2500c13331
CVE-2023-40475: Integer overflow leading to heap overwrite in MXF CVE-2023-40476: Integer overflow in H.265 video parser ZDI-CAN-22300: buffer overflow vulnerability Resolves: RHEL-19501, RHEL-19505, RHEL-19506, RHEL-20201
From 0ded5a6d028ad40604093690c44eb022ef793531 Mon Sep 17 00:00:00 2001
From: Seungha Yang <seungha@centricular.com>
Date: Thu, 23 Nov 2023 20:24:42 +0900
Subject: [PATCH 3/4] av1parser: Fix array sizes in scalability structure
Since the AV1 specification is not explicitly mentioning about
the array size bounds, array sizes in scalability structure
should be defined as possible maximum sizes that can have.
Also, this commit removes GST_AV1_MAX_SPATIAL_LAYERS define from
public header which is API break but the define is misleading
and this patch is introducing ABI break already
ZDI-CAN-22300
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5824>
---
.../gst-libs/gst/codecparsers/gstav1parser.h | 11 +++++------
.../gst-plugins-bad/gst/videoparsers/gstav1parse.c | 2 +-
2 files changed, 6 insertions(+), 7 deletions(-)
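diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
index a5f1c761f6..7d2ec69fb5 100644
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
@@ -71,9 +71,8 @@ G_BEGIN_DECLS
 #define GST_AV1_MAX_TILE_COUNT 512
 #define GST_AV1_MAX_OPERATING_POINTS \
 (GST_AV1_MAX_NUM_TEMPORAL_LAYERS * GST_AV1_MAX_NUM_SPATIAL_LAYERS)
-#define GST_AV1_MAX_SPATIAL_LAYERS 2 /* correct? */
-#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 8 /* correct? */
-#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 8 /* correct? */
+#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 255
+#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 7
 #define GST_AV1_MAX_NUM_Y_POINTS 16
 #define GST_AV1_MAX_NUM_CB_POINTS 16
 #define GST_AV1_MAX_NUM_CR_POINTS 16
@@ -968,9 +967,9 @@ struct _GstAV1MetadataScalability {
 gboolean spatial_layer_dimensions_present_flag;
 gboolean spatial_layer_description_present_flag;
 gboolean temporal_group_description_present_flag;
- guint16 spatial_layer_max_width[GST_AV1_MAX_SPATIAL_LAYERS];
- guint16 spatial_layer_max_height[GST_AV1_MAX_SPATIAL_LAYERS];
- guint8 spatial_layer_ref_id[GST_AV1_MAX_SPATIAL_LAYERS];
+ guint16 spatial_layer_max_width[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+ guint16 spatial_layer_max_height[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+ guint8 spatial_layer_ref_id[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
 guint8 temporal_group_size;
 
 guint8 temporal_group_temporal_id[GST_AV1_MAX_TEMPORAL_GROUP_SIZE];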
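Review bot: The two new limits in the first hunk, `GST_AV1_MAX_TEMPORAL_GROUP_SIZE 255` and `GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 7`, replace the old `/* correct? */` markers with bare numbers and no statement of where they come from. They appear to be the largest values the AV1 syntax can encode (an 8-bit temporal_group_size and a 3-bit temporal_group_ref_cnt), so comments such as `/* temporal_group_size is f(8): at most 255 entries */` and `/* temporal_group_ref_cnt is f(3): at most 7 references */` would record that each array bound is tied to a field width. The parser code that fills these arrays is not part of this patch, so whether it also checks the parsed counts against these defines cannot be confirmed from here. An explicit check at the point of parsing would keep the arrays in `_GstAV1MetadataScalability` safe if a field width or a define ever changes.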
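diff --git a/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c b/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
index 923bc5d70a..9eaa1f47d9 100644
--- a/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
+++ b/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
@@ -1271,7 +1271,7 @@ gst_av1_parse_handle_sequence_obu (GstAV1Parse * self, GstAV1OBU * obu)
 }
 
 val = (self->parser->state.operating_point_idc >> 8) & 0x0f;
- for (i = 0; i < (1 << GST_AV1_MAX_SPATIAL_LAYERS); i++) {
+ for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++) {
 if (val & (1 << i))
 self->highest_spatial_id = i;
 }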
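Review bot: The loop bound in gst_av1_parse_handle_sequence_obu now comes from `GST_AV1_MAX_NUM_SPATIAL_LAYERS`, but the mask on the line above is still the literal `0x0f`, so the number of bits kept in `val` and the number of bits tested can drift apart. Deriving the mask from the same constant keeps the two coupled: `val = (self->parser->state.operating_point_idc >> 8) & ((1 << GST_AV1_MAX_NUM_SPATIAL_LAYERS) - 1);`. The loop also leaves `self->highest_spatial_id` untouched when `val` is zero. Whether it is initialised earlier is not visible, because the function starts and ends outside the hunk.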
--
2.43.0