From: Tobias Frost
Date: Tue, 24 Jan 2023 21:39:16 +0000 (+0000)
Subject: libde265 (1.0.3-1+deb10u3) buster-security; urgency=medium
X-Git-Tag: archive/raspbian/1.0.3-1+rpi1+deb10u3^2~18
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=f14baa016bb13b25c21e7e6d09706a1119e4ec31;p=libde265.git

libde265 (1.0.3-1+deb10u3) buster-security; urgency=medium

  * Non-maintainer upload by the LTS Security Team.
  * Source-only upload. (Last upload was accidentally a binary-upload)

[dgit import unpatched libde265 1.0.3-1+deb10u3]
---
f14baa016bb13b25c21e7e6d09706a1119e4ec31
diff --cc debian/.gitlab-ci.yml index 0000000,0000000..eff1842 new file mode 100644 --- /dev/null +++ b/debian/.gitlab-ci.yml @@@ -1,0 -1,0 +1,8 @@@ ++include: ++ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml ++ ++variables: ++ RELEASE: 'buster' ++ SALSA_CI_COMPONENTS: 'main contrib non-free' ++ SALSA_CI_DISABLE_REPROTEST: 1 ++ SALSA_CI_DISABLE_LINTIAN: 1 diff --cc debian/changelog index 0000000,0000000..6c4c2e7 new file mode 100644 --- /dev/null
+++ b/debian/changelog @@@ -1,0 -1,0 +1,102 @@@ ++libde265 (1.0.3-1+deb10u3) buster-security; urgency=medium ++ ++ * Non-maintainer upload by the LTS Security Team. ++ * Source-only upload. (Last upload was accidentially a binary-upload) ++ ++ -- Tobias Frost Tue, 24 Jan 2023 22:39:16 +0100 ++ ++libde265 (1.0.3-1+deb10u2) buster-security; urgency=medium ++ ++ * Non-maintainer upload by the LTS Security Team. ++ * Add patches: ++ - reject_reference_pics_from_different_sps.patch ++ - use_sps_from_the_image.patch ++ - recycle_sps_if_possible.patch ++ * Cherry-pick additional patches from upstream: ++ check-4-negative-Q-value.patch ++ CVE-2022-43245-fix-asan-wildpointer-apply_sao_internal.patch ++ * Add patch "fix-invalid-memory-access.patch" to avoid out-of-bound ++ array access leading to crashes. ++ * Add patch CVE-2020-21596-global-buffer-overflow.patch ++ * Add patch to avoid use-after-free problems. ++ * Cumulative, the patches are fixing: ++ CVE-2020-21596, CVE-2020-21597, CVE-2020-21598, CVE-2022-43235, ++ CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, CVE-2022-43239, ++ CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, CVE-2022-43243, ++ CVE-2022-43244, CVE-2022-43245, CVE-2022-43248, CVE-2022-43249, ++ CVE-2022-43250, CVE-2022-43252, CVE-2022-43253, CVE-2022-47655. ++ (Closes: #1029357, #1029397, #1025816, #1027179) ++ * Amend changelog of 1.0.3-1+deb10u1, as it turned out that the ++ fix for CVE 2020-51999 and CVE 2021-36408 fixed other issues too. ++ ++ -- Tobias Frost Tue, 24 Jan 2023 21:42:47 +0100 ++ ++libde265 (1.0.3-1+deb10u1) buster-security; urgency=medium ++ ++ * Non-maintainer upload by the LTS Security Team. 
++ * Cherry-pick upstream patches for: ++ - CVE-2020-21599 (Closes #1014999) ++ - CVE-2021-35452, CVE-2021-36408, CVE-2021-36409, CVE-2021-36410 and ++ CVE-2021-36411 (Closes: #1014977) ++ * The fix for CVE-2020-21599 also fixed: ++ CVE-2020-21595, CVE-2020-21600, CVE-2020-21601, CVE-2020-21602, ++ CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606 ++ * The fix for CVE-2021-36408 also fixed: ++ CVE-2020-21597, CVE-2020-21598. (Closes: #1004963) ++ ++ -- Tobias Frost Thu, 15 Dec 2022 17:40:12 +0100 ++ ++libde265 (1.0.3-1) unstable; urgency=medium ++ ++ [ Ondřej Nový ] ++ * d/copyright: Use https protocol in Format field ++ * d/control: Set Vcs-* to salsa.debian.org ++ ++ [ Felipe Sateler ] ++ * Change maintainer address to debian-multimedia@lists.debian.org ++ ++ [ Joachim Bauch ] ++ * Imported Upstream version 1.0.3 ++ * Update patches for new upstream version. ++ * Update symbols for new upstream version. ++ * Update standards version and switch to debhelper 10. ++ ++ -- Joachim Bauch Thu, 19 Apr 2018 11:44:40 +0200 ++ ++libde265 (1.0.2-2) unstable; urgency=low ++ ++ [ Joachim Bauch ] ++ * Added patch by Andreas Cadhalpun to fix compilation with FFmpeg 2.9 ++ (Closes: #803834) ++ * Updated symbols file for new C++11 symbols. ++ ++ [ Sebastian Ramacher ] ++ * Migrate to automatic dbg packages. ++ * debian/control: Remove some unnecessary Build-Depends. ++ ++ -- Joachim Bauch Mon, 11 Jan 2016 19:12:19 +0100 ++ ++libde265 (1.0.2-1) unstable; urgency=low ++ ++ * Imported Upstream version 1.0.2 ++ * Added new files to copyright information. ++ * Only export decoder API and update symbols for new version. ++ ++ -- Joachim Bauch Thu, 16 Jul 2015 11:07:46 +0200 ++ ++libde265 (0.9-1) unstable; urgency=low ++ ++ * Updated symbols to make all "std::vector" symbols optional. ++ * Imported Upstream version 0.9 ++ * Removed deprecated patch to update symbols visibility. Changes were ++ applied upstream. 
