CVE-2021-30014_CVE-2021-30020_CVE-2021-30022
authorDebian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Thu, 19 Aug 2021 22:03:29 +0000 (23:03 +0100)
committerMoritz Mühlenhoff <jmm@debian.org>
Thu, 19 Aug 2021 22:03:29 +0000 (23:03 +0100)
Backport of

From 51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 Mon Sep 17 00:00:00 2001
From: jeanlf <jeanlf@gpac.io>
Date: Mon, 29 Mar 2021 09:34:02 +0200
Subject: [PATCH] add safety in avc/hevc/vvc sps/pps/vps ID check - cf #1720
 #1721 #1722

Gbp-Pq: Name CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch

src/media_tools/av_parsers.c

index 3d7520f0c9760d39574883712833d38e791020f9..6fb3d6f8d517eabf65f70fcaeaf10a9358bd2081 100644 (file)
@@ -5012,10 +5012,7 @@ static s32 gf_media_avc_read_sps_bs_internal(GF_BitStream *bs, AVCState *avc, u3
        by subset SPS. According to the SVC standard, subset SPS can have the same sps_id
        than its base layer, but it does not refer to the same SPS. */
        sps_id = gf_bs_get_ue(bs) + GF_SVC_SSPS_ID_SHIFT * subseq_sps;
-       if (sps_id >= 32) {
-               return -1;
-       }
-       if (sps_id < 0) {
+       if ((sps_id < 0) || (sps_id >= 32)) {
                return -1;
        }
 
@@ -5342,7 +5339,7 @@ static s32 gf_media_avc_read_pps_bs_internal(GF_BitStream *bs, AVCState *avc, u3
                /*nal_hdr = */gf_bs_read_u8(bs);
        }
        pps_id = gf_bs_get_ue(bs);
-       if (pps_id >= 255) {
+       if ((pps_id<0) || (pps_id >= 255)) {
                return -1;
        }
        pps = &avc->pps[pps_id];
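Review bot: The upper limit in `if ((pps_id<0) || (pps_id >= 255))` is a bare literal guarding the `avc->pps[pps_id]` access on the following line, so the check and the array declaration can drift apart without any compiler diagnostic. Assuming `pps` is a fixed-size array member of AVCState (its declaration is outside this diff), the bound could be derived from it, e.g. `(sizeof(avc->pps) / sizeof(avc->pps[0]))`, or from a named constant shared with the declaration. The same applies to the literal 32 in the two sps_id checks, the 64 in hevc_parse_slice_segment and the 16 in both vps_id checks. The body of gf_media_avc_read_pps_bs_internal continues outside this hunk.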
@@ -5350,7 +5347,7 @@ static s32 gf_media_avc_read_pps_bs_internal(GF_BitStream *bs, AVCState *avc, u3
 
        if (!pps->status) pps->status = 1;
        pps->sps_id = gf_bs_get_ue(bs);
-       if (pps->sps_id >= 32) {
+       if ((pps->sps_id<0) || (pps->sps_id >= 32)) {
                pps->sps_id = 0;
                return -1;
        }
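Review bot: The rejection path `pps->sps_id = 0; return -1;` runs after `if (!pps->status) pps->status = 1;`, so a PPS whose SPS reference was refused stays marked with a non-zero status and now points at SPS 0. If later code treats that status as "parsed", it may pair this PPS with an SPS the stream never validly referenced. Reading into a local and committing only on success would avoid the half-initialised entry, e.g. `s32 sps_id = gf_bs_get_ue(bs); if ((sps_id < 0) || (sps_id >= 32)) return -1;`, followed by the writes to `pps->status` and `pps->sps_id`. How callers consume `status` is not visible in this hunk, so that should be confirmed before changing it.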
@@ -6595,7 +6592,7 @@ s32 hevc_parse_slice_segment(GF_BitStream *bs, HEVCState *hevc, HEVCSliceInfo *s
        }
 
        pps_id = gf_bs_get_ue(bs);
-       if (pps_id >= 64)
+       if ((pps_id<0) || (pps_id >= 64))
                return -1;
 
        pps = &hevc->pps[pps_id];
@@ -7409,7 +7406,7 @@ static s32 gf_media_hevc_read_vps_bs_internal(GF_BitStream *bs, HEVCState *hevc,
        //nalu header already parsed
        vps_id = gf_bs_read_int(bs, 4);
 
-       if (vps_id >= 16) return -1;
+       if ((vps_id<0) || (vps_id >= 16)) return -1;
 
        vps = &hevc->vps[vps_id];
        vps->bit_pos_vps_extensions = -1;
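Review bot: `vps_id` is filled from `gf_bs_read_int(bs, 4)`, so if that call returns only the four bits it was asked for, the value is already confined to 0..15 and neither arm of `if ((vps_id<0) || (vps_id >= 16))` can fire. A short comment such as `/* defensive only: a 4-bit read should already keep vps_id in range */` would tell maintainers that this check is defence in depth rather than the effective bound on `hevc->vps[vps_id]`. The same holds for the vps_id check in gf_media_hevc_read_sps_bs_internal in the next hunk. The return type and range of gf_bs_read_int are not shown here, so this is inferred from the call alone.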
@@ -7637,7 +7634,7 @@ static s32 gf_media_hevc_read_sps_bs_internal(GF_BitStream *bs, HEVCState *hevc,
 
        //nalu header already parsed
        vps_id = gf_bs_read_int(bs, 4);
-       if (vps_id >= 16) {
+       if ((vps_id<0) || (vps_id >= 16)) {
                return -1;
        }
        memset(&ptl, 0, sizeof(ptl));