* Non-maintainer upload by the LTS Security Team.
* Source-only upload. (Last upload was accidentially a binary-upload)
[dgit import unpatched libde265 1.0.3-1+deb10u3]
--- /dev/null
--- /dev/null
++include:
++ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
++
++variables:
++ RELEASE: 'buster'
++ SALSA_CI_COMPONENTS: 'main contrib non-free'
++ SALSA_CI_DISABLE_REPROTEST: 1
++ SALSA_CI_DISABLE_LINTIAN: 1
--- /dev/null
--- /dev/null
++libde265 (1.0.3-1+deb10u3) buster-security; urgency=medium
++
++ * Non-maintainer upload by the LTS Security Team.
++ * Source-only upload. (Last upload was accidentially a binary-upload)
++
++ -- Tobias Frost <tobi@debian.org> Tue, 24 Jan 2023 22:39:16 +0100
++
++libde265 (1.0.3-1+deb10u2) buster-security; urgency=medium
++
++ * Non-maintainer upload by the LTS Security Team.
++ * Add patches:
++ - reject_reference_pics_from_different_sps.patch
++ - use_sps_from_the_image.patch
++ - recycle_sps_if_possible.patch
++ * Cherry-pick additional patches from upstream:
++ check-4-negative-Q-value.patch
++ CVE-2022-43245-fix-asan-wildpointer-apply_sao_internal.patch
++ * Add patch "fix-invalid-memory-access.patch" to avoid out-of-bound
++ array access leading to crashes.
++ * Add patch CVE-2020-21596-global-buffer-overflow.patch
++ * Add patch to avoid use-after-free problems.
++ * Cumulative, the patches are fixing:
++ CVE-2020-21596, CVE-2020-21597, CVE-2020-21598, CVE-2022-43235,
++ CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, CVE-2022-43239,
++ CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, CVE-2022-43243,
++ CVE-2022-43244, CVE-2022-43245, CVE-2022-43248, CVE-2022-43249,
++ CVE-2022-43250, CVE-2022-43252, CVE-2022-43253, CVE-2022-47655.
++ (Closes: #1029357, #1029397, #1025816, #1027179)
++ * Amend changelog of 1.0.3-1+deb10u1, as it turned out that the
++ fix for CVE 2020-51999 and CVE 2021-36408 fixed other issues too.
++
++ -- Tobias Frost <tobi@debian.org> Tue, 24 Jan 2023 21:42:47 +0100
++
++libde265 (1.0.3-1+deb10u1) buster-security; urgency=medium
++
++ * Non-maintainer upload by the LTS Security Team.
++ * Cherry-pick upstream patches for:
++ - CVE-2020-21599 (Closes #1014999)
++ - CVE-2021-35452, CVE-2021-36408, CVE-2021-36409, CVE-2021-36410 and
++ CVE-2021-36411 (Closes: #1014977)
++ * The fix for CVE-2020-21599 also fixed:
++ CVE-2020-21595, CVE-2020-21600, CVE-2020-21601, CVE-2020-21602,
++ CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606
++ * The fix for CVE-2021-36408 also fixed:
++ CVE-2020-21597, CVE-2020-21598. (Closes: #1004963)
++
++ -- Tobias Frost <tobi@debian.org> Thu, 15 Dec 2022 17:40:12 +0100
++
++libde265 (1.0.3-1) unstable; urgency=medium
++
++ [ Ondřej Nový ]
++ * d/copyright: Use https protocol in Format field
++ * d/control: Set Vcs-* to salsa.debian.org
++
++ [ Felipe Sateler ]
++ * Change maintainer address to debian-multimedia@lists.debian.org
++
++ [ Joachim Bauch ]
++ * Imported Upstream version 1.0.3
++ * Update patches for new upstream version.
++ * Update symbols for new upstream version.
++ * Update standards version and switch to debhelper 10.
++
++ -- Joachim Bauch <bauch@struktur.de> Thu, 19 Apr 2018 11:44:40 +0200
++
++libde265 (1.0.2-2) unstable; urgency=low
++
++ [ Joachim Bauch ]
++ * Added patch by Andreas Cadhalpun to fix compilation with FFmpeg 2.9
++ (Closes: #803834)
++ * Updated symbols file for new C++11 symbols.
++
++ [ Sebastian Ramacher ]
++ * Migrate to automatic dbg packages.
++ * debian/control: Remove some unnecessary Build-Depends.
++
++ -- Joachim Bauch <bauch@struktur.de> Mon, 11 Jan 2016 19:12:19 +0100
++
++libde265 (1.0.2-1) unstable; urgency=low
++
++ * Imported Upstream version 1.0.2
++ * Added new files to copyright information.
++ * Only export decoder API and update symbols for new version.
++
++ -- Joachim Bauch <bauch@struktur.de> Thu, 16 Jul 2015 11:07:46 +0200
++
++libde265 (0.9-1) unstable; urgency=low
++
++ * Updated symbols to make all "std::vector" symbols optional.
++ * Imported Upstream version 0.9
++ * Removed deprecated patch to update symbols visibility. Changes were
++ applied upstream.
++ * Upstream supports compiling against Qt5, prefer that over Qt4.
++ * Added new symbols from new upstream release.
++
++ -- Joachim Bauch <bauch@struktur.de> Tue, 16 Sep 2014 18:47:14 +0200
++
++libde265 (0.8-1) unstable; urgency=low
++
++ * Initial release. (Closes: #744190)
++
++ -- Joachim Bauch <bauch@struktur.de> Fri, 08 Aug 2014 17:23:37 +0200
--- /dev/null
--- /dev/null
++10
--- /dev/null
--- /dev/null
++Source: libde265
++Section: libs
++Priority: optional
++Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
++Uploaders:
++ Alessio Treglia <alessio@debian.org>,
++ Joachim Bauch <bauch@struktur.de>
++Build-Depends:
++ debhelper (>= 10),
++ libjpeg-dev,
++ libpng-dev,
++ qtbase5-dev | libqt4-dev,
++ libsdl-dev,
++ libswscale-dev,
++ libx11-dev,
++ libxext-dev,
++ libxv-dev,
++ pkg-config
++Standards-Version: 4.1.3
++Homepage: https://github.com/strukturag/libde265
++Vcs-Git: https://salsa.debian.org/multimedia-team/libde265.git
++Vcs-Browser: https://salsa.debian.org/multimedia-team/libde265
++
++Package: libde265-0
++Architecture: any
++Multi-Arch: same
++Depends:
++ ${misc:Depends},
++ ${shlibs:Depends}
++Description: Open H.265 video codec implementation
++ libde265 is an open source implementation of the H.265 video codec.
++ It is written from scratch in plain C for simplicity and efficiency.
++ Its simple API makes it easy to integrate it into other software.
++
++Package: libde265-dev
++Section: libdevel
++Multi-Arch: same
++Architecture: any
++Depends:
++ libde265-0 (= ${binary:Version}),
++ ${misc:Depends}
++Description: Open H.265 video codec implementation - development files
++ libde265 is an open source implementation of the H.265 video codec.
++ It is written from scratch in plain C for simplicity and efficiency.
++ Its simple API makes it easy to integrate it into other software.
++ .
++ The development headers for compiling programs that use libde265
++ are provided by this package.
++
++Package: libde265-examples
++Section: video
++Architecture: any
++Depends:
++ libde265-0 (= ${binary:Version}),
++ ${misc:Depends},
++ ${shlibs:Depends}
++Description: Open H.265 video codec implementation - examples
++ libde265 is an open source implementation of the H.265 video codec.
++ It is written from scratch in plain C for simplicity and efficiency.
++ Its simple API makes it easy to integrate it into other software.
++ .
++ Sample applications using libde265 are provided by this package.
--- /dev/null
--- /dev/null
++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
++Upstream-Name: libde265
++Upstream-Contact: struktur AG <opensource@struktur.de>
++Source: https://github.com/strukturag/libde265
++
++Files: *
++Copyright:
++ 2013-2014 struktur AG, Dirk Farin <farin@struktur.de>
++ 2013 openHEVC contributors
++License: LGPL-3+
++
++Files: dec265/dec265.cc
++ dec265/hdrcopy.cc
++ dec265/sdl.cc
++ dec265/sdl.hh
++ enc265/enc265.cc
++ sherlock265/VideoDecoder.cc
++ sherlock265/VideoDecoder.hh
++ sherlock265/VideoPlayer.cc
++ sherlock265/VideoPlayer.hh
++ sherlock265/VideoWidget.cc
++ sherlock265/VideoWidget.hh
++ sherlock265/sherlock265.cc
++ tools/bjoentegaard.cc
++ tools/block-rate-estim.cc
++ tools/gen-entropy-table.cc
++ tools/rd-curves.cc
++ tools/tests.cc
++ tools/yuv-distortion.cc
++Copyright:
++ 2013-2014 struktur AG, Dirk Farin <farin@struktur.de>
++ 2013-2014 struktur AG, Joachim Bauch <bauch@struktur.de>
++ 1998-2013 Free Software Foundation, Inc
++License: GPL-3+
++Comment: Please note that only the sample applications are GPL-3+ while
++ the decoding library itself is licensed as LGPL-3+.
++
++Files: extra/getopt.c
++ extra/getopt.h
++ extra/getopt_long.c
++Copyright: 1987-1996 The Regents of the University of California
++License: BSD-4-clause
++
++Files: libde265/md5.cc
++ libde265/md5.h
++Copyright: No copyright holder
++License: public-domain-1
++ This software was written by Alexander Peslyak in 2001. No copyright is
++ claimed, and the software is hereby placed in the public domain.
++ In case this attempt to disclaim copyright and place the software in the
++ public domain is deemed null and void, then the software is
++ Copyright (c) 2001 Alexander Peslyak and it is hereby released to the
++ general public under the following terms:
++ .
++ Redistribution and use in source and binary forms, with or without
++ modification, are permitted.
++ .
++ There's ABSOLUTELY NO WARRANTY, express or implied.
++ .
++ (This is a heavily cut-down "BSD license".)
++ .
++ This differs from Colin Plumb's older public domain implementation in that
++ no exactly 32-bit integer data type is required (any 32-bit or wider
++ unsigned integer data type will do), there's no compile-time endianness
++ configuration, and the function prototypes match OpenSSL's. No code from
++ Colin Plumb's implementation has been reused; this comment merely compares
++ the properties of the two independent implementations.
++ .
++ The primary goals of this implementation are portability and ease of use.
++ It is meant to be fast, but not as fast as possible. Some known
++ optimizations are not included to reduce source code size and avoid
++ compile-time configuration.
++
++Files: extra/stdint.h
++Copyright: No copyright holder
++License: public-domain-2
++ ISO C9x 7.18 Integer types <stdint.h>
++ Based on ISO/IEC SC22/WG14 9899 Committee draft (SC22 N2794)
++ .
