mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
9310c3b1a4
Pick patch from [1] which mentioned in debian report with [2] [1] https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018 [2] https://security-tracker.debian.org/tracker/CVE-2026-27784 More details: https://nvd.nist.gov/vuln/detail/CVE-2026-27784 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
89 lines
4.3 KiB
Diff
89 lines
4.3 KiB
Diff
From b23ac73b00313d159a99636c21ef71b828781018 Mon Sep 17 00:00:00 2001
|
|
From: Roman Arutyunyan <arut@nginx.com>
|
|
Date: Mon, 2 Mar 2026 21:12:34 +0400
|
|
Subject: [PATCH] Mp4: fixed possible integer overflow on 32-bit platforms.
|
|
|
|
Previously, a 32-bit overflow could happen while validating atom entries
|
|
count. This allowed processing of an invalid atom with entrires beyond
|
|
its boundaries with reads and writes outside of the allocated mp4 buffer.
|
|
|
|
Reported by Prabhav Srinath (sprabhav7).
|
|
|
|
CVE: CVE-2026-27784
|
|
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/b23ac73b00313d159a99636c21ef71b828781018]
|
|
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
|
---
|
|
src/http/modules/ngx_http_mp4_module.c | 14 +++++++-------
|
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
|
|
index 041ad26..a7f8be7 100644
|
|
--- a/src/http/modules/ngx_http_mp4_module.c
|
|
+++ b/src/http/modules/ngx_http_mp4_module.c
|
|
@@ -2294,7 +2294,7 @@ ngx_http_mp4_read_stts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
|
"mp4 time-to-sample entries:%uD", entries);
|
|
|
|
if (ngx_mp4_atom_data_size(ngx_mp4_stts_atom_t)
|
|
- + entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
|
|
+ + (uint64_t) entries * sizeof(ngx_mp4_stts_entry_t) > atom_data_size)
|
|
{
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"\"%s\" mp4 stts atom too small", mp4->file.name.data);
|
|
@@ -2597,7 +2597,7 @@ ngx_http_mp4_read_stss_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
|
atom->last = atom_table;
|
|
|
|
if (ngx_mp4_atom_data_size(ngx_http_mp4_stss_atom_t)
|
|
- + entries * sizeof(uint32_t) > atom_data_size)
|
|
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
|
|
{
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"\"%s\" mp4 stss atom too small", mp4->file.name.data);
|
|
@@ -2802,7 +2802,7 @@ ngx_http_mp4_read_ctts_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
|
atom->last = atom_table;
|
|
|
|
if (ngx_mp4_atom_data_size(ngx_mp4_ctts_atom_t)
|
|
- + entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
|
|
+ + (uint64_t) entries * sizeof(ngx_mp4_ctts_entry_t) > atom_data_size)
|
|
{
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"\"%s\" mp4 ctts atom too small", mp4->file.name.data);
|
|
@@ -2984,7 +2984,7 @@ ngx_http_mp4_read_stsc_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
|
"sample-to-chunk entries:%uD", entries);
|
|
|
|
if (ngx_mp4_atom_data_size(ngx_mp4_stsc_atom_t)
|
|
- + entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
|
|
+ + (uint64_t) entries * sizeof(ngx_mp4_stsc_entry_t) > atom_data_size)
|
|
{
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"\"%s\" mp4 stsc atom too small", mp4->file.name.data);
|
|
@@ -3362,7 +3362,7 @@ ngx_http_mp4_read_stsz_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
|
|
|
if (size == 0) {
|
|
if (ngx_mp4_atom_data_size(ngx_mp4_stsz_atom_t)
|
|
- + entries * sizeof(uint32_t) > atom_data_size)
|
|
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
|
|
{
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"\"%s\" mp4 stsz atom too small",
|
|
@@ -3521,7 +3521,7 @@ ngx_http_mp4_read_stco_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
|
|
|
|
if (ngx_mp4_atom_data_size(ngx_mp4_stco_atom_t)
|
|
- + entries * sizeof(uint32_t) > atom_data_size)
|
|
+ + (uint64_t) entries * sizeof(uint32_t) > atom_data_size)
|
|
{
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"\"%s\" mp4 stco atom too small", mp4->file.name.data);
|
|
@@ -3737,7 +3737,7 @@ ngx_http_mp4_read_co64_atom(ngx_http_mp4_file_t *mp4, uint64_t atom_data_size)
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, "chunks:%uD", entries);
|
|
|
|
if (ngx_mp4_atom_data_size(ngx_mp4_co64_atom_t)
|
|
- + entries * sizeof(uint64_t) > atom_data_size)
|
|
+ + (uint64_t) entries * sizeof(uint64_t) > atom_data_size)
|
|
{
|
|
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
|
"\"%s\" mp4 co64 atom too small", mp4->file.name.data);
|
|
--
|
|
2.50.1
|
|
|