[PATCH] MP4 32-bit chunk size buffer overrun fix per the corporatists (CVE-2024-7347 2024-08-14)
Maxim Dounin
mdounin at mdounin.ru
Fri Aug 23 23:49:03 UTC 2024
Hello!
On Thu, Aug 22, 2024 at 11:19:58PM -0500, skull-squadron wrote:
> # HG changeset patch
> # User skull-squadron <barry.allard at gmail.com>
> # Date 1724385465 18000
> # Thu Aug 22 22:57:45 2024 -0500
> # Node ID 045b92ed3e5a79153363cdae44278eb149fee6c2
> # Parent cf73b65983c2d093f5b6651f8b45b9973a68e9f5
> MP4 32-bit chunk size buffer overrun fix per the corporatists (CVE-2024-7347 2024-08-14)
[...]
I've recently posted a better patch, see here:
https://freenginx.org/pipermail/nginx-devel/2024-August/000474.html
Please take a look if it works for you.
As for the changes committed into F5 NGINX and the CVE assigned,
here are some thoughts, in no particular order:
- There are two clearly distinct issues here. If at all, CVE
numbers should be assigned to both of them.
- The real issues happen elsewhere. And, following existing array
access sanity checks, it might be a better idea to actually
check the array element is within the array just before access,
and avoid any assumptions about mp4-derived data. That is what
the patch referenced above does.
- While adding sanity checks in stsc atom handling might be
beneficial, they shouldn't be relied upon. And there are other
similar places to consider, such as potential overflows during
stts atom handling, which can result in arbitrary
trak->start_sample and trak->end_sample values. Similarly, there
are other data issues to consider as well, such as chunks with
zero samples per chunk in stsc atoms.
Hope this helps.
--
Maxim Dounin
http://mdounin.ru/
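As an added illustration of the approach described in the reply above (checking the index against the array right before the access, rejecting stsc entries with zero samples per chunk, and doing the arithmetic on mp4-derived 32-bit values in 64 bits), here is example C that is not nginx's code; the `stsc_entry_t` type and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stsc entry (first_chunk is 1-based, as in the MP4 format);
 * an illustrative type, not nginx's trak structures. */
typedef struct {
    uint32_t first_chunk;
    uint32_t samples_per_chunk;
} stsc_entry_t;

/* Reject tables with zero samples per chunk, non-increasing first_chunk,
 * or first_chunk values that point past the stco (chunk offset) table. */
bool stsc_table_valid(const stsc_entry_t *e, size_t n, uint32_t chunk_count)
{
    if (n == 0 || e[0].first_chunk != 1) return false;
    for (size_t i = 0; i < n; i++) {
        if (e[i].samples_per_chunk == 0) return false;
        if (e[i].first_chunk > chunk_count) return false;
        if (i > 0 && e[i].first_chunk <= e[i - 1].first_chunk) return false;
    }
    return true;
}

/* Map a sample index to a 0-based chunk index. Arithmetic is 64-bit on
 * 32-bit file values and the running sample total is overflow-checked. */
bool sample_to_chunk(const stsc_entry_t *e, size_t n, uint32_t chunk_count,
                     uint64_t sample, uint64_t *chunk_out)
{
    uint64_t base = 0;
    if (!stsc_table_valid(e, n, chunk_count)) return false;
    for (size_t i = 0; i < n; i++) {
        uint64_t first = e[i].first_chunk;
        uint64_t end = (i + 1 < n) ? e[i + 1].first_chunk : (uint64_t) chunk_count + 1;
        uint64_t spc = e[i].samples_per_chunk;
        uint64_t span = (end - first) * spc;  /* both factors fit in 32 bits */
        if (span > UINT64_MAX - base) return false;
        if (sample < base + span) {
            *chunk_out = first - 1 + (sample - base) / spc;
            return true;
        }
        base += span;
    }
    return false;  /* sample lies beyond the last chunk */
}

/* Bounds-check the chunk index immediately before the stco access,
 * regardless of what earlier checks produced it. */
bool chunk_offset_at(const uint32_t *stco, uint32_t chunk_count,
                     uint64_t chunk, uint32_t *offset_out)
{
    if (chunk >= chunk_count) return false;
    *offset_out = stco[chunk];
    return true;
}
```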