++ THIS SOFTWARE IS NOT COPYRIGHTED
++ .
++ Contributor: Danny Smith <danny_r_smith_2001@yahoo.co.nz>
++ .
++ This source code is offered for use in the public domain. You may
++ use, modify or distribute it freely.
++ .
++ This code is distributed in the hope that it will be useful but
++ WITHOUT ANY WARRANTY. ALL WARRANTIES, EXPRESS OR IMPLIED ARE HEREBY
++ DISCLAIMED. This includes but is not limited to warranties of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
++ .
++ Date: 2000-12-02
++
++Files: extra/win32cond.c
++ extra/win32cond.h
++Copyright:
++ 1993-2009 Douglas C. Schmidt and his research group at
++ Washington University, University of California, Irvine, and
++ Vanderbilt University
++License: other-1
++ ACE(TM), TAO(TM), CIAO(TM), DAnCE>(TM), and CoSMIC(TM) (henceforth
++ referred to as "DOC software") are copyrighted by Douglas C. Schmidt
++ and his research group at Washington University, University of California,
++ Irvine, and Vanderbilt University, Copyright (c) 1993-2009, all rights
++ reserved.
++ .
++ Since DOC software is open-source, freely available software, you are free
++ to use, modify, copy, and distribute--perpetually and irrevocably--the DOC
++ software source code and object code produced from the source, as well as
++ copy and distribute modified versions of this software. You must, however,
++ include this copyright statement along with any code built using DOC
++ software that you release.
++ .
++ No copyright statement needs to be provided if you just ship binary
++ executables of your software products.
++ .
++ See "Strategies for Implementing POSIX Condition Variables on Win32" at
++ http://www.cs.wustl.edu/~schmidt/win32-cv-1.html
++
++Files: debian/*
++Copyright:
++ 2014 Joachim Bauch <jojo@struktur.de>
++ 2014 Alessio Treglia <alessio@debian.org>
++License: LGPL-3+
++
++License: GPL-3+
++ This program is free software: you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation, either version 3 of the License, or
++ (at your option) any later version.
++ .
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++ .
++ On Debian systems the complete text of the GNU General Public License
++ can be found in the `/usr/share/common-licenses/GPL-3' file.
++ .
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++License: LGPL-3+
++ This program is free software: you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation, either version 3 of the License, or
++ (at your option) any later version.
++ .
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++ .
++ On Debian systems the complete text of the GNU Lesser General Public
++ License can be found in the `/usr/share/common-licenses/LGPL-3' file.
++ .
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++
++License: BSD-4-clause
++ Copyright (c) 1987, 1993, 1994
++ The Regents of the University of California. All rights reserved.
++ .
++ Redistribution and use in source and binary forms, with or without
++ modification, are permitted provided that the following conditions
++ are met:
++ 1. Redistributions of source code must retain the above copyright
++ notice, this list of conditions and the following disclaimer.
++ 2. Redistributions in binary form must reproduce the above copyright
++ notice, this list of conditions and the following disclaimer in the
++ documentation and/or other materials provided with the distribution.
++ 3. All advertising materials mentioning features or use of this software
++ must display the following acknowledgement:
++ This product includes software developed by the University of
++ California, Berkeley and its contributors.
++ 4. Neither the name of the University nor the names of its contributors
++ may be used to endorse or promote products derived from this software
++ without specific prior written permission.
++ .
++ THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
++ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
++ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ SUCH DAMAGE.
--- /dev/null
--- /dev/null
++usr/lib/*/*.so.*
--- /dev/null
--- /dev/null
++libde265.so.0 libde265-0 #MINVER#
++ (optional|c++|regex)"^std::_Sp_counted_base<.*@Base$" 1.0.2
++ (optional|c++|regex)"^std::_Sp_counted_ptr<.*@Base$" 1.0.3
++ (optional|c++|regex)"^std::__cxx11::basic_string<.*@Base$" 1.0.2
++ (optional|c++|regex)"^std::__cxx11::basic_stringbuf<.*@Base$" 1.0.2
++ (optional|c++|regex)"^std::vector<.*@Base$" 1.0.2
++ (optional|c++|regex)"^typeinfo for std::.*@Base$" 1.0.2
++ (optional|c++|regex)"^typeinfo name for std::.*@Base$" 1.0.2
++ (optional|c++|regex)"^void std::vector<.*@Base$" 1.0.2
++ (optional=only used internally by dec265|c++)"MSE(unsigned char const*, int, unsigned char const*, int, int, int)@Base" 1.0.2
++ (optional=only used internally by dec265|c++)"PSNR(double)@Base" 1.0.2
++ (optional=only used by the non-final encoder api)de265_alloc_image_plane@Base 1.0.2
++ de265_change_framerate@Base 0.8
++ de265_decode@Base 0.8
++ de265_decode_data@Base 0.8
++ de265_disable_logging@Base 0.8
++ de265_flush_data@Base 0.8
++ de265_free@Base 0.8
++ de265_free_decoder@Base 0.8
++ (optional=only used by the non-final encoder api)de265_free_image_plane@Base 1.0.2
++ de265_get_bits_per_pixel@Base 1.0.2
++ de265_get_chroma_format@Base 0.8
++ de265_get_current_TID@Base 0.8
++ de265_get_default_image_allocation_functions@Base 0.8
++ de265_get_error_text@Base 0.8
++ de265_get_highest_TID@Base 0.8
++ de265_get_image_NAL_header@Base 0.8
++ de265_get_image_PTS@Base 0.8
++ de265_get_image_height@Base 0.8
++ de265_get_image_plane@Base 0.8
++ de265_get_image_plane_user_data@Base 0.8
++ de265_get_image_user_data@Base 0.8
++ de265_get_image_width@Base 0.8
++ de265_get_next_picture@Base 0.8
++ de265_get_number_of_NAL_units_pending@Base 0.8
++ de265_get_number_of_input_bytes_pending@Base 0.8
++ de265_get_parameter_bool@Base 0.8
++ de265_get_version@Base 0.8
++ de265_get_version_number@Base 0.8
++ de265_get_version_number_maintenance@Base 1.0.2
++ de265_get_version_number_major@Base 1.0.2
++ de265_get_version_number_minor@Base 1.0.2
++ de265_get_warning@Base 0.8
++ de265_init@Base 0.8
++ de265_isOK@Base 0.8
++ de265_new_decoder@Base 0.8
++ de265_peek_next_picture@Base 0.8
++ de265_push_NAL@Base 0.8
++ de265_push_data@Base 0.8
++ de265_push_end_of_NAL@Base 0.8
++ de265_push_end_of_frame@Base 0.9
++ de265_release_next_picture@Base 0.8
++ de265_reset@Base 0.8
++ de265_set_framerate_ratio@Base 0.8
++ de265_set_image_allocation_functions@Base 0.8
++ de265_set_image_plane@Base 0.8
++ de265_set_image_user_data@Base 0.9
++ de265_set_limit_TID@Base 0.8
++ de265_set_parameter_bool@Base 0.8
++ de265_set_parameter_int@Base 0.8
++ de265_set_verbosity@Base 0.8
++ de265_start_worker_threads@Base 0.8
++ (optional=only used internally by sherlock265)draw_CB_grid@Base 0.8
++ (optional=only used internally by sherlock265)draw_Motion@Base 0.8
++ (optional=only used internally by sherlock265)draw_PB_grid@Base 0.8
++ (optional=only used internally by sherlock265)draw_PB_pred_modes@Base 0.8
++ (optional=only used internally by sherlock265)draw_QuantPY@Base 0.8
++ (optional=only used internally by sherlock265)draw_Slices@Base 0.8
++ (optional=only used internally by sherlock265)draw_TB_grid@Base 0.8
++ (optional=only used internally by sherlock265)draw_Tiles@Base 0.8
++ (optional=only used internally by sherlock265)draw_intra_pred_modes@Base 0.8
++ (optional=only used by the non-final encoder api|regex)en265_.*@Base 1.0.2
--- /dev/null
--- /dev/null
++README.md
--- /dev/null
--- /dev/null
++usr/include/*
++usr/lib/*/*.so
++usr/lib/*/pkgconfig/*
--- /dev/null
--- /dev/null
++usr/bin/*
--- /dev/null
--- /dev/null
++Description: Fix CVE-2020-21596 global buffer overflow in decode_CABAC_bit when decoding file
++Origin: https://github.com/strukturag/libde265/commit/6751f4e3c8c7af63d0036fedd506b7932630773c
++From 6751f4e3c8c7af63d0036fedd506b7932630773c Mon Sep 17 00:00:00 2001
++From: Dirk Farin <dirk.farin@gmail.com>
++Date: Tue, 24 Jan 2023 19:01:42 +0100
++Subject: [PATCH] initialize newly created CABAC model table when (fixes #236)
++
++---
++ libde265/contextmodel.cc | 2 ++
++ 1 file changed, 2 insertions(+)
++
++diff --git a/libde265/contextmodel.cc b/libde265/contextmodel.cc
++index ec432281d..7244471f9 100644
++--- a/libde265/contextmodel.cc
+++++ b/libde265/contextmodel.cc
++@@ -181,6 +181,8 @@ void context_model_table::decouple_or_alloc_with_empty_data()
++ if (D) printf("%p (alloc)\n",this);
++
++ model = new context_model[CONTEXT_MODEL_TABLE_LENGTH];
+++ // Without initializing the model, we got an invalid model state during decoding (issue #236)
+++ memset(model, 0, sizeof(context_model) * CONTEXT_MODEL_TABLE_LENGTH);
++ refcnt= new int;
++ *refcnt=1;
++ }
--- /dev/null
--- /dev/null
++Description: Patch for CVE-2020-21599
