43 lines
1.8 KiB
Diff
43 lines
1.8 KiB
Diff
From 6780451f22c87e926ebf60fe55e1a9e10517f6d1 Mon Sep 17 00:00:00 2001
|
|
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
|
|
Date: Wed, 9 Aug 2023 12:49:19 -0400
|
|
Subject: [PATCH 4/4] h265parser: Fix possible overflow using
|
|
max_sub_layers_minus1
|
|
|
|
This fixes a possible overflow that can be triggered by an invalid value of
|
|
max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
|
|
but the allowed range is 0 to 6 only.
|
|
|
|
Fixes ZDI-CAN-21768, CVE-2023-40476
|
|
|
|
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
|
|
|
|
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
|
|
---
|
|
.../gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
|
|
index fe775a86cd..44b723737a 100644
|
|
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
|
|
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
|
|
@@ -1845,6 +1845,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
|
|
|
|
READ_UINT8 (&nr, vps->max_layers_minus1, 6);
|
|
READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
|
|
+ CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
|
|
READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
|
|
|
|
/* skip reserved_0xffff_16bits */
|
|
@@ -2015,6 +2016,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
|
|
READ_UINT8 (&nr, sps->vps_id, 4);
|
|
|
|
READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
|
|
+ CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
|
|
READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
|
|
|
|
if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
|
|
--
|
|
2.43.0
|
|
|