upstream/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2026-04-15 22:09:26 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Mp4: validate sync sample values in stss atom.
Some checks are pending
buildbot / buildbot (push) Waiting to run
Details

Browse source 
Per ISO 14496-12 Section 8.6.2, sync sample numbers must be 1-based.
A zero-valued stss entry caused ngx_http_mp4_seek_key_frame() to
return a key_prefix exceeding the samples consumed in the forward
stts pass, which led the backward loop in ngx_http_mp4_crop_stts_data()
to walk past the beginning of the stts data buffer.

The fix validates each stss entry in ngx_http_mp4_seek_key_frame()
and returns an error if a zero sync sample is encountered.  The
function signature is changed to return ngx_int_t so it can signal
errors to the caller.
This commit is contained in:
CodeByMoriarty 2026-02-22 16:45:47 -08:00 committed by Roman Arutyunyan
parent ec714d52bd
commit bb8ec295ab
1 changed files with 25 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
src/http/modules/ngx_http_mp4_module.c
View file

@ -318,8 +318,8 @@ static ngx_int_t ngx_http_mp4_update_stts_atom(ngx_http_mp4_file_t *mp4,
ngx_http_mp4_trak_t *trak);
static ngx_int_t ngx_http_mp4_crop_stts_data(ngx_http_mp4_file_t *mp4,
ngx_http_mp4_trak_t *trak, ngx_uint_t start);
static uint32_t ngx_http_mp4_seek_key_frame(ngx_http_mp4_file_t *mp4,
ngx_http_mp4_trak_t *trak, uint32_t start_sample);
static ngx_int_t ngx_http_mp4_seek_key_frame(ngx_http_mp4_file_t *mp4,
ngx_http_mp4_trak_t *trak, uint32_t start_sample, uint32_t *key_prefix);
static ngx_int_t ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4,
uint64_t atom_data_size);
static ngx_int_t ngx_http_mp4_update_stss_atom(ngx_http_mp4_file_t *mp4,
@ -2455,7 +2455,11 @@ ngx_http_mp4_crop_stts_data(ngx_http_mp4_file_t *mp4,
found:
if (start) {
key_prefix = ngx_http_mp4_seek_key_frame(mp4, trak, start_sample);
if (ngx_http_mp4_seek_key_frame(mp4, trak, start_sample, &key_prefix)
!= NGX_OK)
{
return NGX_ERROR;
}
start_sample -= key_prefix;
@ -2499,22 +2503,24 @@ found:
}
static uint32_t
static ngx_int_t
ngx_http_mp4_seek_key_frame(ngx_http_mp4_file_t *mp4, ngx_http_mp4_trak_t *trak,
uint32_t start_sample)
uint32_t start_sample, uint32_t *key_prefix)
{
uint32_t key_prefix, sample, *entry, *end;
uint32_t sample, *entry, *end;
ngx_buf_t *data;
ngx_http_mp4_conf_t *conf;
*key_prefix = 0;
conf = ngx_http_get_module_loc_conf(mp4->request, ngx_http_mp4_module);
if (!conf->start_key_frame) {
return 0;
return NGX_OK;
}
data = trak->out[NGX_HTTP_MP4_STSS_DATA].buf;
if (data == NULL) {
return 0;
return NGX_OK;
}
entry = (uint32_t *) data->pos;
@ -2523,22 +2529,28 @@ ngx_http_mp4_seek_key_frame(ngx_http_mp4_file_t *mp4, ngx_http_mp4_trak_t *trak,
/* sync samples starts from 1 */
start_sample++;
key_prefix = 0;
while (entry < end) {
sample = ngx_mp4_get_32value(entry);
if (sample == 0) {
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
"zero sync sample in \"%s\"",
mp4->file.name.data);
return NGX_ERROR;
}
if (sample > start_sample) {
break;
}
key_prefix = start_sample - sample;
*key_prefix = start_sample - sample;
entry++;
}
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
"mp4 key frame prefix:%uD", key_prefix);
"mp4 key frame prefix:%uD", *key_prefix);
return key_prefix;
return NGX_OK;
}