fix size_t overflow when pos_align is larger than filesize, it causes…

… buffer_size is set to negative number, mall() will fail and coredump
whatvn · May 27, 2015 · 344538d · 344538d
1 parent 1518ab3
commit 344538d
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/config b/config
@@ -1,5 +1,6 @@
-CORE_LIBS="$CORE_LIBS -lswresample -lavformat -lavcodec -lavutil -lavcodec -lavfilter -lrt -lswscale -lz -lm -lbz2 -lfdk-aac -lx264"
+CORE_LIBS="$CORE_LIBS -I /data/include -L /data/lib -lswresample -lavformat -lavcodec -lavutil -lavcodec -lavresample -lavfilter -lrt -lswscale -lz -lm -lbz2 -lfdk-aac
+    /data/lib/libavcodec.a  /data/lib/libavdevice.a  /data/lib/libavfilter.a  /data/lib/libavformat.a  /data/lib/libavresample.a  /data/lib/libavutil.a  /data/lib/libpostproc.a  /data/lib/libswresample.a  /data/lib/libswscale.a /data/lib/libx264.a /data/lib/libfdk-aac.a"
 ngx_addon_name=ngx_http_estreaming_module
 HTTP_AUX_FILTER_MODULES="$HTTP_AUX_FILTER_MODULES ngx_http_estreaming_module"
 CFLAGS="$CFLAGS -ggdb -D_DEBUG -D_LARGEFILE_SOURCE"
-NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/src/ngx_http_estreaming_module.c"
+NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/src/ngx_http_estreaming_module.c"
diff --git a/src/mp4_io.h b/src/mp4_io.h
@@ -638,6 +638,9 @@ static ngx_int_t mp4_read(mp4_context_t *mp4_context, u_char **buffer, size_t si
     if(pos != pos_align) mp4_context->buffer_size += 4096;
 
     if(pos_align + (off_t)mp4_context->buffer_size > mp4_context->filesize) {
+        if(mp4_context->buffer_size - pos_align < 0) {
+            return NGX_ERROR;
+        }
         mp4_context->buffer_size = (size_t)(mp4_context->filesize - pos_align);
     }
 
@@ -765,7 +768,6 @@ static void mp4_context_exit(struct mp4_context_t *mp4_context) {
 static mp4_context_t *mp4_open(ngx_http_request_t *r, ngx_file_t *file, int64_t filesize, mp4_open_flags flags) {
   mp4_context_t *mp4_context = mp4_context_init(r, file, filesize);
   if(!mp4_context) return 0;
-
   while(!mp4_context->moov_atom.size_ || !mp4_context->mdat_atom.size_) {
     struct mp4_atom_t leaf_atom;
 

diff --git a/src/ngx_http_adaptive_streaming.h b/src/ngx_http_adaptive_streaming.h
@@ -801,4 +801,14 @@ int ngx_estreaming_adaptive_bitrate(ngx_http_request_t *req, ngx_chain_t *chain,
     //        av_freep(exchange_area_read);
     //    }
     return ret ? 1 : 0;
-}
+}
+
+//static ngx_str_t *ngx_http_estreaming_create_str(ngx_http_request_t *req, uint len) {
+//    ngx_str_t *aux = (ngx_str_t *) ngx_pcalloc(req->pool, sizeof(ngx_str_t) + len + 1);
+//    if (aux != NULL) {
+//        aux->data = (u_char *) (aux + 1);
+//        aux->len = len;
+//        ngx_memset(aux->data, '\0', len + 1);
+//    }
+//    return aux;
+//}