mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-06-13 17:39:57 +00:00
nginx: Backport fix for CVE-2024-7347
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f and https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4] Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Ashish Sharma
committed by
Armin Kuster
Armin Kuster
parent
28f14d5d19
commit
b7148ebb47
@@ -0,0 +1,34 @@
|
|||||||
|
From 88955b1044ef38315b77ad1a509d63631a790a0f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Roman Arutyunyan <arut@nginx.com>
|
||||||
|
Date: Mon, 12 Aug 2024 18:20:45 +0400
|
||||||
|
Subject: [PATCH] Mp4: rejecting unordered chunks in stsc atom.
|
||||||
|
|
||||||
|
Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk
|
||||||
|
in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom()
|
||||||
|
this caused buffer overread while trying to calculate trak->end_offset.
|
||||||
|
|
||||||
|
CVE: CVE-2024-7347
|
||||||
|
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f]
|
||||||
|
Signed-off-by: Ashish Sharma <asharma@mvista.com>
|
||||||
|
|
||||||
|
src/http/modules/ngx_http_mp4_module.c | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
|
||||||
|
index 1cd017c274..041ad263b5 100644
|
||||||
|
--- a/src/http/modules/ngx_http_mp4_module.c
|
||||||
|
+++ b/src/http/modules/ngx_http_mp4_module.c
|
||||||
|
@@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
||||||
|
|
||||||
|
next_chunk = ngx_mp4_get_32value(entry->chunk);
|
||||||
|
|
||||||
|
+ if (next_chunk < chunk) {
|
||||||
|
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||||
|
+ "unordered mp4 stsc chunks in \"%s\"",
|
||||||
|
+ mp4->file.name.data);
|
||||||
|
+ return NGX_ERROR;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
|
||||||
|
"sample:%uD, chunk:%uD, chunks:%uD, "
|
||||||
|
"samples:%uD, id:%uD",
|
||||||
@@ -0,0 +1,52 @@
|
|||||||
|
From 7362d01658b61184108c21278443910da68f93b4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Roman Arutyunyan <arut@nginx.com>
|
||||||
|
Date: Mon, 12 Aug 2024 18:20:43 +0400
|
||||||
|
Subject: [PATCH] Mp4: fixed buffer underread while updating stsz atom.
|
||||||
|
|
||||||
|
While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer
|
||||||
|
overflow could happen, which could result in incorrect seeking and a very large
|
||||||
|
value stored in "samples". This resulted in a large invalid value of
|
||||||
|
trak->end_chunk_samples. This value is further used to calculate the value of
|
||||||
|
trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing
|
||||||
|
this, a large invalid value of trak->end_chunk_samples could result in reading
|
||||||
|
memory before stsz atom start. This could potentially result in a segfault.
|
||||||
|
|
||||||
|
CVE: CVE-2024-7347
|
||||||
|
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4]
|
||||||
|
Signed-off-by: Ashish Sharma <asharma@mvista.com>
|
||||||
|
|
||||||
|
src/http/modules/ngx_http_mp4_module.c | 7 ++++---
|
||||||
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
|
||||||
|
index 03175dea21..1cd017c274 100644
|
||||||
|
--- a/src/http/modules/ngx_http_mp4_module.c
|
||||||
|
+++ b/src/http/modules/ngx_http_mp4_module.c
|
||||||
|
@@ -3099,7 +3099,8 @@ static ngx_int_t
|
||||||
|
ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
||||||
|
ngx_http_mp4_trak_t *trak, ngx_uint_t start)
|
||||||
|
{
|
||||||
|
- uint32_t start_sample, chunk, samples, id, next_chunk, n,
|
||||||
|
+ uint64_t n;
|
||||||
|
+ uint32_t start_sample, chunk, samples, id, next_chunk,
|
||||||
|
prev_samples;
|
||||||
|
ngx_buf_t *data, *buf;
|
||||||
|
ngx_uint_t entries, target_chunk, chunk_samples;
|
||||||
|
@@ -3160,7 +3161,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
||||||
|
"samples:%uD, id:%uD",
|
||||||
|
start_sample, chunk, next_chunk - chunk, samples, id);
|
||||||
|
|
||||||
|
- n = (next_chunk - chunk) * samples;
|
||||||
|
+ n = (uint64_t) (next_chunk - chunk) * samples;
|
||||||
|
|
||||||
|
if (start_sample < n) {
|
||||||
|
goto found;
|
||||||
|
@@ -3182,7 +3183,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
||||||
|
"sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
|
||||||
|
start_sample, chunk, next_chunk - chunk, samples);
|
||||||
|
|
||||||
|
- n = (next_chunk - chunk) * samples;
|
||||||
|
+ n = (uint64_t) (next_chunk - chunk) * samples;
|
||||||
|
|
||||||
|
if (start_sample > n) {
|
||||||
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||||
@@ -23,6 +23,8 @@ SRC_URI = " \
|
|||||||
file://nginx.service \
|
file://nginx.service \
|
||||||
file://nginx-fix-pidfile.patch \
|
file://nginx-fix-pidfile.patch \
|
||||||
file://0001-configure-libxslt-conf.patch \
|
file://0001-configure-libxslt-conf.patch \
|
||||||
|
file://CVE-2024-7347-1.patch \
|
||||||
|
file://CVE-2024-7347-2.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
inherit siteinfo update-rc.d useradd systemd
|
inherit siteinfo update-rc.d useradd systemd
|
||||||
|
|||||||
Reference in New Issue
Block a user