++ * Upstream supports compiling against Qt5, prefer that over Qt4. ++ * Added new symbols from new upstream release. ++ ++ -- Joachim Bauch Tue, 16 Sep 2014 18:47:14 +0200 ++ ++libde265 (0.8-1) unstable; urgency=low ++ ++ * Initial release. (Closes: #744190) ++ ++ -- Joachim Bauch Fri, 08 Aug 2014 17:23:37 +0200 diff --cc debian/compat index 0000000,0000000..f599e28 new file mode 100644 --- /dev/null +++ b/debian/compat @@@ -1,0 -1,0 +1,1 @@@ ++10 diff --cc debian/control index 0000000,0000000..44c614b new file mode 100644 --- /dev/null 
+++ b/debian/control @@@ -1,0 -1,0 +1,62 @@@ ++Source: libde265 ++Section: libs ++Priority: optional ++Maintainer: Debian Multimedia Maintainers ++Uploaders: ++ Alessio Treglia , ++ Joachim Bauch ++Build-Depends: ++ debhelper (>= 10), ++ libjpeg-dev, ++ libpng-dev, ++ qtbase5-dev | libqt4-dev, ++ libsdl-dev, ++ libswscale-dev, ++ libx11-dev, ++ libxext-dev, ++ libxv-dev, ++ pkg-config ++Standards-Version: 4.1.3 ++Homepage: https://github.com/strukturag/libde265 ++Vcs-Git: https://salsa.debian.org/multimedia-team/libde265.git ++Vcs-Browser: https://salsa.debian.org/multimedia-team/libde265 ++ ++Package: libde265-0 ++Architecture: any ++Multi-Arch: same ++Depends: ++ ${misc:Depends}, ++ ${shlibs:Depends} ++Description: Open H.265 video codec implementation ++ libde265 is an open source implementation of the H.265 video codec. ++ It is written from scratch in plain C for simplicity and efficiency. ++ Its simple API makes it easy to integrate it into other software. ++ ++Package: libde265-dev ++Section: libdevel ++Multi-Arch: same ++Architecture: any ++Depends: ++ libde265-0 (= ${binary:Version}), ++ ${misc:Depends} ++Description: Open H.265 video codec implementation - development files ++ libde265 is an open source implementation of the H.265 video codec. ++ It is written from scratch in plain C for simplicity and efficiency. ++ Its simple API makes it easy to integrate it into other software. ++ . ++ The development headers for compiling programs that use libde265 ++ are provided by this package. ++ ++Package: libde265-examples ++Section: video ++Architecture: any ++Depends: ++ libde265-0 (= ${binary:Version}), ++ ${misc:Depends}, ++ ${shlibs:Depends} ++Description: Open H.265 video codec implementation - examples ++ libde265 is an open source implementation of the H.265 video codec. ++ It is written from scratch in plain C for simplicity and efficiency. ++ Its simple API makes it easy to integrate it into other software. ++ . 
++ Sample applications using libde265 are provided by this package. diff --cc debian/copyright index 0000000,0000000..4c87163 new file mode 100644 --- /dev/null 
+++ b/debian/copyright @@@ -1,0 -1,0 +1,190 @@@ ++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ ++Upstream-Name: libde265 ++Upstream-Contact: struktur AG ++Source: https://github.com/strukturag/libde265 ++ ++Files: * ++Copyright: ++ 2013-2014 struktur AG, Dirk Farin ++ 2013 openHEVC contributors ++License: LGPL-3+ ++ ++Files: dec265/dec265.cc ++ dec265/hdrcopy.cc ++ dec265/sdl.cc ++ dec265/sdl.hh ++ enc265/enc265.cc ++ sherlock265/VideoDecoder.cc ++ sherlock265/VideoDecoder.hh ++ sherlock265/VideoPlayer.cc ++ sherlock265/VideoPlayer.hh ++ sherlock265/VideoWidget.cc ++ sherlock265/VideoWidget.hh ++ sherlock265/sherlock265.cc ++ tools/bjoentegaard.cc ++ tools/block-rate-estim.cc ++ tools/gen-entropy-table.cc ++ tools/rd-curves.cc ++ tools/tests.cc ++ tools/yuv-distortion.cc ++Copyright: ++ 2013-2014 struktur AG, Dirk Farin ++ 2013-2014 struktur AG, Joachim Bauch ++ 1998-2013 Free Software Foundation, Inc ++License: GPL-3+ ++Comment: Please note that only the sample applications are GPL-3+ while ++ the decoding library itself is licensed as LGPL-3+. ++ ++Files: extra/getopt.c ++ extra/getopt.h ++ extra/getopt_long.c ++Copyright: 1987-1996 The Regents of the University of California ++License: BSD-4-clause ++ ++Files: libde265/md5.cc ++ libde265/md5.h ++Copyright: No copyright holder ++License: public-domain-1 ++ This software was written by Alexander Peslyak in 2001. No copyright is ++ claimed, and the software is hereby placed in the public domain. ++ In case this attempt to disclaim copyright and place the software in the ++ public domain is deemed null and void, then the software is ++ Copyright (c) 2001 Alexander Peslyak and it is hereby released to the ++ general public under the following terms: ++ . ++ Redistribution and use in source and binary forms, with or without ++ modification, are permitted. ++ . ++ There's ABSOLUTELY NO WARRANTY, express or implied. ++ . ++ (This is a heavily cut-down "BSD license".) ++ . 
