[PATCH 3 of 3] Mp4: fixed off-by-one in stco/co64 chunk number tests

Maxim Dounin mdounin at mdounin.ru
Sun Mar 8 02:43:40 UTC 2026


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1772936218 -10800
#      Sun Mar 08 05:16:58 2026 +0300
# Node ID 2ba8f363ec1d6529dedc278100abc9e07609f3ee
# Parent  76e10dcd0806af14721671ced78b13dfbe4cd437
Mp4: fixed off-by-one in stco/co64 chunk number tests.

Previously, if trak->start_chunk was exactly equal to the number of entries
in the stco/co64 atom (trak->chunks), it wasn't rejected by the tests
in ngx_http_mp4_update_stco_atom() (and ngx_http_mp4_update_co64_atom()),
and the following code accessed a value past the stco/co64 atom, potentially
resulting in segmentation faults.

diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -3606,7 +3606,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_m
         return NGX_ERROR;
     }
 
-    if (trak->start_chunk > trak->chunks) {
+    if (trak->start_chunk >= trak->chunks) {
         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
                       "start time is out mp4 stco chunks in \"%s\"",
                       mp4->file.name.data);
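Review bot: the tightened test `if (trak->start_chunk >= trak->chunks)` carries no comment saying why equality has to be rejected, and the earlier `>` form looked just as plausible to a reader. A one-line comment above the check, stating that start_chunk is used as an index into the stco entries and so must be strictly less than trak->chunks, would make the invariant explicit. A regression test with start_chunk exactly equal to the entry count would cover the boundary this hunk changes.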
@@ -3823,7 +3823,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_m
         return NGX_ERROR;
     }
 
-    if (trak->start_chunk > trak->chunks) {
+    if (trak->start_chunk >= trak->chunks) {
         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
                       "start time is out mp4 co64 chunks in \"%s\"",
                       mp4->file.name.data);
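Review bot: the co64 check here is a copy of the stco one, and both copies carried the same wrong bound, so the comparison is worth factoring into one shared helper or macro used by ngx_http_mp4_update_stco_atom() and ngx_http_mp4_update_co64_atom(), so the two cannot drift apart. The ngx_log_error() call also reports only the file name; including the values of trak->start_chunk and trak->chunks in the message would let an operator tell a boundary case from a grossly out-of-range request. The message text "start time is out mp4 co64 chunks" appears to be missing "of", as does its stco counterpart.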


