75 lines
2.9 KiB
Diff
75 lines
2.9 KiB
Diff
From 7725c372c2fe11ff908b1d6138be219ad694c42f Mon Sep 17 00:00:00 2001
|
|
From: Roman Arutyunyan <arut@nginx.com>
|
|
Date: Sat, 21 Feb 2026 12:04:36 +0400
|
|
Subject: [PATCH] Mp4: avoid zero size buffers in output.
|
|
|
|
Previously, data validation checks did not cover the cases when the output
|
|
contained empty buffers. Such buffers are considered illegal and produce
|
|
"zero size buf in output" alerts. The change rejects the mp4 files which
|
|
produce such alerts.
|
|
|
|
Also, the change fixes possible buffer overread and overwrite that could
|
|
happen while processing empty stco and co64 atoms, as reported by
|
|
Pavel Kohout (Aisle Research) and Tim Becker.
|
|
---
|
|
src/http/modules/ngx_http_mp4_module.c | 15 +++++++++------
|
|
1 file changed, 9 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
|
|
index 445fab1cd..173d8ad54 100644
|
|
--- a/src/http/modules/ngx_http_mp4_module.c
|
|
+++ b/src/http/modules/ngx_http_mp4_module.c
|
|
@@ -901,8 +901,11 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
|
|
}
|
|
}
|
|
|
|
- if (end_offset < start_offset) {
|
|
- end_offset = start_offset;
|
|
+ if (end_offset <= start_offset) {
|
|
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
+ "no data between start time and end time in \"%s\"",
|
|
+ mp4->file.name.data);
|
|
+ return NGX_ERROR;
|
|
}
|
|
|
|
mp4->moov_size += 8;
|
|
@@ -913,7 +916,7 @@ ngx_http_mp4_process(ngx_http_mp4_file_t *mp4)
|
|
|
|
*prev = &mp4->mdat_atom;
|
|
|
|
- if (start_offset > mp4->mdat_data.buf->file_last) {
|
|
+ if (start_offset >= mp4->mdat_data.buf->file_last) {
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"start time is out mp4 mdat atom in \"%s\"",
|
|
mp4->file.name.data);
|
|
@@ -3444,7 +3447,7 @@ ngx_http_mp4_update_stsz_atom(ngx_http_mp4_file_t *mp4,
|
|
if (data) {
|
|
entries = trak->sample_sizes_entries;
|
|
|
|
- if (trak->start_sample > entries) {
|
|
+ if (trak->start_sample >= entries) {
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"start time is out mp4 stsz samples in \"%s\"",
|
|
mp4->file.name.data);
|
|
@@ -3619,7 +3622,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
- if (trak->start_chunk > trak->chunks) {
|
|
+ if (trak->start_chunk >= trak->chunks) {
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"start time is out mp4 stco chunks in \"%s\"",
|
|
mp4->file.name.data);
|
|
@@ -3834,7 +3837,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
|
|
return NGX_ERROR;
|
|
}
|
|
|
|
- if (trak->start_chunk > trak->chunks) {
|
|
+ if (trak->start_chunk >= trak->chunks) {
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"start time is out mp4 co64 chunks in \"%s\"",
|
|
mp4->file.name.data);
|
|
--
|
|
2.53.0
|
|
|