++ This differs from Colin Plumb's older public domain implementation in that ++ no exactly 32-bit integer data type is required (any 32-bit or wider ++ unsigned integer data type will do), there's no compile-time endianness ++ configuration, and the function prototypes match OpenSSL's. No code from ++ Colin Plumb's implementation has been reused; this comment merely compares ++ the properties of the two independent implementations. ++ . ++ The primary goals of this implementation are portability and ease of use. ++ It is meant to be fast, but not as fast as possible. Some known ++ optimizations are not included to reduce source code size and avoid ++ compile-time configuration. ++ ++Files: extra/stdint.h ++Copyright: No copyright holder ++License: public-domain-2 ++ ISO C9x 7.18 Integer types ++ Based on ISO/IEC SC22/WG14 9899 Committee draft (SC22 N2794) ++ . ++ THIS SOFTWARE IS NOT COPYRIGHTED ++ . ++ Contributor: Danny Smith ++ . ++ This source code is offered for use in the public domain. You may ++ use, modify or distribute it freely. ++ . ++ This code is distributed in the hope that it will be useful but ++ WITHOUT ANY WARRANTY. ALL WARRANTIES, EXPRESS OR IMPLIED ARE HEREBY ++ DISCLAIMED. This includes but is not limited to warranties of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. ++ . ++ Date: 2000-12-02 ++ ++Files: extra/win32cond.c ++ extra/win32cond.h ++Copyright: ++ 1993-2009 Douglas C. Schmidt and his research group at ++ Washington University, University of California, Irvine, and ++ Vanderbilt University ++License: other-1 ++ ACE(TM), TAO(TM), CIAO(TM), DAnCE>(TM), and CoSMIC(TM) (henceforth ++ referred to as "DOC software") are copyrighted by Douglas C. Schmidt ++ and his research group at Washington University, University of California, ++ Irvine, and Vanderbilt University, Copyright (c) 1993-2009, all rights ++ reserved. ++ . 
++ Since DOC software is open-source, freely available software, you are free ++ to use, modify, copy, and distribute--perpetually and irrevocably--the DOC ++ software source code and object code produced from the source, as well as ++ copy and distribute modified versions of this software. You must, however, ++ include this copyright statement along with any code built using DOC ++ software that you release. ++ . ++ No copyright statement needs to be provided if you just ship binary ++ executables of your software products. ++ . ++ See "Strategies for Implementing POSIX Condition Variables on Win32" at ++ http://www.cs.wustl.edu/~schmidt/win32-cv-1.html ++ ++Files: debian/* ++Copyright: ++ 2014 Joachim Bauch ++ 2014 Alessio Treglia ++License: LGPL-3+ ++ ++License: GPL-3+ ++ This program is free software: you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation, either version 3 of the License, or ++ (at your option) any later version. ++ . ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ . ++ On Debian systems the complete text of the GNU General Public License ++ can be found in the `/usr/share/common-licenses/GPL-3' file. ++ . ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++ ++License: LGPL-3+ ++ This program is free software: you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation, either version 3 of the License, or ++ (at your option) any later version. ++ . 
++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ . ++ On Debian systems the complete text of the GNU Lesser General Public ++ License can be found in the `/usr/share/common-licenses/LGPL-3' file. ++ . ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see . ++ ++License: BSD-4-clause ++ Copyright (c) 1987, 1993, 1994 ++ The Regents of the University of California. All rights reserved. ++ . ++ Redistribution and use in source and binary forms, with or without ++ modification, are permitted provided that the following conditions ++ are met: ++ 1. Redistributions of source code must retain the above copyright ++ notice, this list of conditions and the following disclaimer. ++ 2. Redistributions in binary form must reproduce the above copyright ++ notice, this list of conditions and the following disclaimer in the ++ documentation and/or other materials provided with the distribution. ++ 3. All advertising materials mentioning features or use of this software ++ must display the following acknowledgement: ++ This product includes software developed by the University of ++ California, Berkeley and its contributors. ++ 4. Neither the name of the University nor the names of its contributors ++ may be used to endorse or promote products derived from this software ++ without specific prior written permission. ++ . ++ THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ++ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE ++ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ SUCH DAMAGE. diff --cc debian/libde265-0.install index 0000000,0000000..3de3b10 new file mode 100644 --- /dev/null +++ b/debian/libde265-0.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/lib/*/*.so.* diff --cc debian/libde265-0.symbols index 0000000,0000000..a40c8ab new file mode 100644 --- /dev/null 
+++ b/debian/libde265-0.symbols @@@ -1,0 -1,0 +1,72 @@@ ++libde265.so.0 libde265-0 #MINVER# ++ (optional|c++|regex)"^std::_Sp_counted_base<.*@Base$" 1.0.2 ++ (optional|c++|regex)"^std::_Sp_counted_ptr<.*@Base$" 1.0.3 ++ (optional|c++|regex)"^std::__cxx11::basic_string<.*@Base$" 1.0.2 ++ (optional|c++|regex)"^std::__cxx11::basic_stringbuf<.*@Base$" 1.0.2 ++ (optional|c++|regex)"^std::vector<.*@Base$" 1.0.2 ++ (optional|c++|regex)"^typeinfo for std::.*@Base$" 1.0.2 ++ (optional|c++|regex)"^typeinfo name for std::.*@Base$" 1.0.2 ++ (optional|c++|regex)"^void std::vector<.*@Base$" 1.0.2 ++ (optional=only used internally by dec265|c++)"MSE(unsigned char const*, int, unsigned char const*, int, int, int)@Base" 1.0.2 ++ (optional=only used internally by dec265|c++)"PSNR(double)@Base" 1.0.2 ++ (optional=only used by the non-final encoder api)de265_alloc_image_plane@Base 1.0.2 ++ de265_change_framerate@Base 0.8 ++ de265_decode@Base 0.8 ++ de265_decode_data@Base 0.8 ++ de265_disable_logging@Base 0.8 ++ de265_flush_data@Base 0.8 ++ de265_free@Base 0.8 ++ de265_free_decoder@Base 0.8 ++ (optional=only used by the non-final encoder api)de265_free_image_plane@Base 1.0.2 ++ de265_get_bits_per_pixel@Base 1.0.2 ++ de265_get_chroma_format@Base 0.8 ++ de265_get_current_TID@Base 0.8 ++ de265_get_default_image_allocation_functions@Base 0.8 ++ de265_get_error_text@Base 0.8 ++ de265_get_highest_TID@Base 0.8 ++ de265_get_image_NAL_header@Base 0.8 ++ de265_get_image_PTS@Base 0.8 ++ de265_get_image_height@Base 0.8 ++ de265_get_image_plane@Base 0.8 ++ de265_get_image_plane_user_data@Base 0.8 ++ de265_get_image_user_data@Base 0.8 ++ de265_get_image_width@Base 0.8 ++ de265_get_next_picture@Base 0.8 ++ de265_get_number_of_NAL_units_pending@Base 0.8 ++ de265_get_number_of_input_bytes_pending@Base 0.8 ++ de265_get_parameter_bool@Base 0.8 ++ de265_get_version@Base 0.8 ++ de265_get_version_number@Base 0.8 ++ de265_get_version_number_maintenance@Base 1.0.2 ++ de265_get_version_number_major@Base 1.0.2 
++ de265_get_version_number_minor@Base 1.0.2 ++ de265_get_warning@Base 0.8 ++ de265_init@Base 0.8 ++ de265_isOK@Base 0.8 ++ de265_new_decoder@Base 0.8 ++ de265_peek_next_picture@Base 0.8 ++ de265_push_NAL@Base 0.8 ++ de265_push_data@Base 0.8 ++ de265_push_end_of_NAL@Base 0.8 ++ de265_push_end_of_frame@Base 0.9 ++ de265_release_next_picture@Base 0.8 ++ de265_reset@Base 0.8 ++ de265_set_framerate_ratio@Base 0.8 ++ de265_set_image_allocation_functions@Base 0.8 ++ de265_set_image_plane@Base 0.8 ++ de265_set_image_user_data@Base 0.9 ++ de265_set_limit_TID@Base 0.8 ++ de265_set_parameter_bool@Base 0.8 ++ de265_set_parameter_int@Base 0.8 ++ de265_set_verbosity@Base 0.8 ++ de265_start_worker_threads@Base 0.8 ++ (optional=only used internally by sherlock265)draw_CB_grid@Base 0.8 ++ (optional=only used internally by sherlock265)draw_Motion@Base 0.8 ++ (optional=only used internally by sherlock265)draw_PB_grid@Base 0.8 ++ (optional=only used internally by sherlock265)draw_PB_pred_modes@Base 0.8 ++ (optional=only used internally by sherlock265)draw_QuantPY@Base 0.8 ++ (optional=only used internally by sherlock265)draw_Slices@Base 0.8 ++ (optional=only used internally by sherlock265)draw_TB_grid@Base 0.8 ++ (optional=only used internally by sherlock265)draw_Tiles@Base 0.8 ++ (optional=only used internally by sherlock265)draw_intra_pred_modes@Base 0.8 ++ (optional=only used by the non-final encoder api|regex)en265_.*@Base 1.0.2 diff --cc debian/libde265-dev.docs index 0000000,0000000..b43bf86 new file mode 100644 --- /dev/null +++ b/debian/libde265-dev.docs @@@ -1,0 -1,0 +1,1 @@@ ++README.md diff --cc debian/libde265-dev.install index 0000000,0000000..60fe5cb new file mode 100644 --- /dev/null +++ b/debian/libde265-dev.install @@@ -1,0 -1,0 +1,3 @@@ ++usr/include/* ++usr/lib/*/*.so ++usr/lib/*/pkgconfig/* diff --cc debian/libde265-examples.install index 0000000,0000000..1df36c6 new file mode 100644 --- /dev/null 
+++ b/debian/libde265-examples.install @@@ -1,0 -1,0 +1,1 @@@ ++usr/bin/* diff --cc debian/patches/CVE-2020-21596-global-buffer-overflow.patch index 0000000,0000000..c5daf9c new file mode 100644 --- /dev/null +++ b/debian/patches/CVE-2020-21596-global-buffer-overflow.patch @@@ -1,0 -1,0 +1,24 @@@ ++Description: Fix CVE-2020-21596 global buffer overflow in decode_CABAC_bit when decoding file ++Origin: https://github.com/strukturag/libde265/commit/6751f4e3c8c7af63d0036fedd506b7932630773c ++From 6751f4e3c8c7af63d0036fedd506b7932630773c Mon Sep 17 00:00:00 2001 ++From: Dirk Farin ++Date: Tue, 24 Jan 2023 19:01:42 +0100 ++Subject: [PATCH] initialize newly created CABAC model table when (fixes #236) ++ ++--- ++ libde265/contextmodel.cc | 2 ++ ++ 1 file changed, 2 insertions(+) ++ ++diff --git a/libde265/contextmodel.cc b/libde265/contextmodel.cc ++index ec432281d..7244471f9 100644 ++--- a/libde265/contextmodel.cc +++++ b/libde265/contextmodel.cc ++@@ -181,6 +181,8 @@ void context_model_table::decouple_or_alloc_with_empty_data() ++ if (D) printf("%p (alloc)\n",this); ++ ++ model = new context_model[CONTEXT_MODEL_TABLE_LENGTH]; +++ // Without initializing the model, we got an invalid model state during decoding (issue #236) +++ memset(model, 0, sizeof(context_model) * CONTEXT_MODEL_TABLE_LENGTH); ++ refcnt= new int; ++ *refcnt=1; ++ } diff --cc debian/patches/CVE-2020-21599.patch index 0000000,0000000..79ff5b9 new file mode 100644 --- /dev/null 
