Merge commit 'b744819abaa570b0f21ee245765861bc35b92ee2' into dev

src/deps/src/nginx/.hgtags

@@ -479,3 +479,4 @@ f8134640e8615448205785cf00b0bc810489b495 release-1.25.1
 173a0a7dbce569adbb70257c6ec4f0f6bc585009 release-1.25.4
 8618e4d900cc71082fbe7dc72af087937d64faf5 release-1.25.5
 a58202a8c41bf0bd97eef1b946e13105a105520d release-1.26.0
+a63c124e34bcf2d1d1feb8d40ff075103b967c4c release-1.26.1

src/deps/src/nginx/docs/xml/nginx/changes.xml

@@ -5,6 +5,24 @@
 <change_log title="nginx">
 
 
+<changes ver="1.26.2" date="2024-08-14">
+
+<change type="security">
+<para lang="ru">
+обработка специально созданного mp4-файла модулем ngx_http_mp4_module
+могла приводить к падению рабочего процесса (CVE-2024-7347).<br/>
+Спасибо Nils Bars.
+</para>
+<para lang="en">
+processing of a specially crafted mp4 file by the ngx_http_mp4_module
+might cause a worker process crash (CVE-2024-7347).<br/>
+Thanks to Nils Bars.
+</para>
+</change>
+
+</changes>
+
+
 <changes ver="1.26.1" date="2024-05-29">
 
 <change type="security">
@@ -39,12 +57,12 @@ if "gzip", "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
 <change type="bugfix">
 <para lang="ru">
 nginx не собирался gcc 14,
-если использовался параметр --with-atomic.<br/>
+если использовался параметр --with-libatomic.<br/>
 Спасибо Edgar Bonet.
 </para>
 <para lang="en">
 nginx could not be built by gcc 14
-if the --with-atomic option was used.<br/>
+if the --with-libatomic option was used.<br/>
 Thanks to Edgar Bonet.
 </para>
 </change>

src/deps/src/nginx/misc/GNUmakefile

@@ -6,7 +6,7 @@ TEMP =		tmp
 
 CC =		cl
 OBJS =		objs.msvc8
-OPENSSL =	openssl-3.0.13
+OPENSSL =	openssl-3.0.14
 ZLIB =		zlib-1.3.1
 PCRE =		pcre2-10.39
 

src/deps/src/nginx/src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1026001
-#define NGINX_VERSION      "1.26.1"
+#define nginx_version      1026002
+#define NGINX_VERSION      "1.26.2"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

src/deps/src/nginx/src/http/modules/ngx_http_mp4_module.c

@@ -3099,7 +3099,8 @@ static ngx_int_t
 ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
     ngx_http_mp4_trak_t *trak, ngx_uint_t start)
 {
-    uint32_t               start_sample, chunk, samples, id, next_chunk, n,
+    uint64_t               n;
+    uint32_t               start_sample, chunk, samples, id, next_chunk,
                            prev_samples;
     ngx_buf_t             *data, *buf;
     ngx_uint_t             entries, target_chunk, chunk_samples;
@@ -3155,12 +3156,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
 
         next_chunk = ngx_mp4_get_32value(entry->chunk);
 
+        if (next_chunk < chunk) {
+            ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+                          "unordered mp4 stsc chunks in \"%s\"",
+                          mp4->file.name.data);
+            return NGX_ERROR;
+        }
+
         ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
                        "sample:%uD, chunk:%uD, chunks:%uD, "
                        "samples:%uD, id:%uD",
                        start_sample, chunk, next_chunk - chunk, samples, id);
 
-        n = (next_chunk - chunk) * samples;
+        n = (uint64_t) (next_chunk - chunk) * samples;
 
         if (start_sample < n) {
             goto found;
@@ -3182,7 +3190,7 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
                    "sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
                    start_sample, chunk, next_chunk - chunk, samples);
 
-    n = (next_chunk - chunk) * samples;
+    n = (uint64_t) (next_chunk - chunk) * samples;
 
     if (start_sample > n) {
         ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,