat.atlassian.net/browse/RHEL-157891
+# upstream patch - https://github.com/nginx/nginx/commit/7725c372c2f
+Patch19:           0019-Mp4-avoid-zero-size-buffers-in-output.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@@ -659,6 +663,8 @@ fi
   due to memory corruption via crafted MP4 file
 - Resolves: RHEL-159450 - CVE-2026-27651 nginx: NGINX: Denial of Service
   via undisclosed requests when ngx_mail_auth_http_module is enabled
+- Resolves: RHEL-157891 - CVE-2026-32647 nginx: NGINX: Denial of Service
+  or Code Execution via specially crafted MP4 files
 
 * Tue Feb 17 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-28
 - Resolves: RHEL-146528 - CVE-2026-1642 nginx: NGINX: Data injection via