Mercurial > hg > nginx
view src/os/unix/ngx_dlopen.h @ 9322:d6f75dd66761 default tip
Mp4: added and updated sanity checks for "end" handling.
When handling incorrect data in ngx_http_mp4_crop_stsc_data(),
trak->end_chunk_samples might end up being arbitrary large, leading
to reading before the buffer in ngx_http_mp4_update_stsz_atom(). Fix
is to check that trak->end_chunk_samples corresponds to a memory within
the stsz atom data. For consistency, trak->start_chunk_samples
is checked similarly.
Similarly, trak->end_chunk might end up being smaller than trak->start_chunk,
leading to reading memory after the buffer in ngx_http_mp4_update_stco_atom()
and ngx_http_mp4_update_co64_atom(). Corresponding checks are updated
to explicitly test (trak->end_chunk - trak->start_chunk) instead of just
checking trak->end_chunk and assuming it is larger than trak->start_chunk.
This is generally in line with existing checks of
(trak->end_sample - trak->start_sample) in ngx_http_mp4_update_stsz_atom(),
where trak->end_sample might also become smaller than trak->start_sample
when handling incorrect data in ngx_http_mp4_crop_stts_data().
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sun, 25 Aug 2024 06:35:40 +0300 |
parents | 7142b04337d6 |
children |
line wrap: on
line source
/* * Copyright (C) Maxim Dounin * Copyright (C) Nginx, Inc. */ #ifndef _NGX_DLOPEN_H_INCLUDED_ #define _NGX_DLOPEN_H_INCLUDED_ #include <ngx_config.h> #include <ngx_core.h> #define ngx_dlopen(path) dlopen((char *) path, RTLD_NOW | RTLD_GLOBAL) #define ngx_dlopen_n "dlopen()" #define ngx_dlsym(handle, symbol) dlsym(handle, symbol) #define ngx_dlsym_n "dlsym()" #define ngx_dlclose(handle) dlclose(handle) #define ngx_dlclose_n "dlclose()" #if (NGX_HAVE_DLOPEN) char *ngx_dlerror(void); #endif #endif /* _NGX_DLOPEN_H_INCLUDED_ */