[PATCH 1 of 3] Mp4: fixed ngx_http_mp4_seek_key_frame()

Sun Mar 8 02:43:38 UTC 2026

# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1772936214 -10800
#      Sun Mar 08 05:16:54 2026 +0300
# Node ID a98f57c9c8fb0e760d43fe9b507cd51e7da427cc
# Parent  87c2bbf0e078ab8e52100a1324cf7ebb64b6b96d
Mp4: fixed ngx_http_mp4_seek_key_frame().

Previously, ngx_http_mp4_seek_key_frame() might return key frame prefix
larger than start_sample provided in function arguments, notably on an
invalid stss entry with zero sample_number.  This resulted in backwards
loop in ngx_http_mp4_crop_stts_data() to incorrectly access data before
the stts atom entries (and stop at the stts atom header mostly by chance).

The fix is to make sure ngx_http_mp4_seek_key_frame() always returns
a value equal or smaller than start_sample provided, regardless of the
stss entries.  Invalid entries with zero sample_number now will be
interpreted as if there very large sample_number, so the previous one
will be returned.

diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -2528,13 +2528,14 @@ ngx_http_mp4_seek_key_frame(ngx_http_mp4
     entry = (uint32_t *) data->pos;
     end = (uint32_t *) data->last;
 
-    /* sync samples starts from 1 */
-    start_sample++;
-
     key_prefix = 0;
 
     while (entry < end) {
         sample = ngx_mp4_get_32value(entry);
+
+        /* sync samples starts from 1 */
+        sample--;
+
         if (sample > start_sample) {
             break;
         }