++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014999 (one of the many CVEs of this bug)
++From a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 Mon Sep 17 00:00:00 2001
++From: Dirk Farin <dirk.farin@gmail.com>
++Date: Tue, 23 Feb 2021 15:11:09 +0100
++Subject: [PATCH] return error when PCM bits parameter exceeds pixel depth
++ (#225)
++
++---
++ libde265/de265.cc | 2 ++
++ libde265/de265.h | 3 ++-
++ libde265/sps.cc | 10 ++++++++++
++ 3 files changed, 14 insertions(+), 1 deletion(-)
++
++--- a/libde265/de265.cc
+++++ b/libde265/de265.cc
++@@ -156,6 +156,8 @@
++ return "SPS header missing, cannot decode SEI";
++ case DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA:
++ return "collocated motion-vector is outside image area";
+++ case DE265_WARNING_PCM_BITDEPTH_TOO_LARGE:
+++ return "PCM bit-depth too large";
++
++ default: return "unknown error";
++ }
++--- a/libde265/de265.h
+++++ b/libde265/de265.h
++@@ -135,7 +135,8 @@
++ DE265_NON_EXISTING_LT_REFERENCE_CANDIDATE_IN_SLICE_HEADER=1023,
++ DE265_WARNING_CANNOT_APPLY_SAO_OUT_OF_MEMORY=1024,
++ DE265_WARNING_SPS_MISSING_CANNOT_DECODE_SEI=1025,
++- DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA=1026
+++ DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA=1026,
+++ DE265_WARNING_PCM_BITDEPTH_TOO_LARGE=1027
++ } de265_error;
++
++ LIBDE265_API const char* de265_get_error_text(de265_error err);
++--- a/libde265/sps.cc
+++++ b/libde265/sps.cc
++@@ -360,6 +360,16 @@
++ READ_VLC_OFFSET(log2_min_pcm_luma_coding_block_size, uvlc, 3);
++ READ_VLC(log2_diff_max_min_pcm_luma_coding_block_size, uvlc);
++ pcm_loop_filter_disable_flag = get_bits(br,1);
+++
+++ if (pcm_sample_bit_depth_luma > bit_depth_luma) {
+++ errqueue->add_warning(DE265_WARNING_PCM_BITDEPTH_TOO_LARGE, false);
+++ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
+++ }
+++
+++ if (pcm_sample_bit_depth_chroma > bit_depth_chroma) {
+++ errqueue->add_warning(DE265_WARNING_PCM_BITDEPTH_TOO_LARGE, false);
+++ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
+++ }
++ }
++ else {
++ pcm_sample_bit_depth_luma = 0;
--- /dev/null
--- /dev/null
++Description: Fix for CVE 2021-35452
++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977
++From e83f3798dd904aa579425c53020c67e03735138d Mon Sep 17 00:00:00 2001
++From: Dirk Farin <dirk.farin@gmail.com>
++Date: Tue, 5 Apr 2022 19:35:46 +0200
++Subject: [PATCH] fix check for valid PPS idx (#298)
++
++---
++ libde265/slice.cc | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/libde265/slice.cc b/libde265/slice.cc
++index cca4d332..aacde0ce 100644
++--- a/libde265/slice.cc
+++++ b/libde265/slice.cc
++@@ -373,7 +373,7 @@ de265_error slice_segment_header::read(bitreader* br, decoder_context* ctx,
++ }
++
++ slice_pic_parameter_set_id = get_uvlc(br);
++- if (slice_pic_parameter_set_id > DE265_MAX_PPS_SETS ||
+++ if (slice_pic_parameter_set_id >= DE265_MAX_PPS_SETS ||
++ slice_pic_parameter_set_id == UVLC_ERROR) {
++ ctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++ return DE265_OK;
--- /dev/null
--- /dev/null
++Description: Fix for CVE-2021-36408
++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977
++From f538254e4658ef5ea4e233c2185dcbfd165e8911 Mon Sep 17 00:00:00 2001
++From: Dirk Farin <dirk.farin@gmail.com>
++Date: Tue, 5 Apr 2022 18:41:28 +0200
++Subject: [PATCH] fix streams where SPS image size changes without refreshing
++ PPS (#299)
++
++---
++ libde265/decctx.cc | 9 +++++++++
++ 1 file changed, 9 insertions(+)
++
++diff --git a/libde265/decctx.cc b/libde265/decctx.cc
++index edebb7136..6701725fb 100644
++--- a/libde265/decctx.cc
+++++ b/libde265/decctx.cc
++@@ -562,6 +562,15 @@ de265_error decoder_context::read_sps_NAL(bitreader& reader)
++
++ sps[ new_sps->seq_parameter_set_id ] = new_sps;
++
+++ // Remove the all PPS that referenced the old SPS because parameters may have changed and we do not want to
+++ // get the SPS and PPS parameters (e.g. image size) out of sync.
+++
+++ for (auto& p : pps) {
+++ if (p && p->seq_parameter_set_id == new_sps->seq_parameter_set_id) {
+++ p = nullptr;
+++ }
+++ }
+++
++ return DE265_OK;
++ }
++
--- /dev/null
--- /dev/null
++Description: Fix for CVE-2021-36409
++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977
++From 64d591a6c70737604ca3f5791736fc462cbe8a3c Mon Sep 17 00:00:00 2001
++From: Dirk Farin <dirk.farin@gmail.com>
++Date: Tue, 5 Apr 2022 17:53:43 +0200
++Subject: [PATCH] fix assertion when reading invalid scaling_list (#300)
++
++---
++ libde265/sps.cc | 15 +++++++++------
++ 1 file changed, 9 insertions(+), 6 deletions(-)
++
++--- a/libde265/sps.cc
+++++ b/libde265/sps.cc
++@@ -881,19 +881,23 @@
++ int n = ((sizeId==3) ? 2 : 6);
++ uint8_t scaling_list[6][32*32];
++
+++ // Note: we use a different matrixId for the second matrix of size 3 (we use '3' instead of '1').
++ for (int matrixId=0;matrixId<n;matrixId++) {
++ uint8_t* curr_scaling_list = scaling_list[matrixId];
++ int scaling_list_dc_coef;
++
++- int canonicalMatrixId = matrixId;
++- if (sizeId==3 && matrixId==1) { canonicalMatrixId=3; }
++-
++
++ //printf("----- matrix %d\n",matrixId);
++
++ char scaling_list_pred_mode_flag = get_bits(br,1);
++ if (!scaling_list_pred_mode_flag) {
++ int scaling_list_pred_matrix_id_delta = get_uvlc(br);
+++
+++ if (sizeId==3) {
+++ // adapt to our changed matrixId for size 3
+++ scaling_list_pred_matrix_id_delta *= 3;
+++ }
+++
++ if (scaling_list_pred_matrix_id_delta == UVLC_ERROR ||
++ scaling_list_pred_matrix_id_delta > matrixId) {
++ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
++@@ -909,15 +913,14 @@
++ memcpy(curr_scaling_list, default_ScalingList_4x4, 16);
++ }
++ else {
++- if (canonicalMatrixId<3)
+++ if (matrixId<3)
++ { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); }
++ else
++ { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); }
++ }
++ }
++ else {
++- // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ?
++- if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); }
+++ if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==3); }
++
++ int mID = matrixId - scaling_list_pred_matrix_id_delta;
++
--- /dev/null
--- /dev/null
++Description: CVE-2021-36410
++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977
++From 697aa4f7c774abd6374596e6707a6f4f54265355 Mon Sep 17 00:00:00 2001
++From: Dirk Farin <dirk.farin@gmail.com>
++Date: Tue, 5 Apr 2022 19:27:04 +0200
++Subject: [PATCH] fix MC with HDR chroma, but SDR luma (#301)
++
++---
++ libde265/motion.cc | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++--- a/libde265/motion.cc
+++++ b/libde265/motion.cc
++@@ -377,7 +377,7 @@
++ refPic->get_luma_stride(), nPbW,nPbH, bit_depth_L);
++ }
++
++- if (img->high_bit_depth(0)) {
+++ if (img->high_bit_depth(1)) {
++ mc_chroma(ctx, sps, vi->mv[l].x, vi->mv[l].y, xP,yP,
++ predSamplesC[0][l],nCS, (const uint16_t*)refPic->get_image_plane(1),
++ refPic->get_chroma_stride(), nPbW/SubWidthC,nPbH/SubHeightC, bit_depth_C);
--- /dev/null
--- /dev/null
++Description: CVE-2021-36411
++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977
++From 45904e5667c5bf59c67fcdc586dfba110832894c Mon Sep 17 00:00:00 2001
++From: Dirk Farin <dirk.farin@gmail.com>
++Date: Tue, 5 Apr 2022 20:00:20 +0200
++Subject: [PATCH] fix reading invalid images where shdr references are NULL in
++ part of the image (#302)
++
++---
++ libde265/deblock.cc | 127 +++++++++++++++++++++++---------------------
++ libde265/sao.cc | 5 +-
++ 2 files changed, 70 insertions(+), 62 deletions(-)
++
++--- a/libde265/deblock.cc
+++++ b/libde265/deblock.cc
++@@ -295,67 +295,72 @@
++ slice_segment_header* shdrP = img->get_SliceHeader(xDiOpp,yDiOpp);
++ slice_segment_header* shdrQ = img->get_SliceHeader(xDi ,yDi);
++
++- int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;
++- int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1;
++- int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1;
++- int refPicQ1 = mviQ.predFlag[1] ? shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1;
++-
++- bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) ||
++- (refPicP0==refPicQ1 && refPicP1==refPicQ0));
++-
++- if (!samePics) {
++- bS = 1;
++- }
++- else {
++- MotionVector mvP0 = mviP.mv[0]; if (!mviP.predFlag[0]) { mvP0.x=mvP0.y=0; }
++- MotionVector mvP1 = mviP.mv[1]; if (!mviP.predFlag[1]) { mvP1.x=mvP1.y=0; }
++- MotionVector mvQ0 = mviQ.mv[0]; if (!mviQ.predFlag[0]) { mvQ0.x=mvQ0.y=0; }
++- MotionVector mvQ1 = mviQ.mv[1]; if (!mviQ.predFlag[1]) { mvQ1.x=mvQ1.y=0; }
++-
++- int numMV_P = mviP.predFlag[0] + mviP.predFlag[1];
++- int numMV_Q = mviQ.predFlag[0] + mviQ.predFlag[1];
++-
++- if (numMV_P!=numMV_Q) {
++- img->decctx->add_warning(DE265_WARNING_NUMMVP_NOT_EQUAL_TO_NUMMVQ, false);
++- img->integrity = INTEGRITY_DECODING_ERRORS;
++- }
++-
