1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
From 88955b1044ef38315b77ad1a509d63631a790a0f Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Mon, 12 Aug 2024 18:20:45 +0400
Subject: [PATCH] Mp4: rejecting unordered chunks in stsc atom.
Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom()
this caused buffer overread while trying to calculate trak->end_offset.
CVE: CVE-2024-7347
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f]
Signed-off-by: Ashish Sharma <asharma@mvista.com>
src/http/modules/ngx_http_mp4_module.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index 1cd017c274..041ad263b5 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
next_chunk = ngx_mp4_get_32value(entry->chunk);
+ if (next_chunk < chunk) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "unordered mp4 stsc chunks in \"%s\"",
+ mp4->file.name.data);
+ return NGX_ERROR;
+ }
+
ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
"sample:%uD, chunk:%uD, chunks:%uD, "
"samples:%uD, id:%uD",
|
