[nginx] Mp4: fixed off-by-one in stco/co64 chunk number tests.
Maxim Dounin
mdounin at mdounin.ru
Tue Mar 10 01:39:22 UTC 2026
details: http://freenginx.org/hg/nginx/rev/a7c60a17c215
branches:
changeset: 9477:a7c60a17c215
user: Maxim Dounin <mdounin at mdounin.ru>
date: Tue Mar 10 04:31:31 2026 +0300
description:
Mp4: fixed off-by-one in stco/co64 chunk number tests.
Previously, if trak->start_chunk was exactly equal to the number of entries
in the stco/co64 atom (trak->chunks), it wasn't rejected by the tests
in ngx_http_mp4_update_stco_atom() (and ngx_http_mp4_update_co64_atom()),
and the following code accessed a value past the stco/co64 atom, potentially
resulting in segmentation faults.
diffstat:
src/http/modules/ngx_http_mp4_module.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diffs (21 lines):
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -3606,7 +3606,7 @@ ngx_http_mp4_update_stco_atom(ngx_http_m
return NGX_ERROR;
}
- if (trak->start_chunk > trak->chunks) {
+ if (trak->start_chunk >= trak->chunks) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 stco chunks in \"%s\"",
mp4->file.name.data);
@@ -3823,7 +3823,7 @@ ngx_http_mp4_update_co64_atom(ngx_http_m
return NGX_ERROR;
}
- if (trak->start_chunk > trak->chunks) {
+ if (trak->start_chunk >= trak->chunks) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"start time is out mp4 co64 chunks in \"%s\"",
mp4->file.name.data);
More information about the nginx-devel
mailing list