++- // two different reference pictures or only one reference picture
++- if (refPicP0 != refPicP1) {
++-
++- if (refPicP0 == refPicQ0) {
++- if (abs_value(mvP0.x-mvQ0.x) >= 4 ||
++- abs_value(mvP0.y-mvQ0.y) >= 4 ||
++- abs_value(mvP1.x-mvQ1.x) >= 4 ||
++- abs_value(mvP1.y-mvQ1.y) >= 4) {
++- bS = 1;
++- }
++- }
++- else {
++- if (abs_value(mvP0.x-mvQ1.x) >= 4 ||
++- abs_value(mvP0.y-mvQ1.y) >= 4 ||
++- abs_value(mvP1.x-mvQ0.x) >= 4 ||
++- abs_value(mvP1.y-mvQ0.y) >= 4) {
++- bS = 1;
++- }
++- }
++- }
++- else {
++- assert(refPicQ0==refPicQ1);
++-
++- if ((abs_value(mvP0.x-mvQ0.x) >= 4 ||
++- abs_value(mvP0.y-mvQ0.y) >= 4 ||
++- abs_value(mvP1.x-mvQ1.x) >= 4 ||
++- abs_value(mvP1.y-mvQ1.y) >= 4)
++- &&
++- (abs_value(mvP0.x-mvQ1.x) >= 4 ||
++- abs_value(mvP0.y-mvQ1.y) >= 4 ||
++- abs_value(mvP1.x-mvQ0.x) >= 4 ||
++- abs_value(mvP1.y-mvQ0.y) >= 4)) {
++- bS = 1;
++- }
++- }
++- }
+++ if (shdrP && shdrQ) {
+++ int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;
+++ int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1;
+++ int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1;
+++ int refPicQ1 = mviQ.predFlag[1] ? shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1;
+++
+++ bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) ||
+++ (refPicP0==refPicQ1 && refPicP1==refPicQ0));
+++
+++ if (!samePics) {
+++ bS = 1;
+++ }
+++ else {
+++ MotionVector mvP0 = mviP.mv[0]; if (!mviP.predFlag[0]) { mvP0.x=mvP0.y=0; }
+++ MotionVector mvP1 = mviP.mv[1]; if (!mviP.predFlag[1]) { mvP1.x=mvP1.y=0; }
+++ MotionVector mvQ0 = mviQ.mv[0]; if (!mviQ.predFlag[0]) { mvQ0.x=mvQ0.y=0; }
+++ MotionVector mvQ1 = mviQ.mv[1]; if (!mviQ.predFlag[1]) { mvQ1.x=mvQ1.y=0; }
+++
+++ int numMV_P = mviP.predFlag[0] + mviP.predFlag[1];
+++ int numMV_Q = mviQ.predFlag[0] + mviQ.predFlag[1];
+++
+++ if (numMV_P!=numMV_Q) {
+++ img->decctx->add_warning(DE265_WARNING_NUMMVP_NOT_EQUAL_TO_NUMMVQ, false);
+++ img->integrity = INTEGRITY_DECODING_ERRORS;
+++ }
+++
+++ // two different reference pictures or only one reference picture
+++ if (refPicP0 != refPicP1) {
+++
+++ if (refPicP0 == refPicQ0) {
+++ if (abs_value(mvP0.x-mvQ0.x) >= 4 ||
+++ abs_value(mvP0.y-mvQ0.y) >= 4 ||
+++ abs_value(mvP1.x-mvQ1.x) >= 4 ||
+++ abs_value(mvP1.y-mvQ1.y) >= 4) {
+++ bS = 1;
+++ }
+++ }
+++ else {
+++ if (abs_value(mvP0.x-mvQ1.x) >= 4 ||
+++ abs_value(mvP0.y-mvQ1.y) >= 4 ||
+++ abs_value(mvP1.x-mvQ0.x) >= 4 ||
+++ abs_value(mvP1.y-mvQ0.y) >= 4) {
+++ bS = 1;
+++ }
+++ }
+++ }
+++ else {
+++ assert(refPicQ0==refPicQ1);
+++
+++ if ((abs_value(mvP0.x-mvQ0.x) >= 4 ||
+++ abs_value(mvP0.y-mvQ0.y) >= 4 ||
+++ abs_value(mvP1.x-mvQ1.x) >= 4 ||
+++ abs_value(mvP1.y-mvQ1.y) >= 4)
+++ &&
+++ (abs_value(mvP0.x-mvQ1.x) >= 4 ||
+++ abs_value(mvP0.y-mvQ1.y) >= 4 ||
+++ abs_value(mvP1.x-mvQ0.x) >= 4 ||
+++ abs_value(mvP1.y-mvQ0.y) >= 4)) {
+++ bS = 1;
+++ }
+++ }
+++ }
+++ }
+++ else {
+++ bS = 0; // if shdrP==NULL or shdrQ==NULL
+++ }
++
++ /*
++ printf("unimplemented deblocking code for CU at %d;%d\n",xDi,yDi);
++--- a/libde265/sao.cc
+++++ b/libde265/sao.cc
++@@ -347,7 +347,10 @@
++ for (int xCtb=0; xCtb<sps.PicWidthInCtbsY; xCtb++)
++ {
++ const slice_segment_header* shdr = img->get_SliceHeaderCtb(xCtb,yCtb);
++- if (shdr==NULL) { return; }
+++ if (shdr==NULL) {
+++ delete[] inputCopy;
+++ return;
+++ }
++
++ if (cIdx==0 && shdr->slice_sao_luma_flag) {
++ apply_sao(img, xCtb,yCtb, shdr, 0, 1<<sps.Log2CtbSizeY, 1<<sps.Log2CtbSizeY,
--- /dev/null
--- /dev/null
++Description: SAO: fix illegal table access when input pixel is out of range
++Origin: https://github.com/strukturag/libde265/commit/ad291690a8c92218b9e86738edd45ed64736b246
++From ad291690a8c92218b9e86738edd45ed64736b246 Mon Sep 17 00:00:00 2001
++From: Dirk Farin <dirk.farin@gmail.com>
++Date: Tue, 24 Jan 2023 16:53:06 +0100
++Subject: [PATCH] SAO: fix illegal table access when input pixel is out of
++ range (fixes #351)
++
++---
++ libde265/sao.cc | 9 ++++++++-
++ 1 file changed, 8 insertions(+), 1 deletion(-)
++
++--- a/libde265/sao.cc
+++++ b/libde265/sao.cc
++@@ -211,11 +211,21 @@
++ continue;
++ }
++
++- int bandIdx = bandTable[ in_img[xC+i+(yC+j)*in_stride]>>bandShift ];
++-
++ // Shifts are a strange thing. On x86, >>x actually computes >>(x%64).
++ // So we have to take care of large bandShifts.
++- if (bandShift>=8) { bandIdx=0; }
+++ int bandIdx;
+++ if (bandShift >= 8) {
+++ bandIdx = 0;
+++ } else {
+++ int pixel = in_img[xC+i+(yC+j)*in_stride];
+++
+++ // Note: the input pixel value should never exceed the valid range, but it seems that it still does,
+++ // maybe when there was a decoding error and the pixels have not been filled in correctly.
+++ // Thus, we have to limit the pixel range to ensure that we have no illegal table access.
+++ pixel = Clip3(0,maxPixelValue, pixel);
+++
+++ bandIdx = bandTable[ pixel>>bandShift ];
+++ }
++
++ if (bandIdx>0) {
++ int offset = saoinfo->saoOffsetVal[cIdx][bandIdx-1];
++@@ -237,10 +247,13 @@
++ for (int j=0;j<ctbH;j++)
++ for (int i=0;i<ctbW;i++) {
++
++- int bandIdx = bandTable[ in_img[xC+i+(yC+j)*in_stride]>>bandShift ];
++-
++ // see above
++- if (bandShift>=8) { bandIdx=0; }
+++ int bandIdx;
+++ if (bandShift >= 8) {
+++ bandIdx = 0;
+++ } else {
+++ bandIdx = bandTable[ in_img[xC+i+(yC+j)*in_stride]>>bandShift ];
+++ }
++
++ if (bandIdx>0) {
++ int offset = saoinfo->saoOffsetVal[cIdx][bandIdx-1];
--- /dev/null
--- /dev/null
++Description: check for negative Q-values in invalid input streams
++ This fixes some global buffer overflows in scale_coefficients_internal()
++Origin: https://github.com/strukturag/libde265/commit/282da73366f251edddc40f3908acb313ab5cd420
++From 282da73366f251edddc40f3908acb313ab5cd420 Mon Sep 17 00:00:00 2001
++From: Dirk Farin <farin@struktur.de>
++Date: Mon, 16 Jul 2018 10:57:50 +0200
++Subject: [PATCH] check for negative Q-values in invalid input streams
++
++---
++ libde265/transform.cc | 10 ++++++++++
++ 1 file changed, 10 insertions(+)
++
++diff --git a/libde265/transform.cc b/libde265/transform.cc
++index a844de20a..ef404f8e5 100644
++--- a/libde265/transform.cc
+++++ b/libde265/transform.cc
++@@ -147,6 +147,9 @@ void decode_quantization_parameters(thread_context* tctx, int xC,int yC,
++ (52 + sps.QpBdOffset_Y)) - sps.QpBdOffset_Y;
++
++ tctx->qPYPrime = QPY + sps.QpBdOffset_Y;
+++ if (tctx->qPYPrime<0) {
+++ tctx->qPYPrime=0;
+++ }
++
++ int qPiCb = Clip3(-sps.QpBdOffset_C,57, QPY+pps.pic_cb_qp_offset + shdr->slice_cb_qp_offset + tctx->CuQpOffsetCb);
++ int qPiCr = Clip3(-sps.QpBdOffset_C,57, QPY+pps.pic_cr_qp_offset + shdr->slice_cr_qp_offset + tctx->CuQpOffsetCr);
++@@ -169,7 +172,14 @@ void decode_quantization_parameters(thread_context* tctx, int xC,int yC,
++ //printf("q: %d %d\n",qPiCb, qPCb);
++
++ tctx->qPCbPrime = qPCb + sps.QpBdOffset_C;
+++ if (tctx->qPCbPrime<0) {
+++ tctx->qPCbPrime = 0;
+++ }
+++
++ tctx->qPCrPrime = qPCr + sps.QpBdOffset_C;
+++ if (tctx->qPCrPrime<0) {
+++ tctx->qPCrPrime = 0;
+++ }
++
++ /*
++ printf("Q: %d (%d %d %d / %d %d) %d %d %d\n",QPY,
--- /dev/null
--- /dev/null
++Description: Disable building of some internal tools that no longer link
++ because internal symbols are not exported.
++Author: Joachim Bauch <bauch@struktur.de>
++--- a/Makefile.am
+++++ b/Makefile.am
++@@ -8,10 +8,6 @@
++ SUBDIRS+=dec265
++ endif
++
++-SUBDIRS+=enc265
++-SUBDIRS+=tools
++-SUBDIRS+=acceleration-speed
++-
++ if ENABLE_SHERLOCK265
++ SUBDIRS+=sherlock265
++ endif
++--- a/dec265/Makefile.am
+++++ b/dec265/Makefile.am
++@@ -1,5 +1,5 @@
++
++-bin_PROGRAMS = dec265 hdrcopy
+++bin_PROGRAMS = dec265
++
++ AM_CPPFLAGS = -I../libde265
++
++@@ -9,12 +9,6 @@
++ dec265_LDADD = ../libde265/libde265.la -lstdc++
++ dec265_SOURCES = dec265.cc
++
++-hdrcopy_DEPENDENCIES = ../libde265/libde265.la
++-hdrcopy_CXXFLAGS =
++-hdrcopy_LDFLAGS =
++-hdrcopy_LDADD = ../libde265/libde265.la -lstdc++
++-hdrcopy_SOURCES = hdrcopy.cc
++-
++ if HAVE_VIDEOGFX
++ dec265_CXXFLAGS += $(VIDEOGFX_CFLAGS)
++ dec265_LDFLAGS += $(VIDEOGFX_LIBS)
--- /dev/null
--- /dev/null
++Description: Replace deprecated FFmpeg API
++Author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
++Last-Update: <2015-11-02>
++
++--- a/sherlock265/VideoDecoder.cc
+++++ b/sherlock265/VideoDecoder.cc
++@@ -237,7 +237,7 @@
++ }
++ width = img->get_width();
++ height = img->get_height();
++- sws = sws_getContext(width, height, PIX_FMT_YUV420P, width, height, PIX_FMT_BGRA, SWS_FAST_BILINEAR, NULL, NULL, NULL);
+++ sws = sws_getContext(width, height, AV_PIX_FMT_YUV420P, width, height, AV_PIX_FMT_BGRA, SWS_FAST_BILINEAR, NULL, NULL, NULL);
++ }
++
++ int stride[3];
--- /dev/null
--- /dev/null
++Description: fix invalid memory access after unavailable reference frame insertion
++ Needed to avoid asan errors for the version at hand, otherwise the crash even
++ happens before the pocs triggers.
