Compare commits

...

No commits in common. "c8" and "c8-beta" have entirely different histories.
c8 ... c8-beta

5 changed files with 1 additions and 506 deletions

View File

@ -1,97 +0,0 @@
From fba19d6c4975c1628ce47473a72b95e4e17992b4 Mon Sep 17 00:00:00 2001
From: Wim Taymans <wtaymans@redhat.com>
Date: Mon, 26 May 2025 15:42:55 +0200
Subject: [PATCH] h265parser: Fix max_dec_pic_buffering_minus1 bound check
Allowed max value is MaxDpbSize - 1
---
gst-libs/gst/codecparsers/gsth265parser.c | 32 ++++++++++++++++++++---
1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
index 2e8ef182b..200a06796 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
@@ -75,6 +75,8 @@
GST_DEBUG_CATEGORY_STATIC (h265_parser_debug);
#define GST_CAT_DEFAULT h265_parser_debug
+#define MAX_DPB_SIZE 16
+
static gboolean initialized = FALSE;
#define INITIALIZE_DEBUG_CATEGORY \
if (!initialized) { \
@@ -1506,7 +1508,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
for (i =
(vps->sub_layer_ordering_info_present_flag ? 0 :
vps->max_sub_layers_minus1); i <= vps->max_sub_layers_minus1; i++) {
- READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], G_MAXUINT32 - 1);
+ READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
READ_UE_MAX (&nr, vps->max_num_reorder_pics[i],
vps->max_dec_pic_buffering_minus1[i]);
READ_UE_MAX (&nr, vps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
@@ -1702,7 +1704,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
for (i =
(sps->sub_layer_ordering_info_present_flag ? 0 :
sps->max_sub_layers_minus1); i <= sps->max_sub_layers_minus1; i++) {
- READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], 16);
+ READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1);
READ_UE_MAX (&nr, sps->max_num_reorder_pics[i],
sps->max_dec_pic_buffering_minus1[i]);
READ_UE_MAX (&nr, sps->max_latency_increase_plus1[i], G_MAXUINT32 - 1);
@@ -2107,6 +2109,8 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
if ((nalu->type != GST_H265_NAL_SLICE_IDR_W_RADL)
&& (nalu->type != GST_H265_NAL_SLICE_IDR_N_LP)) {
+ const GstH265ShortTermRefPicSet *ref_pic_sets = NULL;
+
READ_UINT16 (&nr, slice->pic_order_cnt_lsb,
(sps->log2_max_pic_order_cnt_lsb_minus4 + 4));
@@ -2116,21 +2120,41 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
(&slice->short_term_ref_pic_sets, &nr,
sps->num_short_term_ref_pic_sets, sps))
goto error;
+ ref_pic_sets = &slice->short_term_ref_pic_sets;
} else if (sps->num_short_term_ref_pic_sets > 1) {
const guint n = ceil_log2 (sps->num_short_term_ref_pic_sets);
READ_UINT8 (&nr, slice->short_term_ref_pic_set_idx, n);
CHECK_ALLOWED_MAX (slice->short_term_ref_pic_set_idx,
sps->num_short_term_ref_pic_sets - 1);
+ ref_pic_sets =
+ &sps->short_term_ref_pic_set[slice->short_term_ref_pic_set_idx];
+ } else {
+ ref_pic_sets = &sps->short_term_ref_pic_set[0];
}
if (sps->long_term_ref_pics_present_flag) {
guint32 limit;
+ gint max_num_long_term_pics = 0;
- if (sps->num_long_term_ref_pics_sps > 0)
+ if (sps->num_long_term_ref_pics_sps > 0) {
READ_UE_MAX (&nr, slice->num_long_term_sps,
sps->num_long_term_ref_pics_sps);
+ }
+
+ /* Calculated upper bound num_long_term_pics can have. 7.4.7.1 */
+ max_num_long_term_pics =
+ /* sps_max_dec_pic_buffering_minus1[TemporalId], allowed max is
+ * MaxDpbSize - 1 */
+ MAX_DPB_SIZE - 1
+ - (gint) slice->num_long_term_sps
+ - (gint) ref_pic_sets->NumNegativePics
+ - (gint) ref_pic_sets->NumPositivePics;
+ if (max_num_long_term_pics < 0) {
+ GST_WARNING ("Invalid stream, too many reference pictures");
+ goto error;
+ }
- READ_UE_MAX (&nr, slice->num_long_term_pics, 16);
+ READ_UE_MAX (&nr, slice->num_long_term_pics, max_num_long_term_pics);
limit = slice->num_long_term_sps + slice->num_long_term_pics;
for (i = 0; i < limit; i++) {
if (i < slice->num_long_term_sps) {
--
2.49.0