+++ b/debian/patches/CVE-2020-21599.patch @@@ -1,0 -1,0 +1,56 @@@ ++Description: Patch for CVE-2020-21599 ++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014999 (one of the many CVEs of this bug) ++From a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 Mon Sep 17 00:00:00 2001 ++From: Dirk Farin ++Date: Tue, 23 Feb 2021 15:11:09 +0100 ++Subject: [PATCH] return error when PCM bits parameter exceeds pixel depth ++ (#225) ++ ++--- ++ libde265/de265.cc | 2 ++ ++ libde265/de265.h | 3 ++- ++ libde265/sps.cc | 10 ++++++++++ ++ 3 files changed, 14 insertions(+), 1 deletion(-) ++ ++--- a/libde265/de265.cc +++++ b/libde265/de265.cc ++@@ -156,6 +156,8 @@ ++ return "SPS header missing, cannot decode SEI"; ++ case DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA: ++ return "collocated motion-vector is outside image area"; +++ case DE265_WARNING_PCM_BITDEPTH_TOO_LARGE: +++ return "PCM bit-depth too large"; ++ ++ default: return "unknown error"; ++ } ++--- a/libde265/de265.h +++++ b/libde265/de265.h ++@@ -135,7 +135,8 @@ ++ DE265_NON_EXISTING_LT_REFERENCE_CANDIDATE_IN_SLICE_HEADER=1023, ++ DE265_WARNING_CANNOT_APPLY_SAO_OUT_OF_MEMORY=1024, ++ DE265_WARNING_SPS_MISSING_CANNOT_DECODE_SEI=1025, ++- DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA=1026 +++ DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA=1026, +++ DE265_WARNING_PCM_BITDEPTH_TOO_LARGE=1027 ++ } de265_error; ++ ++ LIBDE265_API const char* de265_get_error_text(de265_error err); ++--- a/libde265/sps.cc +++++ b/libde265/sps.cc ++@@ -360,6 +360,16 @@ ++ READ_VLC_OFFSET(log2_min_pcm_luma_coding_block_size, uvlc, 3); ++ READ_VLC(log2_diff_max_min_pcm_luma_coding_block_size, uvlc); ++ pcm_loop_filter_disable_flag = get_bits(br,1); +++ +++ if (pcm_sample_bit_depth_luma > bit_depth_luma) { +++ errqueue->add_warning(DE265_WARNING_PCM_BITDEPTH_TOO_LARGE, false); +++ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE; +++ } +++ +++ if (pcm_sample_bit_depth_chroma > bit_depth_chroma) { +++ 
errqueue->add_warning(DE265_WARNING_PCM_BITDEPTH_TOO_LARGE, false); +++ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE; +++ } ++ } ++ else { ++ pcm_sample_bit_depth_luma = 0; diff --cc debian/patches/CVE-2021-35452.patch index 0000000,0000000..da29f68 new file mode 100644 --- /dev/null +++ b/debian/patches/CVE-2021-35452.patch @@@ -1,0 -1,0 +1,24 @@@ ++Description: Fix for CVE 2021-35452 ++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977 ++From e83f3798dd904aa579425c53020c67e03735138d Mon Sep 17 00:00:00 2001 ++From: Dirk Farin ++Date: Tue, 5 Apr 2022 19:35:46 +0200 ++Subject: [PATCH] fix check for valid PPS idx (#298) ++ ++--- ++ libde265/slice.cc | 2 +- ++ 1 file changed, 1 insertion(+), 1 deletion(-) ++ ++diff --git a/libde265/slice.cc b/libde265/slice.cc ++index cca4d332..aacde0ce 100644 ++--- a/libde265/slice.cc +++++ b/libde265/slice.cc ++@@ -373,7 +373,7 @@ de265_error slice_segment_header::read(bitreader* br, decoder_context* ctx, ++ } ++ ++ slice_pic_parameter_set_id = get_uvlc(br); ++- if (slice_pic_parameter_set_id > DE265_MAX_PPS_SETS || +++ if (slice_pic_parameter_set_id >= DE265_MAX_PPS_SETS || ++ slice_pic_parameter_set_id == UVLC_ERROR) { ++ ctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false); ++ return DE265_OK; diff --cc debian/patches/CVE-2021-36408.patch index 0000000,0000000..e04f444 new file mode 100644 --- /dev/null 
+++ b/debian/patches/CVE-2021-36408.patch @@@ -1,0 -1,0 +1,32 @@@ ++Description: Fix for CVE-2021-36408 ++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977 ++From f538254e4658ef5ea4e233c2185dcbfd165e8911 Mon Sep 17 00:00:00 2001 ++From: Dirk Farin ++Date: Tue, 5 Apr 2022 18:41:28 +0200 ++Subject: [PATCH] fix streams where SPS image size changes without refreshing ++ PPS (#299) ++ ++--- ++ libde265/decctx.cc | 9 +++++++++ ++ 1 file changed, 9 insertions(+) ++ ++diff --git a/libde265/decctx.cc b/libde265/decctx.cc ++index edebb7136..6701725fb 100644 ++--- a/libde265/decctx.cc +++++ b/libde265/decctx.cc ++@@ -562,6 +562,15 @@ de265_error decoder_context::read_sps_NAL(bitreader& reader) ++ ++ sps[ new_sps->seq_parameter_set_id ] = new_sps; ++ +++ // Remove the all PPS that referenced the old SPS because parameters may have changed and we do not want to +++ // get the SPS and PPS parameters (e.g. image size) out of sync. +++ +++ for (auto& p : pps) { +++ if (p && p->seq_parameter_set_id == new_sps->seq_parameter_set_id) { +++ p = nullptr; +++ } +++ } +++ ++ return DE265_OK; ++ } ++ diff --cc debian/patches/CVE-2021-36409.patch index 0000000,0000000..0134475 new file mode 100644 --- /dev/null 
