[PATCH] Mp4: fixed potential overflow in ngx_http_mp4_crop_stts_data()

Maxim Dounin mdounin at mdounin.ru
Mon May 30 21:05:13 UTC 2022


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1653942033 -10800
#      Mon May 30 23:20:33 2022 +0300
# Node ID d5363be9fa61e0327574b8aa1342c874efd027b0
# Parent  cd40709c91e245036e7f71a6c3e5190d9533be75
Mp4: fixed potential overflow in ngx_http_mp4_crop_stts_data().

Both "count" and "duration" variables are 32-bit, so their product might
potentially overflow.  It is used to reduce 64-bit start_time variable,
and with very large start_time this can result in incorrect seeking.

Found by Coverity (CID 1499904).

diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -2331,7 +2331,7 @@ ngx_http_mp4_crop_stts_data(ngx_http_mp4
         }
 
         start_sample += count;
-        start_time -= count * duration;
+        start_time -= (uint64_t) count * duration;
         entries--;
         entry++;
     }



More information about the nginx-devel mailing list