-
Notifications
You must be signed in to change notification settings - Fork 734
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
nginx: Backport fix for CVE-2024-7347
Upstream-Status: Backport [nginx/nginx@88955b1 and nginx/nginx@7362d01] Signed-off-by: Ashish Sharma <[email protected]> Signed-off-by: Armin Kuster <[email protected]>
- Loading branch information
Showing
3 changed files
with
88 additions
and
0 deletions.
There are no files selected for viewing
34 changes: 34 additions & 0 deletions
34
meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-1.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| From 88955b1044ef38315b77ad1a509d63631a790a0f Mon Sep 17 00:00:00 2001 | ||
| From: Roman Arutyunyan <[email protected]> | ||
| Date: Mon, 12 Aug 2024 18:20:45 +0400 | ||
| Subject: [PATCH] Mp4: rejecting unordered chunks in stsc atom. | ||
|
|
||
| Unordered chunks could result in trak->end_chunk smaller than trak->start_chunk | ||
| in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stco_atom() | ||
| this caused buffer overread while trying to calculate trak->end_offset. | ||
|
|
||
| CVE: CVE-2024-7347 | ||
| Upstream-Status: Backport [https://github.com/nginx/nginx/commit/88955b1044ef38315b77ad1a509d63631a790a0f] | ||
| Signed-off-by: Ashish Sharma <[email protected]> | ||
|
|
||
| src/http/modules/ngx_http_mp4_module.c | 7 +++++++ | ||
| 1 file changed, 7 insertions(+) | ||
|
|
||
| diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c | ||
| index 1cd017c274..041ad263b5 100644 | ||
| --- a/src/http/modules/ngx_http_mp4_module.c | ||
| +++ b/src/http/modules/ngx_http_mp4_module.c | ||
| @@ -3156,6 +3156,13 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
|
|
||
| next_chunk = ngx_mp4_get_32value(entry->chunk); | ||
|
|
||
| + if (next_chunk < chunk) { | ||
| + ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, | ||
| + "unordered mp4 stsc chunks in \"%s\"", | ||
| + mp4->file.name.data); | ||
| + return NGX_ERROR; | ||
| + } | ||
| + | ||
| ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0, | ||
| "sample:%uD, chunk:%uD, chunks:%uD, " | ||
| "samples:%uD, id:%uD", |
52 changes: 52 additions & 0 deletions
52
meta-webserver/recipes-httpd/nginx/files/CVE-2024-7347-2.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| From 7362d01658b61184108c21278443910da68f93b4 Mon Sep 17 00:00:00 2001 | ||
| From: Roman Arutyunyan <[email protected]> | ||
| Date: Mon, 12 Aug 2024 18:20:43 +0400 | ||
| Subject: [PATCH] Mp4: fixed buffer underread while updating stsz atom. | ||
|
|
||
| While cropping an stsc atom in ngx_http_mp4_crop_stsc_data(), a 32-bit integer | ||
| overflow could happen, which could result in incorrect seeking and a very large | ||
| value stored in "samples". This resulted in a large invalid value of | ||
| trak->end_chunk_samples. This value is further used to calculate the value of | ||
| trak->end_chunk_samples_size in ngx_http_mp4_update_stsz_atom(). While doing | ||
| this, a large invalid value of trak->end_chunk_samples could result in reading | ||
| memory before stsz atom start. This could potentially result in a segfault. | ||
|
|
||
| CVE: CVE-2024-7347 | ||
| Upstream-Status: Backport [https://github.com/nginx/nginx/commit/7362d01658b61184108c21278443910da68f93b4] | ||
| Signed-off-by: Ashish Sharma <[email protected]> | ||
|
|
||
| src/http/modules/ngx_http_mp4_module.c | 7 ++++--- | ||
| 1 file changed, 4 insertions(+), 3 deletions(-) | ||
|
|
||
| diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c | ||
| index 03175dea21..1cd017c274 100644 | ||
| --- a/src/http/modules/ngx_http_mp4_module.c | ||
| +++ b/src/http/modules/ngx_http_mp4_module.c | ||
| @@ -3099,7 +3099,8 @@ static ngx_int_t | ||
| ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
| ngx_http_mp4_trak_t *trak, ngx_uint_t start) | ||
| { | ||
| - uint32_t start_sample, chunk, samples, id, next_chunk, n, | ||
| + uint64_t n; | ||
| + uint32_t start_sample, chunk, samples, id, next_chunk, | ||
| prev_samples; | ||
| ngx_buf_t *data, *buf; | ||
| ngx_uint_t entries, target_chunk, chunk_samples; | ||
| @@ -3160,7 +3161,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
| "samples:%uD, id:%uD", | ||
| start_sample, chunk, next_chunk - chunk, samples, id); | ||
|
|
||
| - n = (next_chunk - chunk) * samples; | ||
| + n = (uint64_t) (next_chunk - chunk) * samples; | ||
|
|
||
| if (start_sample < n) { | ||
| goto found; | ||
| @@ -3182,7 +3183,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4, | ||
| "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD", | ||
| start_sample, chunk, next_chunk - chunk, samples); | ||
|
|
||
| - n = (next_chunk - chunk) * samples; | ||
| + n = (uint64_t) (next_chunk - chunk) * samples; | ||
|
|
||
| if (start_sample > n) { | ||
| ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters