From: Dirk Farin
Date: Tue, 5 Apr 2022 07:52:57 +0000 (+0200)
Subject: [PATCH] error on out-of-range cpb_cnt_minus1 (oss-fuzz issue 27590)
X-Git-Tag: archive/raspbian/1.0.8-1.1+rpi1^2~6
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=95ff5472e83250b054272da079fb80bec8cee27f;p=libde265.git
[PATCH] error on out-of-range cpb_cnt_minus1 (oss-fuzz issue 27590)
Gbp-Pq: Name 0001-CVE-2022-1253.patch
---
diff --git a/libde265/sps.cc b/libde265/sps.cc
index 47c157a..387ea75 100644
--- a/libde265/sps.cc
+++ b/libde265/sps.cc
@@ -425,7 +425,10 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br)
 vui_parameters_present_flag = get_bits(br,1);
 if (vui_parameters_present_flag) {
- vui.read(errqueue, br, this);
+ de265_error err = vui.read(errqueue, br, this);
+ if (err) {
+ return err;
+ }
 }
diff --git a/libde265/vui.cc b/libde265/vui.cc
index b5f46ac..76086ff 100644
--- a/libde265/vui.cc
+++ b/libde265/vui.cc
@@ -201,6 +201,9 @@ de265_error video_usability_information::hrd_parameters(error_queue* errqueue, b
 if (!low_delay_hrd_flag[i]) {
 READ_VLC_OFFSET(cpb_cnt_minus1[i], uvlc, 0);
+ if (cpb_cnt_minus1[i] > 31) {
+ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
+ }
 }
 for (nalOrVcl = 0; nalOrVcl < 2; nalOrVcl++)
@@ -361,6 +364,9 @@ de265_error video_usability_information::read(error_queue* errqueue, bitreader*
 if (vui_hrd_parameters_present_flag) {
 de265_error err;
 err = hrd_parameters(errqueue, br, sps);
+ if (err) {
+ return err;
+ }
 }
 }
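Review bot: The early `return err;` added in `seq_parameter_set::read` (sps.cc), and the matching one after `hrd_parameters` in `video_usability_information::read` (vui.cc), leave the SPS/VUI object partly populated when parsing aborts. Whether callers discard the object on a non-OK result is not visible in these hunks and should be confirmed, because a later use of a half-parsed SPS would bypass the new range check. A short why-comment at the sps.cc site would help the next reader, e.g. `// VUI errors are fatal for this SPS: out-of-range HRD values must not reach later parsing`. Both functions start and continue outside their hunks.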
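Review bot: The bound in `if (cpb_cnt_minus1[i] > 31)` in `hrd_parameters` is a bare literal with nothing tying it to the storage it protects. H.265 Annex E limits cpb_cnt_minus1 to 0..31, so a comment such as `// H.265 Annex E: cpb_cnt_minus1 is 0..31; larger values would index past the per-CPB arrays` would make the intent explicit; the array sizes are not visible here, so confirm they hold 32 entries. The check also runs only inside `if (!low_delay_hrd_flag[i])`: if `cpb_cnt_minus1[i]` is not set to 0 on the other path, a stale or uninitialised value could presumably still drive the `nalOrVcl` loop that follows, so confirm it is initialised before the `if`. The function body continues outside the hunk.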