+++ b/debian/patches/CVE-2021-36409.patch @@@ -1,0 -1,0 +1,58 @@@ ++Description: Fix for CVE-2021-36409 ++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977 ++From 64d591a6c70737604ca3f5791736fc462cbe8a3c Mon Sep 17 00:00:00 2001 ++From: Dirk Farin ++Date: Tue, 5 Apr 2022 17:53:43 +0200 ++Subject: [PATCH] fix assertion when reading invalid scaling_list (#300) ++ ++--- ++ libde265/sps.cc | 15 +++++++++------ ++ 1 file changed, 9 insertions(+), 6 deletions(-) ++ ++--- a/libde265/sps.cc +++++ b/libde265/sps.cc ++@@ -881,19 +881,23 @@ ++ int n = ((sizeId==3) ? 2 : 6); ++ uint8_t scaling_list[6][32*32]; ++ +++ // Note: we use a different matrixId for the second matrix of size 3 (we use '3' instead of '1'). ++ for (int matrixId=0;matrixId matrixId) { ++ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE; ++@@ -909,15 +913,14 @@ ++ memcpy(curr_scaling_list, default_ScalingList_4x4, 16); ++ } ++ else { ++- if (canonicalMatrixId<3) +++ if (matrixId<3) ++ { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); } ++ else ++ { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); } ++ } ++ } ++ else { ++- // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ? ++- if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); } +++ if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==3); } ++ ++ int mID = matrixId - scaling_list_pred_matrix_id_delta; ++ diff --cc debian/patches/CVE-2021-36410.patch index 0000000,0000000..b93592c new file mode 100644 --- /dev/null 
+++ b/debian/patches/CVE-2021-36410.patch @@@ -1,0 -1,0 +1,22 @@@ ++Description: CVE-2021-36410 ++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977 ++From 697aa4f7c774abd6374596e6707a6f4f54265355 Mon Sep 17 00:00:00 2001 ++From: Dirk Farin ++Date: Tue, 5 Apr 2022 19:27:04 +0200 ++Subject: [PATCH] fix MC with HDR chroma, but SDR luma (#301) ++ ++--- ++ libde265/motion.cc | 2 +- ++ 1 file changed, 1 insertion(+), 1 deletion(-) ++ ++--- a/libde265/motion.cc +++++ b/libde265/motion.cc ++@@ -377,7 +377,7 @@ ++ refPic->get_luma_stride(), nPbW,nPbH, bit_depth_L); ++ } ++ ++- if (img->high_bit_depth(0)) { +++ if (img->high_bit_depth(1)) { ++ mc_chroma(ctx, sps, vi->mv[l].x, vi->mv[l].y, xP,yP, ++ predSamplesC[0][l],nCS, (const uint16_t*)refPic->get_image_plane(1), ++ refPic->get_chroma_stride(), nPbW/SubWidthC,nPbH/SubHeightC, bit_depth_C); diff --cc debian/patches/CVE-2021-36411.patch index 0000000,0000000..a53ce24 new file mode 100644 --- /dev/null 
+++ b/debian/patches/CVE-2021-36411.patch @@@ -1,0 -1,0 +1,163 @@@ ++Description: CVE-2021-36411 ++Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014977 ++From 45904e5667c5bf59c67fcdc586dfba110832894c Mon Sep 17 00:00:00 2001 ++From: Dirk Farin ++Date: Tue, 5 Apr 2022 20:00:20 +0200 ++Subject: [PATCH] fix reading invalid images where shdr references are NULL in ++ part of the image (#302) ++ ++--- ++ libde265/deblock.cc | 127 +++++++++++++++++++++++--------------------- ++ libde265/sao.cc | 5 +- ++ 2 files changed, 70 insertions(+), 62 deletions(-) ++ ++--- a/libde265/deblock.cc +++++ b/libde265/deblock.cc ++@@ -295,67 +295,72 @@ ++ slice_segment_header* shdrP = img->get_SliceHeader(xDiOpp,yDiOpp); ++ slice_segment_header* shdrQ = img->get_SliceHeader(xDi ,yDi); ++ ++- int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1; ++- int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1; ++- int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1; ++- int refPicQ1 = mviQ.predFlag[1] ? 
shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1; ++- ++- bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) || ++- (refPicP0==refPicQ1 && refPicP1==refPicQ0)); ++- ++- if (!samePics) { ++- bS = 1; ++- } ++- else { ++- MotionVector mvP0 = mviP.mv[0]; if (!mviP.predFlag[0]) { mvP0.x=mvP0.y=0; } ++- MotionVector mvP1 = mviP.mv[1]; if (!mviP.predFlag[1]) { mvP1.x=mvP1.y=0; } ++- MotionVector mvQ0 = mviQ.mv[0]; if (!mviQ.predFlag[0]) { mvQ0.x=mvQ0.y=0; } ++- MotionVector mvQ1 = mviQ.mv[1]; if (!mviQ.predFlag[1]) { mvQ1.x=mvQ1.y=0; } ++- ++- int numMV_P = mviP.predFlag[0] + mviP.predFlag[1]; ++- int numMV_Q = mviQ.predFlag[0] + mviQ.predFlag[1]; ++- ++- if (numMV_P!=numMV_Q) { ++- img->decctx->add_warning(DE265_WARNING_NUMMVP_NOT_EQUAL_TO_NUMMVQ, false); ++- img->integrity = INTEGRITY_DECODING_ERRORS; ++- } ++- ++- // two different reference pictures or only one reference picture ++- if (refPicP0 != refPicP1) { ++- ++- if (refPicP0 == refPicQ0) { ++- if (abs_value(mvP0.x-mvQ0.x) >= 4 || ++- abs_value(mvP0.y-mvQ0.y) >= 4 || ++- abs_value(mvP1.x-mvQ1.x) >= 4 || ++- abs_value(mvP1.y-mvQ1.y) >= 4) { ++- bS = 1; ++- } ++- } ++- else { ++- if (abs_value(mvP0.x-mvQ1.x) >= 4 || ++- abs_value(mvP0.y-mvQ1.y) >= 4 || ++- abs_value(mvP1.x-mvQ0.x) >= 4 || ++- abs_value(mvP1.y-mvQ0.y) >= 4) { ++- bS = 1; ++- } ++- } ++- } ++- else { ++- assert(refPicQ0==refPicQ1); ++- ++- if ((abs_value(mvP0.x-mvQ0.x) >= 4 || ++- abs_value(mvP0.y-mvQ0.y) >= 4 || ++- abs_value(mvP1.x-mvQ1.x) >= 4 || ++- abs_value(mvP1.y-mvQ1.y) >= 4) ++- && ++- (abs_value(mvP0.x-mvQ1.x) >= 4 || ++- abs_value(mvP0.y-mvQ1.y) >= 4 || ++- abs_value(mvP1.x-mvQ0.x) >= 4 || ++- abs_value(mvP1.y-mvQ0.y) >= 4)) { ++- bS = 1; ++- } ++- } ++- } +++ if (shdrP && shdrQ) { +++ int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1; +++ int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1; +++ int refPicQ0 = mviQ.predFlag[0] ? 
shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1; +++ int refPicQ1 = mviQ.predFlag[1] ? shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1; +++ +++ bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) || +++ (refPicP0==refPicQ1 && refPicP1==refPicQ0)); +++ +++ if (!samePics) { +++ bS = 1; +++ } +++ else { +++ MotionVector mvP0 = mviP.mv[0]; if (!mviP.predFlag[0]) { mvP0.x=mvP0.y=0; } +++ MotionVector mvP1 = mviP.mv[1]; if (!mviP.predFlag[1]) { mvP1.x=mvP1.y=0; } +++ MotionVector mvQ0 = mviQ.mv[0]; if (!mviQ.predFlag[0]) { mvQ0.x=mvQ0.y=0; } +++ MotionVector mvQ1 = mviQ.mv[1]; if (!mviQ.predFlag[1]) { mvQ1.x=mvQ1.y=0; } +++ +++ int numMV_P = mviP.predFlag[0] + mviP.predFlag[1]; +++ int numMV_Q = mviQ.predFlag[0] + mviQ.predFlag[1]; +++ +++ if (numMV_P!=numMV_Q) { +++ img->decctx->add_warning(DE265_WARNING_NUMMVP_NOT_EQUAL_TO_NUMMVQ, false); +++ img->integrity = INTEGRITY_DECODING_ERRORS; +++ } +++ +++ // two different reference pictures or only one reference picture +++ if (refPicP0 != refPicP1) { +++ +++ if (refPicP0 == refPicQ0) { +++ if (abs_value(mvP0.x-mvQ0.x) >= 4 || +++ abs_value(mvP0.y-mvQ0.y) >= 4 || +++ abs_value(mvP1.x-mvQ1.x) >= 4 || +++ abs_value(mvP1.y-mvQ1.y) >= 4) { +++ bS = 1; +++ } +++ } +++ else { +++ if (abs_value(mvP0.x-mvQ1.x) >= 4 || +++ abs_value(mvP0.y-mvQ1.y) >= 4 || +++ abs_value(mvP1.x-mvQ0.x) >= 4 || +++ abs_value(mvP1.y-mvQ0.y) >= 4) { +++ bS = 1; +++ } +++ } +++ } +++ else { +++ assert(refPicQ0==refPicQ1); +++ +++ if ((abs_value(mvP0.x-mvQ0.x) >= 4 || +++ abs_value(mvP0.y-mvQ0.y) >= 4 || +++ abs_value(mvP1.x-mvQ1.x) >= 4 || +++ abs_value(mvP1.y-mvQ1.y) >= 4) +++ && +++ (abs_value(mvP0.x-mvQ1.x) >= 4 || +++ abs_value(mvP0.y-mvQ1.y) >= 4 || +++ abs_value(mvP1.x-mvQ0.x) >= 4 || +++ abs_value(mvP1.y-mvQ0.y) >= 4)) { +++ bS = 1; +++ } +++ } +++ } +++ } +++ else { +++ bS = 0; // if shdrP==NULL or shdrQ==NULL +++ } ++ ++ /* ++ printf("unimplemented deblocking code for CU at %d;%d\n",xDi,yDi); ++--- a/libde265/sao.cc +++++ b/libde265/sao.cc ++@@ 
-347,7 +347,10 @@ ++ for (int xCtb=0; xCtbget_SliceHeaderCtb(xCtb,yCtb); ++- if (shdr==NULL) { return; } +++ if (shdr==NULL) { +++ delete[] inputCopy; +++ return; +++ } ++ ++ if (cIdx==0 && shdr->slice_sao_luma_flag) { ++ apply_sao(img, xCtb,yCtb, shdr, 0, 1< ++Date: Tue, 24 Jan 2023 16:53:06 +0100 ++Subject: [PATCH] SAO: fix illegal table access when input pixel is out of ++ range (fixes #351) ++ ++--- ++ libde265/sao.cc | 9 ++++++++- ++ 1 file changed, 8 insertions(+), 1 deletion(-) ++ ++--- a/libde265/sao.cc +++++ b/libde265/sao.cc ++@@ -211,11 +211,21 @@ ++ continue; ++ } ++ ++- int bandIdx = bandTable[ in_img[xC+i+(yC+j)*in_stride]>>bandShift ]; ++- ++ // Shifts are a strange thing. On x86, >>x actually computes >>(x%64). ++ // So we have to take care of large bandShifts. ++- if (bandShift>=8) { bandIdx=0; } +++ int bandIdx; +++ if (bandShift >= 8) { +++ bandIdx = 0; +++ } else { +++ int pixel = in_img[xC+i+(yC+j)*in_stride]; +++ +++ // Note: the input pixel value should never exceed the valid range, but it seems that it still does, +++ // maybe when there was a decoding error and the pixels have not been filled in correctly. +++ // Thus, we have to limit the pixel range to ensure that we have no illegal table access. +++ pixel = Clip3(0,maxPixelValue, pixel); +++ +++ bandIdx = bandTable[ pixel>>bandShift ]; +++ } ++ ++ if (bandIdx>0) { ++ int offset = saoinfo->saoOffsetVal[cIdx][bandIdx-1]; ++@@ -237,10 +247,13 @@ ++ for (int j=0;j>bandShift ]; ++- ++ // see above ++- if (bandShift>=8) { bandIdx=0; } +++ int bandIdx; +++ if (bandShift >= 8) { +++ bandIdx = 0; +++ } else { +++ bandIdx = bandTable[ in_img[xC+i+(yC+j)*in_stride]>>bandShift ]; +++ } ++ ++ if (bandIdx>0) { ++ int offset = saoinfo->saoOffsetVal[cIdx][bandIdx-1]; diff --cc debian/patches/check-4-negative-Q-value.patch index 0000000,0000000..0f60895 new file mode 100644 --- /dev/null 
