[PATCH] Try to mitigate asan failures.
author Tobias Frost <tobi@debian.org>
Mon, 12 Dec 2022 13:03:12 +0000 (14:03 +0100)
committer Tobias Frost <tobi@debian.org>
Tue, 24 Jan 2023 21:39:16 +0000 (21:39 +0000)
See #345 for my analysis and details…

(This PR is just for discussion.)

(The CVE references are obtained from the Debian security tracker,
which links the issues.)

This makes the following POCs stop failing:

- poc3 (#337)
- poc7-1 (#341) CVE-2022-43239 (note: does NOT fix poc7-2)
- poc8-2, poc8-3, poc8-4 (#342) CVE-2022-43244   (note: does NOT fix poc8-1)
- poc11-1, poc11-2 (#345) CVE-2022-43249
- poc12 (#346)
- poc13 (#347) CVE-2022-43252
- poc16 (#350)

Gbp-Pq: Name reject_reference_pics_from_different_sps.patch

libde265/motion.cc

index 95221581ae902d51fde1fb8fb8669e5ebdbb36ce..9a52c57e9e3f8458b4fcf0760f8514e426c3b257 100644 (file)
@@ -349,7 +349,17 @@ void generate_inter_prediction_samples(base_context* ctx,
 
       logtrace(LogMotion, "refIdx: %d -> dpb[%d]\n", vi->refIdx[l], shdr->RefPicList[l][vi->refIdx[l]]);
 
-      if (refPic->PicState == UnusedForReference) {
+      if (refPic) {
+          auto nonconst_refPic = const_cast<de265_image*>(refPic); /* shared_ptr.get() chokes on const.*/
+          auto refsps = nonconst_refPic->get_shared_sps().get();
+          auto imgsps = img->get_shared_sps().get();
+          if(refsps != imgsps) {
+              // rejecting reference image created with different sps.
+              refPic = nullptr;
+          }
+      }
+
+      if (!refPic || refPic->PicState == UnusedForReference) {
         img->integrity = INTEGRITY_DECODING_ERRORS;
         ctx->add_warning(DE265_WARNING_NONEXISTING_REFERENCE_PICTURE_ACCESSED, false);
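Review bot: the `const_cast<de265_image*>(refPic)` with the comment "shared_ptr.get() chokes on const" is misleading and worth cleaning up before this leaves the discussion stage: `std::shared_ptr::get()` is itself a const member, so the cast is only needed because `get_shared_sps()` is a non-const member of `de265_image`. Rather than casting away constness at the call site, add a const overload (or a `const`-qualified accessor returning the raw pointer) so the comparison can be written as `refPic->get_shared_sps().get() != img->get_shared_sps().get()` without the cast and without the inaccurate comment. Two further points on the same hunk: the comparison is by pointer identity, so if a re-sent SPS NAL with identical content produces a new parameter-set object, every still-valid reference picture decoded under the earlier object will be rejected as well; it would be good to state in the comment whether that is intended, or to compare by SPS id/content instead. And the mismatch case is folded into `DE265_WARNING_NONEXISTING_REFERENCE_PICTURE_ACCESSED` with `refPic = nullptr`, which makes the "different SPS" rejection indistinguishable from a genuinely missing reference in the warning stream; at minimum add a `logtrace(LogMotion, ...)` on the rejection path so the condition can be diagnosed when one of the remaining POCs (poc7-2, poc8-1 per the commit message) is investigated.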