View File

@ -1,237 +0,0 @@
From 64a0ffdc0bff2d55269c7e763824867d976506e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Sun, 14 Jun 2026 22:03:25 +0300
Subject: [PATCH] librfb: Validate framebuffer update rectangles against the
framebuffer size
Patch provided by Junyi Liu, who also reported this.
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5105
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11866>
---
gst/librfb/rfbdecoder.c | 136 +++++++++++++++++++++++++++++++++-------
1 file changed, 115 insertions(+), 21 deletions(-)
diff --git a/gst/librfb/rfbdecoder.c b/gst/librfb/rfbdecoder.c
index fa76331..efa3a84 100644
--- a/gst/librfb/rfbdecoder.c
+++ b/gst/librfb/rfbdecoder.c
@@ -45,6 +45,10 @@ static gboolean rfb_decoder_corre_encoding (RfbDecoder * decoder, gint start_x,
gint start_y, gint rect_w, gint rect_h);
static gboolean rfb_decoder_hextile_encoding (RfbDecoder * decoder,
gint start_x, gint start_y, gint rect_w, gint rect_h);
+static gboolean rfb_decoder_clip_rectangle (RfbDecoder * decoder, gint * x,
+ gint * y, gint * w, gint * h, gint * skip_x, gint * skip_y);
+static gboolean rfb_decoder_clip_copyrect (RfbDecoder * decoder, gint * dst_x,
+ gint * dst_y, gint * src_x, gint * src_y, gint * w, gint * h);
RfbDecoder *
rfb_decoder_new (void)
@@ -801,23 +805,20 @@ rfb_decoder_state_framebuffer_update_rectangle (RfbDecoder * decoder)
if (!rfb_decoder_read (decoder, 12))
return FALSE;
- x = RFB_GET_UINT16 (decoder->data + 0) - decoder->offset_x;
- y = RFB_GET_UINT16 (decoder->data + 2) - decoder->offset_y;
+ x = RFB_GET_UINT16 (decoder->data + 0);
+ y = RFB_GET_UINT16 (decoder->data + 2);
w = RFB_GET_UINT16 (decoder->data + 4);
h = RFB_GET_UINT16 (decoder->data + 6);
encoding = RFB_GET_UINT32 (decoder->data + 8);
+ x -= (gint) decoder->offset_x;
+ y -= (gint) decoder->offset_y;
+
GST_DEBUG ("update recieved");
GST_DEBUG ("x:%d y:%d", x, y);
GST_DEBUG ("w:%d h:%d", w, h);
GST_DEBUG ("encoding: %d", encoding);
- if (((w * h) + (x * y)) > (decoder->width * decoder->height)) {
- GST_ERROR ("Desktop resize is unsupported.");
- decoder->state = NULL;
- return TRUE;
- }
-
switch (encoding) {
case ENCODING_TYPE_RAW:
ret = rfb_decoder_raw_encoding (decoder, x, y, w, h);
@@ -856,11 +857,20 @@ static gboolean
rfb_decoder_raw_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
gint rect_w, gint rect_h)
{
- gint size;
+ gint copy_x, copy_y, copy_w, copy_h;
+ gint skip_x = 0, skip_y = 0;
+ guint32 size;
guint8 *frame, *p;
guint32 raw_line_size;
+ guint32 copy_line_size;
+
+ if (rect_w <= 0 || rect_h <= 0)
+ return TRUE;
raw_line_size = rect_w * decoder->bytespp;
+ if (rect_h > 0 && raw_line_size > G_MAXUINT32 / rect_h)
+ return FALSE;
+
size = rect_h * raw_line_size;
GST_DEBUG ("Reading %d bytes (%dx%d)", size, rect_w, rect_h);
@@ -868,13 +878,23 @@ rfb_decoder_raw_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
if (!rfb_decoder_read (decoder, size))
return FALSE;
+ copy_x = start_x;
+ copy_y = start_y;
+ copy_w = rect_w;
+ copy_h = rect_h;
+
+ if (!rfb_decoder_clip_rectangle (decoder, &copy_x, &copy_y, &copy_w, &copy_h,
+ &skip_x, &skip_y))
+ return TRUE;
+
frame =
- decoder->frame + (((start_y * decoder->rect_width) +
- start_x) * decoder->bytespp);
- p = decoder->data;
+ decoder->frame + (((copy_y * decoder->rect_width) +
+ copy_x) * decoder->bytespp);
+ p = decoder->data + (skip_y * raw_line_size) + (skip_x * decoder->bytespp);
+ copy_line_size = copy_w * decoder->bytespp;
