author | Maxim Dounin <mdounin@mdounin.ru> | 2022-06-07 21:58:52 +0300 |
---|---|---|
committer | Maxim Dounin <mdounin@mdounin.ru> | 2022-06-07 21:58:52 +0300 |
commit | 80fc2ddf57558ec43b94220ce2d3d88e2e470c75 (patch) | |
tree | c7312f07d2d6fe3e055dfd815e1f61f68843dc7f | |
parent | f08dbefadf083b8546423e35d8d12ba27e46efa8 (diff) | |
download | nginx-80fc2ddf57558ec43b94220ce2d3d88e2e470c75.tar.gz |
Mp4: fixed potential overflow in ngx_http_mp4_crop_stts_data().
Both "count" and "duration" variables are 32-bit, so their product might
potentially overflow. It is used to reduce 64-bit start_time variable,
and with very large start_time this can result in incorrect seeking.
Found by Coverity (CID 1499904).
-rw-r--r-- | src/http/modules/ngx_http_mp4_module.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c index 9c3f627fe..5721efbe6 100644 --- a/src/http/modules/ngx_http_mp4_module.c +++ b/src/http/modules/ngx_http_mp4_module.c @@ -2331,7 +2331,7 @@ ngx_http_mp4_crop_stts_data(ngx_http_mp4_file_t *mp4, } start_sample += count; - start_time -= count * duration; + start_time -= (uint64_t) count * duration; entries--; entry++; } |
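Review bot: The condition closed by the `}` just above `start_sample += count;` is outside this hunk; if it compares start_time against the same count * duration product, it needs the same 64-bit widening as the changed line, otherwise the guard and the subtraction can disagree for large values. In `start_time -= (uint64_t) count * duration;` the cast binds to count before the multiply, so the product is computed in 64 bits as the commit message intends. The accumulation on the context line `start_sample += count;` deserves the same check if start_sample is also 32-bit, since its type is not visible here.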