++Origin: https://github.com/strukturag/libde265/commit/ee8e09a7f6f65b7c409c7801ad64918a2925ed9b
++Reviewed-by: Tobias Frost <tobi@debian.org>
++Last-Update: 2023-01-24 <YYYY-MM-DD, last update of the meta-information, optional>
++---
++This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
++--- a/libde265/decctx.cc
+++++ b/libde265/decctx.cc
++@@ -1648,9 +1648,8 @@
++ PocStCurrBefore[i], false);
++ RefPicSetStCurrBefore[i] = k = concealedPicture;
++
++- if (concealedPicture < picInAnyList.size()) {
++- picInAnyList[concealedPicture] = true;
++- }
+++ picInAnyList.resize(dpb.size(), false); // adjust size of array to hold new picture
+++ picInAnyList[concealedPicture] = true;
++
++ //printf(" concealed: %d\n", concealedPicture);
++ }
++@@ -1671,6 +1670,9 @@
++ int concealedPicture = generate_unavailable_reference_picture(current_sps.get(),
++ PocStCurrAfter[i], false);
++ RefPicSetStCurrAfter[i] = k = concealedPicture;
+++
+++
+++ picInAnyList.resize(dpb.size(), false); // adjust size of array to hold new picture
++ picInAnyList[concealedPicture]=true;
++
++ //printf(" concealed: %d\n", concealedPicture);
--- /dev/null
--- /dev/null
++Descriptions: Fix several use after free problems
++ by cherry picking upstream commit.
++Origin: https://github.com/strukturag/libde265/commit/e6a0fea0070014d21b6ca229de195b093ff8e3ad
++From e6a0fea0070014d21b6ca229de195b093ff8e3ad Mon Sep 17 00:00:00 2001
++From: Dirk Farin <farin@struktur.de>
++Date: Fri, 4 May 2018 16:30:37 +0200
++Subject: [PATCH] reference PPS from slice by shared_ptr to prevent usage after
++ deallocation
++
++---
++ libde265/decctx.h | 1 +
++ libde265/encoder/encoder-context.cc | 2 +-
++ libde265/motion.cc | 2 +-
++ libde265/slice.cc | 4 ++--
++ libde265/slice.h | 3 ++-
++ 5 files changed, 7 insertions(+), 5 deletions(-)
++
++--- a/libde265/decctx.h
+++++ b/libde265/decctx.h
++@@ -306,6 +306,8 @@
++ /* */ pic_parameter_set* get_pps(int id) { return pps[id].get(); }
++ const pic_parameter_set* get_pps(int id) const { return pps[id].get(); }
++
+++ std::shared_ptr<const pic_parameter_set> get_shared_pps(int id) { return pps[id]; }
+++
++ /*
++ const slice_segment_header* get_SliceHeader_atCtb(int ctb) {
++ return img->slices[img->get_SliceHeaderIndex_atIndex(ctb)];
++--- a/libde265/encoder/encoder-context.cc
+++++ b/libde265/encoder/encoder-context.cc
++@@ -267,7 +267,7 @@
++ imgdata->shdr.slice_loop_filter_across_slices_enabled_flag = false;
++ imgdata->shdr.compute_derived_values(pps.get());
++
++- imgdata->shdr.pps = &get_pps();
+++ imgdata->shdr.pps = pps;
++
++ //shdr.slice_pic_order_cnt_lsb = poc & 0xFF;
++
++--- a/libde265/motion.cc
+++++ b/libde265/motion.cc
++@@ -290,7 +290,7 @@
++ void* pixels[3];
++ int stride[3];
++
++- const pic_parameter_set* pps = shdr->pps;
+++ const pic_parameter_set* pps = shdr->pps.get();
++ const seq_parameter_set* sps = &img->get_sps();
++
++ const int SubWidthC = sps->SubWidthC;
++--- a/libde265/slice.cc
+++++ b/libde265/slice.cc
++@@ -384,7 +384,7 @@
++ return DE265_OK;
++ }
++
++- pps = ctx->get_pps(slice_pic_parameter_set_id);
+++ pps = ctx->get_shared_pps(slice_pic_parameter_set_id);
++
++ const seq_parameter_set* sps = pps->sps;
++ if (!sps->sps_read) {
++@@ -872,7 +872,7 @@
++ }
++
++
++- compute_derived_values(pps);
+++ compute_derived_values(pps.get());
++
++ *continueDecoding = true;
++ return DE265_OK;
++--- a/libde265/slice.h
+++++ b/libde265/slice.h
++@@ -33,6 +33,7 @@
++
++ #include <vector>
++ #include <string.h>
+++#include <memory>
++
++ #define MAX_NUM_REF_PICS 16
++
++@@ -145,7 +146,7 @@
++
++
++ int slice_index; // index through all slices in a picture (internal only)
++- const pic_parameter_set* pps;
+++ std::shared_ptr<const pic_parameter_set> pps;
++
++
++ char first_slice_segment_in_pic_flag;
--- /dev/null
--- /dev/null
++Description: Only export symbols defined in the decoder API.
++ The encoder API is not final yet, so upstream exports all symbols to make
++ development easier. For packaging we only want to expose the public API.
++Author: Joachim Bauch <bauch@struktur.de>
++--- a/libde265/encoder/Makefile.am
+++++ b/libde265/encoder/Makefile.am
++@@ -10,6 +10,18 @@
++ encpicbuf.h encpicbuf.cc \
++ sop.h sop.cc
++
+++libde265_encoder_la_CFLAGS = \
+++ $(CFLAG_VISIBILITY) \
+++ -DLIBDE265_EXPORTS
+++libde265_encoder_la_CXXFLAGS += \
+++ $(CFLAG_VISIBILITY) \
+++ -DLIBDE265_EXPORTS
+++
+++if HAVE_VISIBILITY
+++ libde265_encoder_la_CFLAGS += -DHAVE_VISIBILITY
+++ libde265_encoder_la_CXXFLAGS += -DHAVE_VISIBILITY
+++endif
+++
++ SUBDIRS=algo
++ libde265_encoder_la_LIBADD = algo/libde265_encoder_algo.la
++
++--- a/libde265/encoder/algo/Makefile.am
+++++ b/libde265/encoder/algo/Makefile.am
++@@ -17,5 +17,13 @@
++ tb-rateestim.h tb-rateestim.cc \
++ pb-mv.h pb-mv.cc
++
+++libde265_encoder_algo_la_CXXFLAGS += \
+++ $(CFLAG_VISIBILITY) \
+++ -DLIBDE265_EXPORTS
+++
+++if HAVE_VISIBILITY
+++ libde265_encoder_algo_la_CXXFLAGS += -DHAVE_VISIBILITY
+++endif
+++
++ EXTRA_DIST = \
++ CMakeLists.txt
++--- a/configure.ac
+++++ b/configure.ac
++@@ -50,9 +50,7 @@
++ fi
++ changequote([,])dnl
++
++-dnl gl_VISIBILITY
++-dnl : In encoder branch, we still export all library symbols :
++-HAVE_VISIBILITY=0
+++gl_VISIBILITY
++ AM_CONDITIONAL([HAVE_VISIBILITY], [test "x$HAVE_VISIBILITY" != "x0"])
++
++ # Checks for header files.