- while (rect_h--) {
- memcpy (frame, p, raw_line_size);
+ while (copy_h--) {
+ memcpy (frame, p, copy_line_size);
p += raw_line_size;
frame += decoder->line_size;
}
@@ -886,7 +906,8 @@ static gboolean
rfb_decoder_copyrect_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
gint rect_w, gint rect_h)
{
- guint16 src_x, src_y;
+ gint src_x, src_y;
+ gint copy_x, copy_y, copy_w, copy_h;
gint line_width, copyrect_width;
guint8 *src, *dst;
@@ -894,20 +915,28 @@ rfb_decoder_copyrect_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
return FALSE;
/* don't forget the offset */
- src_x = RFB_GET_UINT16 (decoder->data) - decoder->offset_x;
- src_y = RFB_GET_UINT16 (decoder->data + 2) - decoder->offset_y;
+ src_x = RFB_GET_UINT16 (decoder->data) - (gint) decoder->offset_x;
+ src_y = RFB_GET_UINT16 (decoder->data + 2) - (gint) decoder->offset_y;
GST_DEBUG ("Copyrect from %d %d", src_x, src_y);
- copyrect_width = rect_w * decoder->bytespp;
+ copy_x = start_x;
+ copy_y = start_y;
+ copy_w = rect_w;
+ copy_h = rect_h;
+ if (!rfb_decoder_clip_copyrect (decoder, &copy_x, &copy_y, &src_x, &src_y,
+ &copy_w, &copy_h))
+ return TRUE;
+
+ copyrect_width = copy_w * decoder->bytespp;
line_width = decoder->line_size;
src =
decoder->prev_frame + ((src_y * decoder->rect_width) +
src_x) * decoder->bytespp;
dst =
- decoder->frame + ((start_y * decoder->rect_width) +
- start_x) * decoder->bytespp;
+ decoder->frame + ((copy_y * decoder->rect_width) +
+ copy_x) * decoder->bytespp;
- while (rect_h--) {
+ while (copy_h--) {
memcpy (dst, src, copyrect_width);
src += line_width;
dst += line_width;
@@ -925,6 +954,9 @@ rfb_decoder_fill_rectangle (RfbDecoder * decoder, gint x, gint y, gint w,
guint32 *offset;
gint i, j;
+ if (!rfb_decoder_clip_rectangle (decoder, &x, &y, &w, &h, NULL, NULL))
+ return;
+
for (i = 0; i < h; i++) {
offset =
(guint32 *) (decoder->frame + ((x + (y +
@@ -1100,6 +1132,68 @@ rfb_decoder_hextile_encoding (RfbDecoder * decoder, gint start_x, gint start_y,
return TRUE;
}
+static gboolean
+rfb_decoder_clip_rectangle (RfbDecoder * decoder, gint * x, gint * y, gint * w,
+ gint * h, gint * skip_x, gint * skip_y)
+{
+ gint x1, y1, x2, y2;
+ gint orig_x, orig_y;
+
+ if (*w <= 0 || *h <= 0)
+ return FALSE;
+
+ orig_x = *x;
+ orig_y = *y;
+ x1 = MAX (orig_x, 0);
+ y1 = MAX (orig_y, 0);
+ x2 = MIN (orig_x + *w, (gint) decoder->rect_width);
+ y2 = MIN (orig_y + *h, (gint) decoder->rect_height);
+
+ if (x2 <= x1 || y2 <= y1)
+ return FALSE;
+
+ *x = x1;
+ *y = y1;
+ *w = x2 - x1;
+ *h = y2 - y1;
+
+ if (skip_x)
+ *skip_x = x1 - orig_x;
+ if (skip_y)
+ *skip_y = y1 - orig_y;
+
+ return TRUE;
+}
+
+static gboolean
+rfb_decoder_clip_copyrect (RfbDecoder * decoder, gint * dst_x, gint * dst_y,
+ gint * src_x, gint * src_y, gint * w, gint * h)
+{
+ gint left, top, right, bottom;
+
+ if (*w <= 0 || *h <= 0)
+ return FALSE;
+
+ left = MAX (0, MAX (-*dst_x, -*src_x));
+ top = MAX (0, MAX (-*dst_y, -*src_y));
+ right = MIN (*w, MIN ((gint) decoder->rect_width - *dst_x,
+ (gint) decoder->rect_width - *src_x));
+ bottom = MIN (*h, MIN ((gint) decoder->rect_height - *dst_y,
+ (gint) decoder->rect_height - *src_y));
+
+ if (right <= left || bottom <= top)
+ return FALSE;
+
+ *dst_x += left;
+ *dst_y += top;
+ *src_x += left;
+ *src_y += top;
+ *w = right - left;
+ *h = bottom - top;
+
+ return TRUE;
+}
+
static gboolean
rfb_decoder_state_set_colour_map_entries (RfbDecoder * decoder)
{
--
2.52.0

