Mercurial > hg > nginx

diff src/http/modules/ngx_http_mp4_module.c @ 7376:e5069816039b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Mp4: fixed reading 64-bit atoms. Previously there was no validation for the size of a 64-bit atom in an mp4 file. This could lead to a CPU hog when the size is 0, or various other problems due to integer underflow when calculating atom data size, including segmentation fault or worker process memory disclosure.
author Roman Arutyunyan <arut@nginx.com>
date Tue, 06 Nov 2018 16:29:18 +0300
parents 99934aade555
children be5cb9c67c05
line wrap: on
line diff
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -942,6 +942,13 @@ ngx_http_mp4_read_atom(ngx_http_mp4_file
                 atom_size = ngx_mp4_get_64value(atom_header + 8);
                 atom_header_size = sizeof(ngx_mp4_atom_header64_t);
 
+                if (atom_size < sizeof(ngx_mp4_atom_header64_t)) {
+                    ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                                  "\"%s\" mp4 atom is too small:%uL",
+                                  mp4->file.name.data, atom_size);
+                    return NGX_ERROR;
+                }
+
             } else {
                 ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
                               "\"%s\" mp4 atom is too small:%uL",