++--- a/libde265/image-io.cc
+++++ b/libde265/image-io.cc
++@@ -183,7 +183,7 @@
++ }
++
++
++-LIBDE265_API PacketSink_File::~PacketSink_File()
+++PacketSink_File::~PacketSink_File()
++ {
++ if (mFH) {
++ fclose(mFH);
++@@ -191,7 +191,7 @@
++ }
++
++
++-LIBDE265_API void PacketSink_File::set_filename(const char* filename)
+++void PacketSink_File::set_filename(const char* filename)
++ {
++ assert(mFH==NULL);
++
++@@ -199,7 +199,7 @@
++ }
++
++
++-LIBDE265_API void PacketSink_File::send_packet(const uint8_t* data, int n)
+++void PacketSink_File::send_packet(const uint8_t* data, int n)
++ {
++ uint8_t startCode[3];
++ startCode[0] = 0;
++--- a/libde265/image-io.h
+++++ b/libde265/image-io.h
++@@ -30,17 +30,17 @@
++ class ImageSource
++ {
++ public:
++- LIBDE265_API ImageSource();
++- virtual LIBDE265_API ~ImageSource() { }
+++ ImageSource();
+++ virtual ~ImageSource() { }
++
++ //enum ImageStatus { Available, Waiting, EndOfVideo };
++
++ //virtual ImageStatus get_status() = 0;
++- virtual LIBDE265_API de265_image* get_image(bool block=true) = 0;
++- virtual LIBDE265_API void skip_frames(int n) = 0;
+++ virtual de265_image* get_image(bool block=true) = 0;
+++ virtual void skip_frames(int n) = 0;
++
++- virtual LIBDE265_API int get_width() const = 0;
++- virtual LIBDE265_API int get_height() const = 0;
+++ virtual int get_width() const = 0;
+++ virtual int get_height() const = 0;
++ };
++
++
++@@ -48,17 +48,17 @@
++ class ImageSource_YUV : public ImageSource
++ {
++ public:
++- LIBDE265_API ImageSource_YUV();
++- virtual LIBDE265_API ~ImageSource_YUV();
+++ ImageSource_YUV();
+++ virtual ~ImageSource_YUV();
++
++- bool LIBDE265_API set_input_file(const char* filename, int w,int h);
+++ bool set_input_file(const char* filename, int w,int h);
++
++ //virtual ImageStatus get_status();
++- virtual LIBDE265_API de265_image* get_image(bool block=true);
++- virtual LIBDE265_API void skip_frames(int n);
+++ virtual de265_image* get_image(bool block=true);
+++ virtual void skip_frames(int n);
++
++- virtual LIBDE265_API int get_width() const { return width; }
++- virtual LIBDE265_API int get_height() const { return height; }
+++ virtual int get_width() const { return width; }
+++ virtual int get_height() const { return height; }
++
++ private:
++ FILE* mFH;
++@@ -74,20 +74,20 @@
++ class ImageSink
++ {
++ public:
++- virtual LIBDE265_API ~ImageSink() { }
+++ virtual ~ImageSink() { }
++
++- virtual LIBDE265_API void send_image(const de265_image* img) = 0;
+++ virtual void send_image(const de265_image* img) = 0;
++ };
++
++ class ImageSink_YUV : public ImageSink
++ {
++ public:
++- LIBDE265_API ImageSink_YUV() : mFH(NULL) { }
++- LIBDE265_API ~ImageSink_YUV();
+++ ImageSink_YUV() : mFH(NULL) { }
+++ ~ImageSink_YUV();
++
++- bool LIBDE265_API set_filename(const char* filename);
+++ bool set_filename(const char* filename);
++
++- virtual LIBDE265_API void send_image(const de265_image* img);
+++ virtual void send_image(const de265_image* img);
++
++ private:
++ FILE* mFH;
++@@ -98,21 +98,21 @@
++ class PacketSink
++ {
++ public:
++- virtual LIBDE265_API ~PacketSink() { }
+++ virtual ~PacketSink() { }
++
++- virtual LIBDE265_API void send_packet(const uint8_t* data, int n) = 0;
+++ virtual void send_packet(const uint8_t* data, int n) = 0;
++ };
++
++
++ class PacketSink_File : public PacketSink
++ {
++ public:
++- LIBDE265_API PacketSink_File();
++- virtual LIBDE265_API ~PacketSink_File();
+++ PacketSink_File();
+++ virtual ~PacketSink_File();
++
++- LIBDE265_API void set_filename(const char* filename);
+++ void set_filename(const char* filename);
++
++- virtual LIBDE265_API void send_packet(const uint8_t* data, int n);
+++ virtual void send_packet(const uint8_t* data, int n);
++
++ private:
++ FILE* mFH;
++--- a/libde265/configparam.h
+++++ b/libde265/configparam.h
++@@ -95,7 +95,7 @@
++ bool hasLongOption() const { return true; } //mLongOption!=NULL; }
++ std::string getLongOption() const { return mLongOption ? std::string(mLongOption) : get_name(); }
++
++- virtual LIBDE265_API bool processCmdLineArguments(char** argv, int* argc, int idx) { return false; }
+++ virtual bool processCmdLineArguments(char** argv, int* argc, int idx) { return false; }
++
++
++
++@@ -132,7 +132,7 @@
++ virtual std::string get_default_string() const { return default_value ? "true":"false"; }
++
++ virtual std::string getTypeDescr() const { return "(boolean)"; }
++- virtual LIBDE265_API bool processCmdLineArguments(char** argv, int* argc, int idx) { set(true); return true; }
+++ virtual bool processCmdLineArguments(char** argv, int* argc, int idx) { set(true); return true; }
++
++ bool set(bool v) { value_set=true; value=v; return true; }
++
++@@ -162,10 +162,10 @@
++ virtual bool has_default() const { return default_set; }
++
++ void set_default(std::string v) { default_value=v; default_set=true; }
++- virtual LIBDE265_API std::string get_default_string() const { return default_value; }
+++ virtual std::string get_default_string() const { return default_value; }
++
++- virtual LIBDE265_API std::string getTypeDescr() const { return "(string)"; }
++- virtual LIBDE265_API bool processCmdLineArguments(char** argv, int* argc, int idx);
+++ virtual std::string getTypeDescr() const { return "(string)"; }
+++ virtual bool processCmdLineArguments(char** argv, int* argc, int idx);
++
++ bool set(std::string v) { value_set=true; value=v; return true; }
++
++@@ -201,10 +201,10 @@
++ virtual bool has_default() const { return default_set; }
++
++ void set_default(int v) { default_value=v; default_set=true; }
++- virtual LIBDE265_API std::string get_default_string() const;
+++ virtual std::string get_default_string() const;
++
++- virtual LIBDE265_API std::string getTypeDescr() const;
++- virtual LIBDE265_API bool processCmdLineArguments(char** argv, int* argc, int idx);
+++ virtual std::string getTypeDescr() const;
+++ virtual bool processCmdLineArguments(char** argv, int* argc, int idx);
++
++ bool set(int v) {
++ if (is_valid(v)) { value_set=true; value=v; return true; }
++@@ -239,7 +239,7 @@
++ virtual std::vector<std::string> get_choice_names() const = 0;
++
++ virtual std::string getTypeDescr() const;
++- virtual LIBDE265_API bool processCmdLineArguments(char** argv, int* argc, int idx);
+++ virtual bool processCmdLineArguments(char** argv, int* argc, int idx);
++
++ const char** get_choices_string_table() const;
++
++@@ -368,10 +368,10 @@
++ config_parameters() : param_string_table(NULL) { }
++ ~config_parameters() { delete[] param_string_table; }
++
++- void LIBDE265_API add_option(option_base* o);
+++ void add_option(option_base* o);
++
++- void LIBDE265_API print_params() const;
++- bool LIBDE265_API parse_command_line_params(int* argc, char** argv, int* first_idx=NULL,
+++ void print_params() const;
+++ bool parse_command_line_params(int* argc, char** argv, int* first_idx=NULL,
++ bool ignore_unknown_options=false);
++
++
++--- a/libde265/quality.h
+++++ b/libde265/quality.h
++@@ -26,11 +26,11 @@
++ #include <libde265/image.h>
++
++
++-LIBDE265_API uint32_t SSD(const uint8_t* img, int imgStride,
+++uint32_t SSD(const uint8_t* img, int imgStride,
++ const uint8_t* ref, int refStride,
++ int width, int height);
++
++-LIBDE265_API uint32_t SAD(const uint8_t* img, int imgStride,
+++uint32_t SAD(const uint8_t* img, int imgStride,
++ const uint8_t* ref, int refStride,
++ int width, int height);
++
++@@ -41,7 +41,7 @@
++ LIBDE265_API double PSNR(double mse);
++
++
++-LIBDE265_API uint32_t compute_distortion_ssd(const de265_image* img1, const de265_image* img2,
+++uint32_t compute_distortion_ssd(const de265_image* img1, const de265_image* img2,
++ int x0, int y0, int log2size, int cIdx);
++
++ #endif
--- /dev/null
--- /dev/null
++Description: Don't update sps if they are only repeated
++Origin: https://github.com/strukturag/libde265/pull/372
++From 51f07f132f29832e025a8b913b61cbd20257c5fc Mon Sep 17 00:00:00 2001
++From: Tobias Frost <tobi@debian.org>
++Date: Fri, 13 Jan 2023 12:22:45 +0100
++Subject: [PATCH] Don't update sps if they are only repeated
++
++This is an attempt to improve the mitigations from #365 and #366 and picks up an idea I described at #345:
++
++> One way would be just to look at the pointers of the SPS (fast and easy, but
++> may reject more than required), or investigate if the SPS used for the image
++> generations are "compatible".
++
++This changes do exactly this: It (very conservativly) checks if the old and new sps have
++identical information -- except the reference picture set, which I believe is supposed
++to be updated by new sps'). If they are basically identical, the old sps will be
++used instead of the new one, (of course, reference image set is updated from the new one)
++
++I'm using standalone operator== and helper functions to avoid changing ABI of the library;
++if an ABI bump would be done, of course this should go to the respective classes.
++---
++ libde265/decctx.cc | 273 +++++++++++++++++++++++++++++++++++++++++++++
++ libde265/sps.cc | 6 +
++ 2 files changed, 279 insertions(+)
++
++--- a/libde265/decctx.cc
+++++ b/libde265/decctx.cc
++@@ -545,6 +545,219 @@
++ return DE265_OK;
++ }
++
+++// implemented as freestanding functions to avoid changing API
+++
+++bool operator==(const profile_data &lhs, const profile_data &rhs) {
+++ if(&lhs == &rhs) return true;
+++ if(lhs.profile_present_flag != rhs.profile_present_flag ) return false;
+++ if(lhs.profile_present_flag) {
+++ if(lhs.profile_space != rhs.profile_space ) return false;
+++ if(lhs.tier_flag != rhs.tier_flag ) return false;
+++ if(lhs.profile_idc != rhs.profile_idc ) return false;
+++
+++ if(memcmp(lhs.profile_compatibility_flag, rhs.profile_compatibility_flag, sizeof(rhs.profile_compatibility_flag)) ) return false;
+++
+++ if(lhs.progressive_source_flag != rhs.progressive_source_flag ) return false;
+++ if(lhs.interlaced_source_flag != rhs.interlaced_source_flag ) return false;
+++ if(lhs.non_packed_constraint_flag != rhs.non_packed_constraint_flag ) return false;
+++ if(lhs.frame_only_constraint_flag != rhs.frame_only_constraint_flag ) return false;
+++ }
+++
+++ if(lhs.level_present_flag != rhs.level_present_flag) return false;
+++ if(lhs.level_present_flag && lhs.level_idc != rhs.level_idc ) return false;
+++
+++ return true;
+++}
+++
+++bool operator!=(const profile_data &lhs, const profile_data &rhs) {
+++ if(&lhs == &rhs) return false;
+++ return (!(lhs==rhs));
+++}
+++
+++// class does not store max_sub_layers, so operator == cannot be done.
