Hello! On Thu, Aug 22, 2024 at 11:19:58PM -0500, skull-squadron wrote:
> # HG changeset patch
> # User skull-squadron <[email protected]>
> # Date 1724385465 18000
> #      Thu Aug 22 22:57:45 2024 -0500
> # Node ID 045b92ed3e5a79153363cdae44278eb149fee6c2
> # Parent  cf73b65983c2d093f5b6651f8b45b9973a68e9f5
> MP4 32-bit chunk size buffer overrun fix per the corporatists (CVE-2024-7347
> 2024-08-14)

[...]

I've recently posted a better patch, see here:

https://freenginx.org/pipermail/nginx-devel/2024-August/000474.html

Please take a look if it works for you.

As for the changes committed into F5 NGINX and the CVE assigned, here are some thoughts, in no particular order:

- There are two clearly distinct issues here. If at all, CVE numbers should be assigned to both of them.

- The real issues happen elsewhere. And, following existing array access sanity checks, it might be a better idea to actually check the array element is within the array just before access, and avoid any assumptions about mp4-derived data. That is what the patch referenced above does.

- While adding sanity checks in stsc atom handling might be beneficial, they shouldn't be relied upon. And there are other similar places to consider, such as potential overflows during stts atom handling, which can result in arbitrary trak->start_sample and trak->end_sample values. Similarly, there are other data issues to consider as well, such as chunks with zero samples per chunk in stsc atoms.

Hope this helps.

-- 
Maxim Dounin
http://mdounin.ru/
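As an added illustration of the checks discussed in the message above (this is standalone example code, not nginx's code and not the patch linked in the message): a C function that maps a sample number to its chunk from a simplified stsc table, rejecting entries with zero samples per chunk, keeping the running sample count in 64 bits so it cannot wrap, treating the incoming sample number as untrusted rather than assuming it lies inside the table, and bounds-checking the resulting chunk index against the chunk table immediately before it is returned for use. The struct layout, function name and sample table are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stsc entry (not nginx's representation): a run of
 * chunks starting at first_chunk (1-based, as in MP4), each holding
 * samples_per_chunk samples. */
typedef struct {
    uint32_t first_chunk;
    uint32_t samples_per_chunk;
} stsc_entry_t;

/* Map a 0-based sample number to a 0-based chunk index, given an stsc table
 * of n entries and a chunk offset table (stco/co64) of nchunks entries.
 * Every file-derived value is validated before it is used as a divisor or
 * an index; any inconsistency returns -1 rather than a guessed index. */
int64_t mp4_sample_to_chunk(const stsc_entry_t *stsc, size_t n,
                            uint32_t nchunks, uint64_t sample)
{
    uint64_t base = 0;  /* first sample of the current run; 64-bit so the sum cannot wrap */

    for (size_t i = 0; i < n; i++) {
        uint32_t first = stsc[i].first_chunk;
        uint32_t spc = stsc[i].samples_per_chunk;
        /* chunk 0 does not exist; zero samples per chunk covers no samples
         * and would divide by zero below */
        if (first == 0 || first > nchunks || spc == 0) return -1;
        /* the last run extends to the end of the chunk table; runs must be
         * strictly increasing so a run never has negative length */
        uint64_t next = (i + 1 < n) ? stsc[i + 1].first_chunk
                                    : (uint64_t) nchunks + 1;
        if (next <= first || next > (uint64_t) nchunks + 1) return -1;
        uint64_t run_samples = (next - first) * (uint64_t) spc;  /* < 2^64 */
        if (sample - base < run_samples) {
            uint64_t chunk = (first - 1) + (sample - base) / spc;
            if (chunk >= nchunks) return -1;  /* bounds check right before use */
            return (int64_t) chunk;
        }
        if (run_samples > UINT64_MAX - base) return -1;  /* running sum would wrap */
        base += run_samples;
    }
    return -1;  /* sample lies past the last run: reject, do not extrapolate */
}

/* Constructed sample table: chunks 1-2 hold 2 samples each, chunks 3-4 hold 1. */
static const stsc_entry_t sample_stsc[] = { { 1, 2 }, { 3, 1 } };
static const uint32_t sample_nchunks = 4;
```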