View File

@ -1,42 +0,0 @@
From 8131f29e035f8b66d597a891a678b118d3158f29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Manuel=20J=C3=A1quez=20Leal?=
<vjaquez@igalia.com>
Date: Wed, 11 Feb 2026 22:07:49 +0100
Subject: [PATCH] libs: jpegparser: boundary checks before copying it
READ_BYTES macro reads data from a byte reader and then copy it to a storage
variable. This patch adds a validation that the length to read cannot be bigger
than the storage size.
This macro right now is used only for storage variables of guint8 arrays.
We have validated in the specification (sections F.1.2.1.2 and F.1.2.2.1 in ITU
T.81) that Huffman tables (both AC and DC) aren't bigger than 256.
Fixes SA-2026-0003, CVE-2026-3082, ZDI-CAN-28840.
Fixes: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4899>
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/10885>
---
gst-libs/gst/codecparsers/gstjpegparser.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/gst-libs/gst/codecparsers/gstjpegparser.c b/gst-libs/gst/codecparsers/gstjpegparser.c
index 64110763f..86125b374 100644
--- a/gst-libs/gst/codecparsers/gstjpegparser.c
+++ b/gst-libs/gst/codecparsers/gstjpegparser.c
@@ -79,6 +79,10 @@ ensure_debug_category (void)
#define READ_BYTES(reader, buf, length) G_STMT_START { \
const guint8 *vals; \
+ if (length > sizeof (buf)) { \
+ GST_WARNING ("data size is bigger than its storage"); \
+ goto failed; \
+ } \
if (!gst_byte_reader_get_data (reader, length, &vals)) { \
GST_WARNING ("failed to read bytes, size:%d", length); \
goto failed; \
--
2.53.0

View File

@ -1,102 +0,0 @@
From 7087e0683b53a10492d9b7cc0bbfd7876a333e06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 16 Jun 2026 10:30:54 +0300
Subject: [PATCH] vnmdec: Avoid integer overflows when rectangle positions and
sizes
Patch based on a patch by Junyi Liu, who also reported this.
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5107
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/11869>
---
gst/vmnc/vmncdec.c | 40 ++++++++++++++++++++++++++++++++--------
1 file changed, 32 insertions(+), 8 deletions(-)
diff --git a/gst/vmnc/vmncdec.c b/gst/vmnc/vmncdec.c
index cbbaeb6..fe26d47 100644
--- a/gst/vmnc/vmncdec.c
+++ b/gst/vmnc/vmncdec.c
@@ -153,6 +153,20 @@ struct RfbRectangle
typedef int (*rectangle_handler) (GstVMncDec * dec, struct RfbRectangle * rect,
const guint8 * data, int len, gboolean decode);
+static gboolean
+vmnc_rect_payload_size (struct RfbRectangle *rect, guint bytes_per_pixel,
+ gsize * size)
+{
+ gsize pixels;
+
+ if (!g_size_checked_mul (&pixels, rect->width, rect->height))
+ return FALSE;
+ if (!g_size_checked_mul (size, pixels, bytes_per_pixel))
+ return FALSE;
+
+ return TRUE;
+}
+
static int
vmnc_handle_wmvi_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
const guint8 * data, int len, gboolean decode)
@@ -393,7 +407,8 @@ vmnc_handle_wmvd_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
{
/* Cursor data. */
int datalen = 2;
- int type, size;
+ int type;
+ gsize size;
if (len < datalen) {
GST_LOG_OBJECT (dec, "Cursor data too short");
@@ -403,9 +418,19 @@ vmnc_handle_wmvd_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
type = RFB_GET_UINT8 (data);
if (type == CURSOR_COLOUR) {
- datalen += rect->width * rect->height * dec->format.bytes_per_pixel * 2;
+ if (!vmnc_rect_payload_size (rect, dec->format.bytes_per_pixel, &size) ||
+ size > ((gsize) G_MAXINT - datalen) / 2) {
+ GST_WARNING_OBJECT (dec, "Cursor data size overflow");
+ return ERROR_INVALID;
+ }
+ datalen += size * 2;
} else if (type == CURSOR_ALPHA) {
- datalen += rect->width * rect->height * 4;
+ if (!vmnc_rect_payload_size (rect, 4, &size) ||
+ size > (gsize) G_MAXINT - datalen) {
+ GST_WARNING_OBJECT (dec, "Cursor data size overflow");
+ return ERROR_INVALID;
+ }
+ datalen += size;
} else {
GST_WARNING_OBJECT (dec, "Unknown cursor type: %d", type);
return ERROR_INVALID;
@@ -420,22 +445,21 @@ vmnc_handle_wmvd_rectangle (GstVMncDec * dec, struct RfbRectangle *rect,
dec->cursor.type = type;
dec->cursor.width = rect->width;
dec->cursor.height = rect->height;
- dec->cursor.type = type;
dec->cursor.hot_x = rect->x;
dec->cursor.hot_y = rect->y;
g_free (dec->cursor.cursordata);
g_free (dec->cursor.cursormask);
- if (type == 0) {
- size = rect->width * rect->height * dec->format.bytes_per_pixel;
+ if (type == CURSOR_COLOUR) {
dec->cursor.cursordata = g_malloc (size);
dec->cursor.cursormask = g_malloc (size);
memcpy (dec->cursor.cursordata, data + 2, size);
memcpy (dec->cursor.cursormask, data + 2 + size, size);
} else {
- dec->cursor.cursordata = g_malloc (rect->width * rect->height * 4);
- memcpy (dec->cursor.cursordata, data + 2, rect->width * rect->height * 4);
+ dec->cursor.cursordata = g_malloc (size);
+ memcpy (dec->cursor.cursordata, data + 2, size);
+ dec->cursor.cursormask = NULL;
}
return datalen;
--
2.52.0