+++bool isEqual(const profile_tier_level &lhs , const profile_tier_level &rhs, int sps_max_sub_layers ) {
+++ if(&lhs == &rhs) return true;
+++
+++ if(lhs.general != rhs.general ) return false;
+++ for(int i = 0 ; i < sps_max_sub_layers; i++ ) {
+++ if(lhs.sub_layer[i] != rhs.sub_layer[i]) return false;
+++ }
+++ return true;
+++}
+++
+++bool isEqual(const video_usability_information &lhs, const video_usability_information &rhs, const seq_parameter_set &sps) {
+++ if(&lhs == &rhs) return true;
+++
+++ // not seen yet if(lhs.nal_hrd_parameters_present_flag != rhs.nal_hrd_parameters_present_flag ) return false;
+++
+++ // populated by video_usability_information::read()
+++ if(lhs.aspect_ratio_info_present_flag != rhs.aspect_ratio_info_present_flag ) return false;
+++ if(lhs.aspect_ratio_info_present_flag) {
+++ if(lhs.sar_width != rhs.sar_width ) return false;
+++ if(lhs.sar_height != rhs.sar_height ) return false;
+++ }
+++
+++ if(lhs.overscan_info_present_flag != rhs.overscan_info_present_flag ) return false;
+++ if(lhs.overscan_info_present_flag) {
+++ if(lhs.overscan_appropriate_flag != rhs.overscan_appropriate_flag ) return false;
+++ }
+++
+++ if(lhs.video_signal_type_present_flag != rhs.video_signal_type_present_flag ) return false;
+++ if(lhs.video_signal_type_present_flag) {
+++ if(lhs.video_format != rhs.video_format ) return false;
+++ if(lhs.video_full_range_flag != rhs.video_full_range_flag) return false;
+++ if(lhs.colour_description_present_flag != rhs.colour_description_present_flag) return false;
+++ if(lhs.colour_primaries != rhs.colour_primaries ) return false;
+++ if(lhs.transfer_characteristics != rhs.transfer_characteristics ) return false;
+++ if(lhs.matrix_coeffs != rhs.matrix_coeffs ) return false;
+++ }
+++
+++ if(lhs.chroma_loc_info_present_flag != rhs.chroma_loc_info_present_flag ) return false;
+++ if(lhs.chroma_loc_info_present_flag) {
+++ if(lhs.chroma_sample_loc_type_top_field != rhs.chroma_sample_loc_type_top_field ) return false;
+++ if(lhs.chroma_sample_loc_type_bottom_field != rhs.chroma_sample_loc_type_bottom_field ) return false;
+++ }
+++ if(lhs.neutral_chroma_indication_flag != rhs.neutral_chroma_indication_flag ) return false;
+++ if(lhs.field_seq_flag != rhs.field_seq_flag ) return false;
+++ if(lhs.frame_field_info_present_flag != rhs.frame_field_info_present_flag ) return false;
+++
+++ if(lhs.default_display_window_flag != rhs.default_display_window_flag ) return false;
+++ if(lhs.default_display_window_flag) {
+++ if(lhs.def_disp_win_left_offset != rhs.def_disp_win_left_offset ) return false;
+++ if(lhs.def_disp_win_right_offset != rhs.def_disp_win_right_offset ) return false;
+++ if(lhs.def_disp_win_top_offset != rhs.def_disp_win_top_offset ) return false;
+++ if(lhs.def_disp_win_bottom_offset != rhs.def_disp_win_bottom_offset ) return false;
+++ }
+++
+++ if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag ) return false;
+++ if(lhs.vui_timing_info_present_flag) {
+++ if(lhs.vui_num_units_in_tick != rhs.vui_num_units_in_tick ) return false;
+++ if(lhs.vui_time_scale != rhs.vui_time_scale ) return false;
+++ if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag ) return false;
+++ if(lhs.vui_timing_info_present_flag) {
+++ if(lhs.vui_num_ticks_poc_diff_one != rhs.vui_num_ticks_poc_diff_one ) return false;
+++ }
+++ }
+++
+++ if(lhs.bitstream_restriction_flag != rhs.bitstream_restriction_flag ) return false;
+++ if(lhs.tiles_fixed_structure_flag != rhs.tiles_fixed_structure_flag ) return false;
+++ if(lhs.motion_vectors_over_pic_boundaries_flag != rhs.motion_vectors_over_pic_boundaries_flag ) return false;
+++ if(lhs.restricted_ref_pic_lists_flag != rhs.restricted_ref_pic_lists_flag ) return false;
+++ if(lhs.min_spatial_segmentation_idc != rhs.min_spatial_segmentation_idc ) return false;
+++ if(lhs.max_bytes_per_pic_denom != rhs.max_bytes_per_pic_denom ) return false;
+++ if(lhs.max_bits_per_min_cu_denom != rhs.max_bits_per_min_cu_denom ) return false;
+++ if(lhs.log2_max_mv_length_horizontal != rhs.log2_max_mv_length_horizontal ) return false;
+++ if(lhs.log2_max_mv_length_vertical != rhs.log2_max_mv_length_vertical ) return false;
+++
+++ return true;
+++}
+++
+++bool operator==(const sps_range_extension &lhs, const sps_range_extension &rhs) {
+++ if(&lhs == &rhs) return true;
+++ if(lhs.transform_skip_rotation_enabled_flag != rhs.transform_skip_rotation_enabled_flag ) return false;
+++ if(lhs.transform_skip_context_enabled_flag != rhs.transform_skip_context_enabled_flag ) return false;
+++ if(lhs.implicit_rdpcm_enabled_flag != rhs.implicit_rdpcm_enabled_flag ) return false;
+++ if(lhs.explicit_rdpcm_enabled_flag != rhs.explicit_rdpcm_enabled_flag ) return false;
+++ if(lhs.extended_precision_processing_flag != rhs.extended_precision_processing_flag ) return false;
+++ if(lhs.intra_smoothing_disabled_flag != rhs.intra_smoothing_disabled_flag ) return false;
+++ if(lhs.high_precision_offsets_enabled_flag != rhs.high_precision_offsets_enabled_flag ) return false;
+++ if(lhs.persistent_rice_adaptation_enabled_flag != rhs.persistent_rice_adaptation_enabled_flag ) return false;
+++ if(lhs.cabac_bypass_alignment_enabled_flag != rhs.cabac_bypass_alignment_enabled_flag ) return false;
+++ return true;
+++}
+++
+++bool operator!=(const sps_range_extension &lhs, const sps_range_extension &rhs) {
+++ if(&lhs == &rhs) return false;
+++ return !(lhs==rhs);
+++}
+++
+++
+++bool operator==(const seq_parameter_set &lhs, const seq_parameter_set &rhs) {
+++
+++ if(&lhs== &rhs) return true;
+++
+++ if(lhs.sps_read != rhs.sps_read) return false;
+++
+++ if(lhs.video_parameter_set_id != rhs.video_parameter_set_id) return false;
+++ if(lhs.sps_max_sub_layers != rhs.sps_max_sub_layers) return false;
+++ if(lhs.sps_temporal_id_nesting_flag != rhs.sps_temporal_id_nesting_flag) return false;
+++
+++ if(!isEqual(lhs.profile_tier_level_, rhs.profile_tier_level_, lhs.sps_max_sub_layers)) return false;
+++
+++ if(lhs.seq_parameter_set_id != rhs.seq_parameter_set_id) return false;
+++ if(lhs.chroma_format_idc != rhs.chroma_format_idc) return false;
+++
+++ if(lhs.separate_colour_plane_flag != rhs.separate_colour_plane_flag) return false;
+++ if(lhs.pic_width_in_luma_samples != rhs.pic_width_in_luma_samples) return false;
+++ if(lhs.pic_height_in_luma_samples != rhs.pic_height_in_luma_samples) return false;
+++ if(lhs.conformance_window_flag != rhs.conformance_window_flag) return false;
+++
+++ if(lhs.conformance_window_flag) {
+++ if(lhs.conf_win_left_offset != rhs.conf_win_left_offset) return false;
+++ if(lhs.conf_win_right_offset != rhs.conf_win_right_offset) return false;
+++ if(lhs.conf_win_top_offset != rhs.conf_win_top_offset) return false;
+++ if(lhs.conf_win_bottom_offset != rhs.conf_win_bottom_offset) return false;
+++ }
+++
+++ if(lhs.bit_depth_luma != rhs.bit_depth_luma) return false;
+++ if(lhs.bit_depth_chroma != rhs.bit_depth_chroma) return false;
+++
+++ if(lhs.log2_max_pic_order_cnt_lsb != rhs.log2_max_pic_order_cnt_lsb) return false;
+++ if(lhs.sps_sub_layer_ordering_info_present_flag != rhs.sps_sub_layer_ordering_info_present_flag) return false;
+++
+++ if(memcmp(lhs.sps_max_dec_pic_buffering, rhs.sps_max_dec_pic_buffering, sizeof(rhs.sps_max_dec_pic_buffering))) return false;
+++ if(memcmp(lhs.sps_max_num_reorder_pics, rhs.sps_max_num_reorder_pics, sizeof(rhs.sps_max_num_reorder_pics))) return false;
+++ if(memcmp(lhs.sps_max_latency_increase_plus1, rhs.sps_max_latency_increase_plus1, sizeof(rhs.sps_max_latency_increase_plus1))) return false;
+++
+++ if(lhs.log2_min_luma_coding_block_size != rhs.log2_min_luma_coding_block_size) return false;
+++ if(lhs.log2_diff_max_min_luma_coding_block_size != rhs.log2_diff_max_min_luma_coding_block_size) return false;
+++ if(lhs.log2_min_transform_block_size != rhs.log2_min_transform_block_size) return false;
+++ if(lhs.log2_diff_max_min_transform_block_size != rhs.log2_diff_max_min_transform_block_size) return false;
+++ if(lhs.max_transform_hierarchy_depth_inter != rhs.max_transform_hierarchy_depth_inter) return false;
+++ if(lhs.max_transform_hierarchy_depth_intra != rhs.max_transform_hierarchy_depth_intra) return false;
+++
+++ if(lhs.scaling_list_enable_flag != rhs.scaling_list_enable_flag) return false;
+++ if(lhs.scaling_list_enable_flag) {
+++ if(lhs.sps_scaling_list_data_present_flag != rhs.sps_scaling_list_data_present_flag) return false;
+++ if(lhs.sps_scaling_list_data_present_flag) {
+++ // compare only needed if present, otherwise it is the default scaling list.
+++ if(memcmp(&lhs.scaling_list, &rhs.scaling_list, sizeof(rhs.scaling_list))) return false;
+++ }
+++ }
+++
+++ if(lhs.amp_enabled_flag != rhs.amp_enabled_flag) return false;
+++ if(lhs.sample_adaptive_offset_enabled_flag != rhs.sample_adaptive_offset_enabled_flag) return false;
+++ if(lhs.pcm_enabled_flag != rhs.pcm_enabled_flag) return false;
+++
+++ if(lhs.pcm_enabled_flag) {
+++ if(lhs.pcm_sample_bit_depth_luma != rhs.pcm_sample_bit_depth_luma) return false;
+++ if(lhs.pcm_sample_bit_depth_chroma != rhs.pcm_sample_bit_depth_chroma) return false;
+++ if(lhs.log2_min_pcm_luma_coding_block_size != rhs.log2_min_pcm_luma_coding_block_size) return false;
+++ if(lhs.log2_diff_max_min_pcm_luma_coding_block_size != rhs.log2_diff_max_min_pcm_luma_coding_block_size) return false;
+++ if(lhs.pcm_loop_filter_disable_flag != rhs.pcm_loop_filter_disable_flag) return false;
+++ }
+++
+++ // (longterm) reference pics likely to change with a new sps, so ignored here.
