nginx: src/http/modules/ngx_http_mp4

comparison src/http/modules/ngx_http_mp4_module.c @ 7629:f47f7d3d1bfa

Mp4: fixed possible chunk offset overflow. In "co64" atom chunk start offset is a 64-bit unsigned integer. When trimming the "mdat" atom, chunk offsets are casted to off_t values which are typically 64-bit signed integers. A specially crafted mp4 file with huge chunk offsets may lead to off_t overflow and result in negative trim boundaries. The consequences of the overflow are: - Incorrect Content-Length header value in the response. - Negative left boundary of the response file buffer holding the trimmed "mdat". This leads to pread()/sendfile() errors followed by closing the client connection. On rare systems where off_t is a 32-bit integer, this scenario is also feasible with the "stco" atom. The fix is to add checks which make sure data chunks referenced by each track are within the mp4 file boundaries. Additionally a few more checks are added to ensure mp4 file consistency and log errors.

author	Roman Arutyunyan <arut@nginx.com>
date	Wed, 26 Feb 2020 15:10:46 +0300
parents	be5cb9c67c05
children	7a55311b0dc3

comparison

equal deleted inserted replaced

-:2e3bfd696ecb
+:f47f7d3d1bfa
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
 "chunk samples sizes:%uL",
 trak->start_chunk_samples_size);
+if (trak->start_chunk_samples_size > (uint64_t) mp4->end) {
+ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+"too large mp4 start samples size in \"%s\"",
+mp4->file.name.data);
+return NGX_ERROR;
+}
 if (mp4->length) {
 if (trak->end_sample - trak->start_sample > entries) {
 ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
 "end time is out mp4 stsz samples in \"%s\"",
 mp4->file.name.data);
 }
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
 "mp4 stsz end_chunk_samples_size:%uL",
 trak->end_chunk_samples_size);
+if (trak->end_chunk_samples_size > (uint64_t) mp4->end) {
+ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+"too large mp4 end samples size in \"%s\"",
+mp4->file.name.data);
+return NGX_ERROR;
+}
 }
 atom_size = sizeof(ngx_mp4_stsz_atom_t) + (data->last - data->pos);
 trak->size += atom_size;
 ngx_http_mp4_update_stco_atom(ngx_http_mp4_file_t *mp4,
 ngx_http_mp4_trak_t *trak)
 {
 size_t                atom_size;
 uint32_t              entries;
+uint64_t              chunk_offset, samples_size;
 ngx_buf_t            *atom, *data;
 ngx_mp4_stco_atom_t  *stco_atom;
 /*
 * mdia.minf.stbl.stco updating requires trak->start_chunk
 return NGX_ERROR;
 }
 data->pos += trak->start_chunk * sizeof(uint32_t);
-trak->start_offset = ngx_mp4_get_32value(data->pos);
+chunk_offset = ngx_mp4_get_32value(data->pos);
-trak->start_offset += trak->start_chunk_samples_size;
+samples_size = trak->start_chunk_samples_size;
+if (chunk_offset > (uint64_t) mp4->end - samples_size
+|| chunk_offset + samples_size > NGX_MAX_UINT32_VALUE)
+{
+ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+"too large chunk offset in \"%s\"",
+mp4->file.name.data);
+return NGX_ERROR;
+}
+trak->start_offset = chunk_offset + samples_size;
 ngx_mp4_set_32value(data->pos, trak->start_offset);
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
 "start chunk offset:%O", trak->start_offset);
 entries = trak->end_chunk - trak->start_chunk;
 data->last = data->pos + entries * sizeof(uint32_t);
 if (entries) {
-trak->end_offset =
+chunk_offset = ngx_mp4_get_32value(data->last - sizeof(uint32_t));
-ngx_mp4_get_32value(data->last - sizeof(uint32_t));
+samples_size = trak->end_chunk_samples_size;
-trak->end_offset += trak->end_chunk_samples_size;
+if (chunk_offset > (uint64_t) mp4->end - samples_size
+|| chunk_offset + samples_size > NGX_MAX_UINT32_VALUE)
+{
+ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+"too large chunk offset in \"%s\"",
+mp4->file.name.data);
+return NGX_ERROR;
+}
+trak->end_offset = chunk_offset + samples_size;
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
 "end chunk offset:%O", trak->end_offset);
 }
 static ngx_int_t
 ngx_http_mp4_update_co64_atom(ngx_http_mp4_file_t *mp4,
 ngx_http_mp4_trak_t *trak)
 {
 size_t                atom_size;
-uint64_t              entries;
+uint64_t              entries, chunk_offset, samples_size;
 ngx_buf_t            *atom, *data;
 ngx_mp4_co64_atom_t  *co64_atom;
 /*
 * mdia.minf.stbl.co64 updating requires trak->start_chunk
 return NGX_ERROR;
 }
 data->pos += trak->start_chunk * sizeof(uint64_t);
-trak->start_offset = ngx_mp4_get_64value(data->pos);
+chunk_offset = ngx_mp4_get_64value(data->pos);
-trak->start_offset += trak->start_chunk_samples_size;
+samples_size = trak->start_chunk_samples_size;
+if (chunk_offset > (uint64_t) mp4->end - samples_size) {
+ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+"too large chunk offset in \"%s\"",
+mp4->file.name.data);
+return NGX_ERROR;
+}
+trak->start_offset = chunk_offset + samples_size;
 ngx_mp4_set_64value(data->pos, trak->start_offset);
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
 "start chunk offset:%O", trak->start_offset);
 entries = trak->end_chunk - trak->start_chunk;
 data->last = data->pos + entries * sizeof(uint64_t);
 if (entries) {
-trak->end_offset =
+chunk_offset = ngx_mp4_get_64value(data->last - sizeof(uint64_t));
-ngx_mp4_get_64value(data->last - sizeof(uint64_t));
+samples_size = trak->end_chunk_samples_size;
-trak->end_offset += trak->end_chunk_samples_size;
+if (chunk_offset > (uint64_t) mp4->end - samples_size) {
+ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+"too large chunk offset in \"%s\"",
+mp4->file.name.data);
+return NGX_ERROR;
+}
+trak->end_offset = chunk_offset + samples_size;
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
 "end chunk offset:%O", trak->end_offset);
 }

Mercurial > hg > nginx

comparison src/http/modules/ngx_http_mp4_module.c @ 7629:f47f7d3d1bfa