View File

@ -14,7 +14,7 @@
Name: gstreamer1-plugins-bad-free
Version: 1.16.1
Release: 8%{?gitcommit:.git%{shortcommit}}%{?dist}
Release: 4%{?gitcommit:.git%{shortcommit}}%{?dist}
Summary: GStreamer streaming media framework "bad" plugins
License: LGPLv2+ and LGPLv2
@ -36,12 +36,6 @@ Patch0: 0001-mxfdemux-Store-GstMXFDemuxEssenceTrack-in-their-own-.patch
Patch1: 0003-mxfdemux-Fix-integer-overflow-causing-out-of-bounds-.patch
Patch2: 0004-mxfdemux-Check-number-of-channels-for-AES3-audio.patch
Patch3: 0005-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
Patch4: 0001-h265parser-Fix-max_dec_pic_buffering_minus1-bound-ch.patch
Patch5: 0001-libs-jpegparser-boundary-checks-before-copying-it.patch
# https://github.com/GStreamer/gstreamer/commit/6c146775d784bbe91ff7afc6701ba351306282ce
Patch6: 0001-vnmdec-Avoid-integer-overflows-when-rectangle-positi.patch
# https://github.com/GStreamer/gstreamer/commit/f3b66928a194b32b27fac3c3379d3d20e5966442
Patch7: 0001-librfb-Validate-framebuffer-update-rectangles-agains.patch
BuildRequires: gstreamer1-devel >= %{version}
BuildRequires: gstreamer1-plugins-base-devel >= %{version}
@ -198,10 +192,6 @@ aren't tested well enough, or the code is not of good enough quality.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build
%configure --disable-silent-rules --disable-fatal-warnings \
@ -490,23 +480,6 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -fv {} ';'
%changelog
* Wed Jul 08 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 1.16.1-8
- Fix for CVE-2026-52720: librfb framebuffer update rectangle
validation
Resolves: RHEL-184455
* Mon Jun 22 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 1.16.1-7
- Fix integer overflow in vmncdec (CVE-2026-52722)
Resolves: RHEL-184414
* Tue Mar 31 2026 Wim Taymans <wtaymans@redhat.com> - 1.16.1-6
- Add patch for CVE-2026-3082
Resolves: RHEL-156202
* Mon May 26 2025 Wim Taymans <wtaymans@redhat.com> - 1.16.1-5
- fix for CVE-2025-3887
Resolves: RHEL-93051
* Wed Jan 17 2024 Wim Taymans <wtaymans@redhat.com> - 1.16.1-4
- Patch CVE-2023-40474: Integer overflow
- Patch CVE-2023-40475: Integer overflow