fix CVE-2024-7347

(cherry picked from commit db6d103bba765a0537411f1ae8ad762f0c68bd42)
2024-08-28 08:20:05 +08:00 · 2024-08-28 08:20:05 +08:00 · 5bd5a6792f
commit 5bd5a6792f
parent d04ce73cf2
2 changed files with 49 additions and 1 deletions
--- a/backport-CVE-2024-7347.patch
+++ b/backport-CVE-2024-7347.patch
@ -0,0 +1,43 @@
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3099,7 +3099,8 @@ static ngx_int_t
+ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+     ngx_http_mp4_trak_t *trak, ngx_uint_t start)
+ {
+-    uint32_t               start_sample, chunk, samples, id, next_chunk, n,
+    uint64_t               n;
+    uint32_t               start_sample, chunk, samples, id, next_chunk,
+                            prev_samples;
+     ngx_buf_t             *data, *buf;
+     ngx_uint_t             entries, target_chunk, chunk_samples;
+@@ -3155,12 +3156,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4
+ 
+         next_chunk = ngx_mp4_get_32value(entry->chunk);
+ 
+        if (next_chunk < chunk) {
+            ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                          "unordered mp4 stsc chunks in \"%s\"",
+                          mp4->file.name.data);
+            return NGX_ERROR;
+        }
+
+         ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
+                        "sample:%uD, chunk:%uD, chunks:%uD, "
+                        "samples:%uD, id:%uD",
+                        start_sample, chunk, next_chunk - chunk, samples, id);
+ 
+-        n = (next_chunk - chunk) * samples;
+        n = (uint64_t) (next_chunk - chunk) * samples;
+ 
+         if (start_sample < n) {
+             goto found;
+@@ -3182,7 +3190,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4
+                    "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
+                    start_sample, chunk, next_chunk - chunk, samples);
+ 
+-    n = (next_chunk - chunk) * samples;
+    n = (uint64_t) (next_chunk - chunk) * samples;
+ 
+     if (start_sample > n) {
+         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
--- a/nginx.spec
+++ b/nginx.spec
@ -17,7 +17,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.21.5
-Release:           6
+Release:           7
 Summary:           A HTTP server, reverse proxy and mail proxy server
 License:           BSD
 URL:               http://nginx.org/
@ -41,6 +41,8 @@ Patch1:            nginx-1.12.1-logs-perm.patch
 Patch2:            nginx-fix-pidfile.patch
 Patch3:            backport-CVE-2022-41742_CVE-2022-41741.patch
 Patch4:            backport-CVE-2023-44487.patch
+# https://nginx.org/download/patch.2024.mp4.txt
+Patch5:            backport-CVE-2024-7347.patch

 BuildRequires:     gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel
 Requires:          nginx-filesystem = %{epoch}:%{version}-%{release} openssl
@ -389,6 +391,9 @@ fi
 %{_mandir}/man8/nginx.8*

 %changelog
+* Thu Aug 15 2024 Funda Wang <fundawang@yeah.net> - 1:1.21.5-7
+- fix CVE-2024-7347
+
 * Thu Oct 19 2023 yanglu <yanglu72@h-partners.com> - 1:1.21.5-6
 - fix CVE-2023-44487