gstreamer1-plugins-bad-free/0003-av1parser-Fix-array-sizes-in-scalability-structure.patch
Wim Taymans 2500c13331 CVE-2023-40474: Integer overflow leading to heap overwrite in MXF
CVE-2023-40475: Integer overflow leading to heap overwrite in MXF
CVE-2023-40476: Integer overflow in H.265 video parser
ZDI-CAN-22300: buffer overflow vulnerability
Resolves: RHEL-19501, RHEL-19505, RHEL-19506, RHEL-20201
2024-01-17 15:21:26 +01:00

67 lines
3.2 KiB
Diff

From 0ded5a6d028ad40604093690c44eb022ef793531 Mon Sep 17 00:00:00 2001
From: Seungha Yang <seungha@centricular.com>
Date: Thu, 23 Nov 2023 20:24:42 +0900
Subject: [PATCH 3/4] av1parser: Fix array sizes in scalability structure
Since the AV1 specification is not explicitly mentioning about
the array size bounds, array sizes in scalability structure
should be defined as possible maximum sizes that can have.
Also, this commit removes GST_AV1_MAX_SPATIAL_LAYERS define from
public header which is API break but the define is misleading
and this patch is introducing ABI break already
ZDI-CAN-22300
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5824>
---
.../gst-libs/gst/codecparsers/gstav1parser.h | 11 +++++------
.../gst-plugins-bad/gst/videoparsers/gstav1parse.c | 2 +-
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
index a5f1c761f6..7d2ec69fb5 100644
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gstav1parser.h
@@ -71,9 +71,8 @@ G_BEGIN_DECLS
#define GST_AV1_MAX_TILE_COUNT 512
#define GST_AV1_MAX_OPERATING_POINTS \
(GST_AV1_MAX_NUM_TEMPORAL_LAYERS * GST_AV1_MAX_NUM_SPATIAL_LAYERS)
-#define GST_AV1_MAX_SPATIAL_LAYERS 2 /* correct? */
-#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 8 /* correct? */
-#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 8 /* correct? */
+#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 255
+#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 7
#define GST_AV1_MAX_NUM_Y_POINTS 16
#define GST_AV1_MAX_NUM_CB_POINTS 16
#define GST_AV1_MAX_NUM_CR_POINTS 16
@@ -968,9 +967,9 @@ struct _GstAV1MetadataScalability {
gboolean spatial_layer_dimensions_present_flag;
gboolean spatial_layer_description_present_flag;
gboolean temporal_group_description_present_flag;
- guint16 spatial_layer_max_width[GST_AV1_MAX_SPATIAL_LAYERS];
- guint16 spatial_layer_max_height[GST_AV1_MAX_SPATIAL_LAYERS];
- guint8 spatial_layer_ref_id[GST_AV1_MAX_SPATIAL_LAYERS];
+ guint16 spatial_layer_max_width[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+ guint16 spatial_layer_max_height[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+ guint8 spatial_layer_ref_id[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
guint8 temporal_group_size;
guint8 temporal_group_temporal_id[GST_AV1_MAX_TEMPORAL_GROUP_SIZE];
diff --git a/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c b/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
index 923bc5d70a..9eaa1f47d9 100644
--- a/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
+++ b/subprojects/gst-plugins-bad/gst/videoparsers/gstav1parse.c
@@ -1271,7 +1271,7 @@ gst_av1_parse_handle_sequence_obu (GstAV1Parse * self, GstAV1OBU * obu)
}
val = (self->parser->state.operating_point_idc >> 8) & 0x0f;
- for (i = 0; i < (1 << GST_AV1_MAX_SPATIAL_LAYERS); i++) {
+ for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++) {
if (val & (1 << i))
self->highest_spatial_id = i;
}
--
2.43.0