From: Dirk Farin <dirk.farin@gmail.com>
Date: Sat, 4 Mar 2023 09:27:59 +0000 (+0100)
Subject: [PATCH] check for valid slice header index access (fixes #394)
X-Git-Tag: archive/raspbian/1.0.11-0+deb10u5+rpi1^2~3
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=6fdc1a3a958ed3eb1c27d964a4ac7ede22794975;p=libde265.git

[PATCH] check for valid slice header index access (fixes #394)


Gbp-Pq: Name CVE-2023-27103.patch
---

diff --git a/libde265/de265.cc b/libde265/de265.cc
index ab96e77..6ff0191 100644
--- a/libde265/de265.cc
+++ b/libde265/de265.cc
@@ -174,6 +174,8 @@ LIBDE265_API const char* de265_get_error_text(de265_error err)
     return "Bit-depth of current image does not match SPS";
   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
     return "Chroma format of reference image does not match current image";
+  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
+    return "Access with invalid slice header index";
 
   default: return "unknown error";
   }
diff --git a/libde265/de265.h b/libde265/de265.h
index 51147cc..b160be4 100644
--- a/libde265/de265.h
+++ b/libde265/de265.h
@@ -145,7 +145,8 @@ typedef enum {
   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
   DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
   DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
-  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
+  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
+  DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
 } de265_error;
 
 LIBDE265_API const char* de265_get_error_text(de265_error err);
diff --git a/libde265/motion.cc b/libde265/motion.cc
index 5c47404..f33e23f 100644
--- a/libde265/motion.cc
+++ b/libde265/motion.cc
@@ -1266,6 +1266,16 @@ void derive_collocated_motion_vectors(base_context* ctx,
 
 
 
+  int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
+  if (slice_hdr_idx >= colImg->slices.size()) {
+    ctx->add_warning(DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, false);
+
+    *out_availableFlagLXCol = 0;
+    out_mvLXCol->x = 0;
+    out_mvLXCol->y = 0;
+    return;
+  }
+
   const slice_segment_header* colShdr = colImg->slices[ colImg->get_SliceHeaderIndex(xColPb,yColPb) ];
 
   if (shdr->LongTermRefPic[X][refIdxLX] !=