Mercurial > hg > nginx
view auto/feature @ 7629:f47f7d3d1bfa
Mp4: fixed possible chunk offset overflow.
In "co64" atom chunk start offset is a 64-bit unsigned integer. When trimming
the "mdat" atom, chunk offsets are casted to off_t values which are typically
64-bit signed integers. A specially crafted mp4 file with huge chunk offsets
may lead to off_t overflow and result in negative trim boundaries.
The consequences of the overflow are:
- Incorrect Content-Length header value in the response.
- Negative left boundary of the response file buffer holding the trimmed "mdat".
This leads to pread()/sendfile() errors followed by closing the client
connection.
On rare systems where off_t is a 32-bit integer, this scenario is also feasible
with the "stco" atom.
The fix is to add checks which make sure data chunks referenced by each track
are within the mp4 file boundaries. Additionally a few more checks are added to
ensure mp4 file consistency and log errors.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Wed, 26 Feb 2020 15:10:46 +0300 |
parents | e3faa5fb7772 |
children |
line wrap: on
line source
# Copyright (C) Igor Sysoev # Copyright (C) Nginx, Inc. echo $ngx_n "checking for $ngx_feature ...$ngx_c" cat << END >> $NGX_AUTOCONF_ERR ---------------------------------------- checking for $ngx_feature END ngx_found=no if test -n "$ngx_feature_name"; then ngx_have_feature=`echo $ngx_feature_name \ | tr abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ` fi if test -n "$ngx_feature_path"; then for ngx_temp in $ngx_feature_path; do ngx_feature_inc_path="$ngx_feature_inc_path -I $ngx_temp" done fi cat << END > $NGX_AUTOTEST.c #include <sys/types.h> $NGX_INCLUDE_UNISTD_H $ngx_feature_incs int main(void) { $ngx_feature_test; return 0; } END ngx_test="$CC $CC_TEST_FLAGS $CC_AUX_FLAGS $ngx_feature_inc_path \ -o $NGX_AUTOTEST $NGX_AUTOTEST.c $NGX_TEST_LD_OPT $ngx_feature_libs" ngx_feature_inc_path= eval "/bin/sh -c \"$ngx_test\" >> $NGX_AUTOCONF_ERR 2>&1" if [ -x $NGX_AUTOTEST ]; then case "$ngx_feature_run" in yes) # /bin/sh is used to intercept "Killed" or "Abort trap" messages if /bin/sh -c $NGX_AUTOTEST >> $NGX_AUTOCONF_ERR 2>&1; then echo " found" ngx_found=yes if test -n "$ngx_feature_name"; then have=$ngx_have_feature . auto/have fi else echo " found but is not working" fi ;; value) # /bin/sh is used to intercept "Killed" or "Abort trap" messages if /bin/sh -c $NGX_AUTOTEST >> $NGX_AUTOCONF_ERR 2>&1; then echo " found" ngx_found=yes cat << END >> $NGX_AUTO_CONFIG_H #ifndef $ngx_feature_name #define $ngx_feature_name `$NGX_AUTOTEST` #endif END else echo " found but is not working" fi ;; bug) # /bin/sh is used to intercept "Killed" or "Abort trap" messages if /bin/sh -c $NGX_AUTOTEST >> $NGX_AUTOCONF_ERR 2>&1; then echo " not found" else echo " found" ngx_found=yes if test -n "$ngx_feature_name"; then have=$ngx_have_feature . auto/have fi fi ;; *) echo " found" ngx_found=yes if test -n "$ngx_feature_name"; then have=$ngx_have_feature . auto/have fi ;; esac else echo " not found" echo "----------" >> $NGX_AUTOCONF_ERR cat $NGX_AUTOTEST.c >> $NGX_AUTOCONF_ERR echo "----------" >> $NGX_AUTOCONF_ERR echo $ngx_test >> $NGX_AUTOCONF_ERR echo "----------" >> $NGX_AUTOCONF_ERR fi rm -rf $NGX_AUTOTEST*