[PATCH] Mp4: fixed potential overflow in ngx_http_mp4_crop_stts_data()
Maxim Dounin
mdounin at mdounin.ru
Tue Jun 7 19:00:53 UTC 2022
Hello!
On Tue, Jun 07, 2022 at 05:16:45PM +0400, Roman Arutyunyan wrote:
> On Tue, May 31, 2022 at 12:05:13AM +0300, Maxim Dounin wrote:
> > # HG changeset patch
> > # User Maxim Dounin <mdounin at mdounin.ru>
> > # Date 1653942033 -10800
> > # Mon May 30 23:20:33 2022 +0300
> > # Node ID d5363be9fa61e0327574b8aa1342c874efd027b0
> > # Parent cd40709c91e245036e7f71a6c3e5190d9533be75
> > Mp4: fixed potential overflow in ngx_http_mp4_crop_stts_data().
> >
> > Both "count" and "duration" variables are 32-bit, so their product might
> > potentially overflow. It is used to reduce 64-bit start_time variable,
> > and with very large start_time this can result in incorrect seeking.
> >
> > Found by Coverity (CID 1499904).
> >
> > diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
> > --- a/src/http/modules/ngx_http_mp4_module.c
> > +++ b/src/http/modules/ngx_http_mp4_module.c
> > @@ -2331,7 +2331,7 @@ ngx_http_mp4_crop_stts_data(ngx_http_mp4
> > }
> >
> > start_sample += count;
> > - start_time -= count * duration;
> > + start_time -= (uint64_t) count * duration;
> > entries--;
> > entry++;
> > }
>
> Looks fine
Pushed to http://mdounin.ru/hg/nginx.
--
Maxim Dounin
http://mdounin.ru/
More information about the nginx-devel
mailing list