Mercurial > hg > nginx
view docs/dtd/change_log_conf.dtd @ 9322:d6f75dd66761
Mp4: added and updated sanity checks for "end" handling.
When handling incorrect data in ngx_http_mp4_crop_stsc_data(),
trak->end_chunk_samples might end up being arbitrary large, leading
to reading before the buffer in ngx_http_mp4_update_stsz_atom(). Fix
is to check that trak->end_chunk_samples corresponds to a memory within
the stsz atom data. For consistency, trak->start_chunk_samples
is checked similarly.
Similarly, trak->end_chunk might end up being smaller than trak->start_chunk,
leading to reading memory after the buffer in ngx_http_mp4_update_stco_atom()
and ngx_http_mp4_update_co64_atom(). Corresponding checks are updated
to explicitly test (trak->end_chunk - trak->start_chunk) instead of just
checking trak->end_chunk and assuming it is larger than trak->start_chunk.
This is generally in line with existing checks of
(trak->end_sample - trak->start_sample) in ngx_http_mp4_update_stsz_atom(),
where trak->end_sample might also become smaller than trak->start_sample
when handling incorrect data in ngx_http_mp4_crop_stts_data().
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sun, 25 Aug 2024 06:35:40 +0300 |
parents | 551102312e19 |
children |
line wrap: on
line source
<!ELEMENT configuration (length, start, indent, changes+) > <!ELEMENT length (#PCDATA) > <!ELEMENT start (#PCDATA) > <!ELEMENT indent (#PCDATA) > <!ELEMENT changes (title, length, bugfix, feature, change, workaround, (month, month, month, month, month, month, month, month, month, month, month, month)?) > <!ATTLIST changes lang ( ru | en) #REQUIRED> <!ELEMENT title (#PCDATA) > <!ELEMENT bugfix (#PCDATA) > <!ELEMENT feature (#PCDATA) > <!ELEMENT change (#PCDATA) > <!ELEMENT workaround (#PCDATA) > <!ELEMENT month (#PCDATA) >