From c9fdd20b198a8ba3d3f8d1ed597a3a564cb7a965 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Wed, 28 Aug 2024 08:20:05 +0800
Subject: [PATCH] fix CVE-2024-7347
(cherry picked from commit db6d103bba765a0537411f1ae8ad762f0c68bd42)
---
 backport-CVE-2024-7347.patch | 43 ++++++++++++++++++++++++++++++++++++
 nginx.spec | 7 +++++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-7347.patch
diff --git a/backport-CVE-2024-7347.patch b/backport-CVE-2024-7347.patch
new file mode 100644
index 0000000..d4e44c8
--- /dev/null
+++ b/backport-CVE-2024-7347.patch
@@ -0,0 +1,43 @@
+diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
+--- a/src/http/modules/ngx_http_mp4_module.c
++++ b/src/http/modules/ngx_http_mp4_module.c
+@@ -3099,7 +3099,8 @@ static ngx_int_t
+ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
+ ngx_http_mp4_trak_t *trak, ngx_uint_t start)
+ {
+- uint32_t start_sample, chunk, samples, id, next_chunk, n,
++ uint64_t n;
++ uint32_t start_sample, chunk, samples, id, next_chunk,
+ prev_samples;
+ ngx_buf_t *data, *buf;
+ ngx_uint_t entries, target_chunk, chunk_samples;
+@@ -3155,12 +3156,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4
+
+ next_chunk = ngx_mp4_get_32value(entry->chunk);
+
++ if (next_chunk < chunk) {
++ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
++ "unordered mp4 stsc chunks in \"%s\"",
++ mp4->file.name.data);
++ return NGX_ERROR;
++ }
++
+ ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
+ "sample:%uD, chunk:%uD, chunks:%uD, "
+ "samples:%uD, id:%uD",
+ start_sample, chunk, next_chunk - chunk, samples, id);
+
+- n = (next_chunk - chunk) * samples;
++ n = (uint64_t) (next_chunk - chunk) * samples;
+
+ if (start_sample < n) {
+ goto found;
+@@ -3182,7 +3190,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4
+ "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
+ start_sample, chunk, next_chunk - chunk, samples);
+
+- n = (next_chunk - chunk) * samples;
++ n = (uint64_t) (next_chunk - chunk) * samples;
+
+ if (start_sample > n) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
diff --git a/nginx.spec b/nginx.spec
index 1e4948c..61a7e87 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -17,7 +17,7 @@ Name: nginx
 Epoch: 1
 Version: 1.21.5
-Release: 6
+Release: 7
 Summary: A HTTP server, reverse proxy and mail proxy server
 License: BSD
 URL: http://nginx.org/
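Review bot: In backport-CVE-2024-7347.patch, the second `n = (uint64_t) (next_chunk - chunk) * samples;` (inner hunk at -3182/+3190) still subtracts in 32 bits before the cast widens the result, and no ordering check is visible in front of it, unlike the `if (next_chunk < chunk)` guard added before the first computation. `next_chunk` is assigned outside the hunk at that point, so this is inferred, but if it can be smaller than `chunk` for the final stsc run the difference wraps, `n` becomes very large, and the following `if (start_sample > n)` bounds check no longer rejects the file. Consider repeating the same `if (next_chunk < chunk)` rejection (log the error and `return NGX_ERROR;`) immediately before that line, or confirm against the full function that the final run is already known to be ordered. The body of ngx_http_mp4_crop_stsc_data continues outside all three inner hunks.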
@@ -41,6 +41,8 @@ Patch1: nginx-1.12.1-logs-perm.patch
 Patch2: nginx-fix-pidfile.patch
 Patch3: backport-CVE-2022-41742_CVE-2022-41741.patch
 Patch4: backport-CVE-2023-44487.patch
+# https://nginx.org/download/patch.2024.mp4.txt
+Patch5: backport-CVE-2024-7347.patch
 BuildRequires: gcc openssl-devel pcre2-devel zlib-devel systemd gperftools-devel
 Requires: nginx-filesystem = %{epoch}:%{version}-%{release} openssl
@@ -389,6 +391,9 @@ fi
 %{_mandir}/man8/nginx.8*
 %changelog
+* Thu Aug 15 2024 Funda Wang - 1:1.21.5-7
+- fix CVE-2024-7347
+
 * Thu Oct 19 2023 yanglu - 1:1.21.5-6
 - fix CVE-2023-44487
-- 
Gitee