[nginx] Mp4: fixed entries tests on 32-bit platforms.
Maxim Dounin
mdounin at mdounin.ru
Tue Mar 10 01:39:22 UTC 2026
details: http://freenginx.org/hg/nginx/rev/efe2b1c11265
branches:
changeset: 9476:efe2b1c11265
user: Maxim Dounin <mdounin at mdounin.ru>
date: Tue Mar 10 04:31:28 2026 +0300
description:
Mp4: fixed entries tests on 32-bit platforms.
Previously, tests for the number of entries in various atom read functions
used the "entries * sizeof(uint32_t)" construct, with entries being uint32_t.
On platforms with 32-bit sizeof() this will overflow, leading to a smaller
result. This isn't a real issue in most cases, since the same construct
is used to calculate atom_end pointer. Still, in some cases the number
of entries is used directly, such as in stco/co64 atom updating, and a
large value might result in segmentation faults.
The fix is to cast "entries" to uint64_t before the multiplication to avoid
the overflow.
diffstat:
src/http/modules/ngx_http_mp4_module.c | 14 +++++++-------
1 files changed, 7 insertions(+), 7 deletions(-)
diffs (66 lines):
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -2302,7 +2302,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4
"mp4 time-to-sample entries:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t)
- + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stts atom too small", mp4->file.name.data);
@@ -2606,7 +2606,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4
atom->last = atom_table;
if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stss atom too small", mp4->file.name.data);
@@ -2811,7 +2811,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4
atom->last = atom_table;
if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t)
- + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 ctts atom too small", mp4->file.name.data);
@@ -2993,7 +2993,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4
"sample-to-chunk entries:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t)
- + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stsc atom too small", mp4->file.name.data);
@@ -3363,7 +3363,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4
if (size == 0) {
if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stsz atom too small",
@@ -3536,7 +3536,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t)
- + entries * sizeof(uint32_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 stco atom too small", mp4->file.name.data);
@@ -3754,7 +3754,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t)
- + entries * sizeof(uint64_t) > atom_data_size)
+ + (uint64_t) entries * sizeof(uint64_t) > atom_data_size)
{
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"\"%s\" mp4 co64 atom too small", mp4->file.name.data);
More information about the nginx-devel
mailing list