+++
+++ if(lhs.sps_temporal_mvp_enabled_flag != rhs.sps_temporal_mvp_enabled_flag) return false;
+++ if(lhs.strong_intra_smoothing_enable_flag != rhs.strong_intra_smoothing_enable_flag) return false;
+++
+++ if(lhs.vui_parameters_present_flag != rhs.vui_parameters_present_flag) return false;
+++ if(lhs.vui_parameters_present_flag) {
+++ if(!isEqual(lhs.vui, rhs.vui, lhs )) return false;
+++ }
+++
+++ if(lhs.sps_extension_present_flag != rhs.sps_extension_present_flag ) return false;
+++ if(lhs.sps_extension_present_flag) {
+++ if(lhs.sps_range_extension_flag != rhs.sps_range_extension_flag ) return false;
+++ if(lhs.sps_multilayer_extension_flag != rhs.sps_multilayer_extension_flag ) return false;
+++ if(lhs.sps_extension_6bits != rhs.sps_extension_6bits ) return false;
+++ if(lhs.range_extension != rhs.range_extension) return false;
+++ }
+++
+++ return true;
+++}
+++
++ de265_error decoder_context::read_sps_NAL(bitreader& reader)
++ {
++ logdebug(LogHeaders,"----> read SPS\n");
++@@ -560,6 +773,22 @@
++ new_sps->dump(param_sps_headers_fd);
++ }
++
+++ if ( sps[ new_sps->seq_parameter_set_id ] ) {
+++ auto old_sps = sps[ new_sps->seq_parameter_set_id ].get();
+++ if ( *old_sps == *new_sps ) {
+++ // printf(" **** keeping sps *****\n");
+++ // the new sps is identical to the old one, so no replacing needed.
+++ // however, reference pics and long-term reference pics might need updating.
+++ old_sps->ref_pic_sets = new_sps->ref_pic_sets;
+++ old_sps->long_term_ref_pics_present_flag = new_sps->long_term_ref_pics_present_flag;
+++ memcpy(old_sps->lt_ref_pic_poc_lsb_sps, new_sps->lt_ref_pic_poc_lsb_sps, sizeof(old_sps->lt_ref_pic_poc_lsb_sps));
+++ memcpy(old_sps->used_by_curr_pic_lt_sps_flag, new_sps->used_by_curr_pic_lt_sps_flag, sizeof(old_sps->used_by_curr_pic_lt_sps_flag));
+++ return DE265_OK;
+++ }
+++ //printf(" **** replacing sps *****\n");
+++
+++ }
+++
++ sps[ new_sps->seq_parameter_set_id ] = new_sps;
++
++ // Remove the all PPS that referenced the old SPS because parameters may have changed and we do not want to
++--- a/libde265/sps.cc
+++++ b/libde265/sps.cc
++@@ -282,6 +282,11 @@
++ int firstLayer = (sps_sub_layer_ordering_info_present_flag ?
++ 0 : sps_max_sub_layers-1 );
++
+++ // zero out so that comparing is easier.
+++ memset(sps_max_dec_pic_buffering, 0 , sizeof(sps_max_dec_pic_buffering));
+++ memset(sps_max_num_reorder_pics, 0 , sizeof(sps_max_num_reorder_pics));
+++ memset(sps_max_latency_increase_plus1, 0 , sizeof(sps_max_latency_increase_plus1));
+++
++ for (int i=firstLayer ; i <= sps_max_sub_layers-1; i++ ) {
++
++ // sps_max_dec_pic_buffering[i]
++@@ -342,6 +347,7 @@
++ if (sps_scaling_list_data_present_flag) {
++
++ de265_error err;
+++ memset(&scaling_list, 0 , sizeof(scaling_list)); // zero out, so that memcmp will do it to check for equality.
++ if ((err=read_scaling_list(br,this, &scaling_list, false)) != DE265_OK) {
++ return err;
++ }
--- /dev/null
--- /dev/null
++Description: Try to mitigate asan failures by rejecting reference pictures not created with the same sps.
++ The reference images might have different parameters (size, pixel depth, etc) and so different memory allocations,
++ leading to out of bound memory reads and writes.
++Origin: https://github.com/strukturag/libde265/pull/365
++Comment: Analysis of issue https://github.com/strukturag/libde265/issues/345#issuecomment-1346406079
++From 97dd15303085eae2695a511717bf3239e209df96 Mon Sep 17 00:00:00 2001
++From: Tobias Frost <tobi@debian.org>
++Date: Mon, 12 Dec 2022 14:03:12 +0100
++Subject: [PATCH] Try to mitigate asan failures.
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++See #345 for my analysis and details…
++
++(This PR is just for discussion.)
++
++(The CVE references are obtained from the Debian security tracker,
++which links the issues.)
++
++This makes the following POCs stop failing:
++
++- poc3 (#337)
++- poc7-1 (#341) CVE-2022-43239 (note: does NOT fix poc7-2)
++- poc8-2, poc8-3, poc8-4 (#342) CVE-2022-43244 (note: does NOT fix poc8-1)
++- poc11-1, poc11-2 (#345) CVE-2022-43249
++- poc12 (#346)
++- poc13 (#347) CVE-2022-43252
++- poc16 (#350)
++---
++ libde265/motion.cc | 10 ++++++++++
++ 1 file changed, 10 insertions(+)
++
++--- a/libde265/motion.cc
+++++ b/libde265/motion.cc
++@@ -349,7 +349,17 @@
++
++ logtrace(LogMotion, "refIdx: %d -> dpb[%d]\n", vi->refIdx[l], shdr->RefPicList[l][vi->refIdx[l]]);
++
++- if (refPic->PicState == UnusedForReference) {
+++ if (refPic) {
+++ auto nonconst_refPic = const_cast<de265_image*>(refPic); /* shared_ptr.get() chokes on const.*/
+++ auto refsps = nonconst_refPic->get_shared_sps().get();
+++ auto imgsps = img->get_shared_sps().get();
+++ if(refsps != imgsps) {
+++ // rejecting reference image created with different sps.
+++ refPic = nullptr;
+++ }
+++ }
+++
+++ if (!refPic || refPic->PicState == UnusedForReference) {
++ img->integrity = INTEGRITY_DECODING_ERRORS;
++ ctx->add_warning(DE265_WARNING_NONEXISTING_REFERENCE_PICTURE_ACCESSED, false);
++
--- /dev/null
--- /dev/null
++only_export_decoder_api.patch
++disable_tools.patch
++ffmpeg_2.9.patch
++fix-invalid-memory-access.patch
++CVE-2020-21599.patch
++CVE-2021-35452.patch
++CVE-2021-36408.patch
++CVE-2021-36409.patch
++CVE-2021-36410.patch
++CVE-2021-36411.patch
++reject_reference_pics_from_different_sps.patch
++use_sps_from_the_image.patch
++recycle_sps_if_possible.patch
++check-4-negative-Q-value.patch
++CVE-2022-43245-fix-asan-wildpointer-apply_sao_internal.patch
++CVE-2020-21596-global-buffer-overflow.patch
++fix-use-after-free.patch
--- /dev/null
--- /dev/null
++Description: Use sps of the image, not the sps of the pic parameter set (pps)
++ When decoding a slice, all decoding functions are using the sps of the target
++ image to determine the image properties, which are in the seqquence parameter
++ set) -- execpt generate_inter_prediction_samples(), which uses the sps from the
++ pps, which might have different properties and trick the decode to out-of-bound
++ memory accesses, leading to crashes.
++Origin: https://github.com/strukturag/libde265/pull/366
++From 36391cda3d4e4fb3269a2ce310e6e0f634729f0b Mon Sep 17 00:00:00 2001
++From: Tobias Frost <tobi@debian.org>
++Date: Mon, 12 Dec 2022 14:33:40 +0100
++Subject: [PATCH] Use the sps from the image
++
++(as e.g mc_chroma is using the sps to determine
++picture properties, like pic_width_in_luma_samples
++and pic_height_in_luma_samples, I *think* this is
++more correct.
++
++This PR is for discussion. (See #345.)
++It makes the failures go away, but that does not mean it's correct :)
++
++The following poc will be stop failing if (only) this
++patch is applied:
++
++ - poc2 #336 - CVE-2022-43238
++ - poc4 #338 - CVE-2022-43241
++ - poc6-1, poc6-2 #340 - CVE-2022-43242
++ - poc7-1, poc7-2 #341 - CVE-2022-43239
++ - poc8-1 #342 - CVE-2022-43244
++ - poc9-3 #343 - CVE-2022-43236
++ - poc10-2, poc10-3 #344 - CVE-2022-43237
++ - poc16 #350
++ - poc19 #353
++
++The following are still failing if only this patch is
++applied, but they stop failing if #365 is applied as well, but will
++still fail with ONLY #365 applied (IOW, both are needed)
++
++ - poc1 #335 - CVE-2022-43240
++ - poc3 #337 - CVE-2022-43235
++ - poc5 #339 - CVE-2022-43423
++ - poc9-1,poc9-2, poc9-4 #343 - CVE-2022-43236
++ - poc14 #348 - CVE-2022-43253
++ - poc15 #349 - CVE-2022-43248
++ - poc17-1, poc17-2 #351
++ - poc18 #352 - CVE-2022-43245
++---
++ libde265/motion.cc | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++--- a/libde265/motion.cc
+++++ b/libde265/motion.cc
++@@ -291,7 +291,7 @@
++ int stride[3];
++
++ const pic_parameter_set* pps = shdr->pps;
++- const seq_parameter_set* sps = pps->sps;
+++ const seq_parameter_set* sps = &img->get_sps();
++
++ const int SubWidthC = sps->SubWidthC;
++ const int SubHeightC = sps->SubHeightC;
--- /dev/null
--- /dev/null
++#!/usr/bin/make -f
++#export DH_VERBOSE=1
++
++%:
++ dh $@
++
++override_dh_auto_install:
++ dh_auto_install
++ cd $(CURDIR)/debian/tmp/usr/bin/ && mv dec265 libde265-dec265
++ if [ -e "$(CURDIR)/debian/tmp/usr/bin/sherlock265" ]; then \
++ cd $(CURDIR)/debian/tmp/usr/bin/ && mv sherlock265 \
++ libde265-sherlock265; \
++ fi
++
++override_dh_strip:
++ dh_strip --ddeb-migration='libde265-dbg (<< 1.0.2-2~)'
--- /dev/null
--- /dev/null
++3.0 (quilt)
--- /dev/null
--- /dev/null
++version=3
++opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/libde265-$1\.tar\.gz/,\
++downloadurlmangle=s/.+\/v?(\d\S*)\.tar\.gz/https:\/\/github\.com\/strukturag\/libde265\/releases\/download\/v$1\/libde265-$1\.tar\.gz/ \
++ https://github.com/strukturag/libde265/tags .*/v?(\d\S*)\.tar\.gz
projects / libde265.git / commitdiff