+++ b/debian/patches/check-4-negative-Q-value.patch @@@ -1,0 -1,0 +1,41 @@@ ++Description: check for negative Q-values in invalid input streams ++ This fixes some global buffer overflows in scale_coefficients_internal() ++Origin: https://github.com/strukturag/libde265/commit/282da73366f251edddc40f3908acb313ab5cd420 ++From 282da73366f251edddc40f3908acb313ab5cd420 Mon Sep 17 00:00:00 2001 ++From: Dirk Farin ++Date: Mon, 16 Jul 2018 10:57:50 +0200 ++Subject: [PATCH] check for negative Q-values in invalid input streams ++ ++--- ++ libde265/transform.cc | 10 ++++++++++ ++ 1 file changed, 10 insertions(+) ++ ++diff --git a/libde265/transform.cc b/libde265/transform.cc ++index a844de20a..ef404f8e5 100644 ++--- a/libde265/transform.cc +++++ b/libde265/transform.cc ++@@ -147,6 +147,9 @@ void decode_quantization_parameters(thread_context* tctx, int xC,int yC, ++ (52 + sps.QpBdOffset_Y)) - sps.QpBdOffset_Y; ++ ++ tctx->qPYPrime = QPY + sps.QpBdOffset_Y; +++ if (tctx->qPYPrime<0) { +++ tctx->qPYPrime=0; +++ } ++ ++ int qPiCb = Clip3(-sps.QpBdOffset_C,57, QPY+pps.pic_cb_qp_offset + shdr->slice_cb_qp_offset + tctx->CuQpOffsetCb); ++ int qPiCr = Clip3(-sps.QpBdOffset_C,57, QPY+pps.pic_cr_qp_offset + shdr->slice_cr_qp_offset + tctx->CuQpOffsetCr); ++@@ -169,7 +172,14 @@ void decode_quantization_parameters(thread_context* tctx, int xC,int yC, ++ //printf("q: %d %d\n",qPiCb, qPCb); ++ ++ tctx->qPCbPrime = qPCb + sps.QpBdOffset_C; +++ if (tctx->qPCbPrime<0) { +++ tctx->qPCbPrime = 0; +++ } +++ ++ tctx->qPCrPrime = qPCr + sps.QpBdOffset_C; +++ if (tctx->qPCrPrime<0) { +++ tctx->qPCrPrime = 0; +++ } ++ ++ /* ++ printf("Q: %d (%d %d %d / %d %d) %d %d %d\n",QPY, diff --cc debian/patches/disable_tools.patch index 0000000,0000000..d910591 new file mode 100644 --- /dev/null 
+++ b/debian/patches/disable_tools.patch @@@ -1,0 -1,0 +1,38 @@@ ++Description: Disable building of some internal tools that no longer link ++ because internal symbols are not exported. ++Author: Joachim Bauch ++--- a/Makefile.am +++++ b/Makefile.am ++@@ -8,10 +8,6 @@ ++ SUBDIRS+=dec265 ++ endif ++ ++-SUBDIRS+=enc265 ++-SUBDIRS+=tools ++-SUBDIRS+=acceleration-speed ++- ++ if ENABLE_SHERLOCK265 ++ SUBDIRS+=sherlock265 ++ endif ++--- a/dec265/Makefile.am +++++ b/dec265/Makefile.am ++@@ -1,5 +1,5 @@ ++ ++-bin_PROGRAMS = dec265 hdrcopy +++bin_PROGRAMS = dec265 ++ ++ AM_CPPFLAGS = -I../libde265 ++ ++@@ -9,12 +9,6 @@ ++ dec265_LDADD = ../libde265/libde265.la -lstdc++ ++ dec265_SOURCES = dec265.cc ++ ++-hdrcopy_DEPENDENCIES = ../libde265/libde265.la ++-hdrcopy_CXXFLAGS = ++-hdrcopy_LDFLAGS = ++-hdrcopy_LDADD = ../libde265/libde265.la -lstdc++ ++-hdrcopy_SOURCES = hdrcopy.cc ++- ++ if HAVE_VIDEOGFX ++ dec265_CXXFLAGS += $(VIDEOGFX_CFLAGS) ++ dec265_LDFLAGS += $(VIDEOGFX_LIBS) diff --cc debian/patches/ffmpeg_2.9.patch index 0000000,0000000..aae8e54 new file mode 100644 --- /dev/null +++ b/debian/patches/ffmpeg_2.9.patch @@@ -1,0 -1,0 +1,15 @@@ ++Description: Replace deprecated FFmpeg API ++Author: Andreas Cadhalpun ++Last-Update: <2015-11-02> ++ ++--- a/sherlock265/VideoDecoder.cc +++++ b/sherlock265/VideoDecoder.cc ++@@ -237,7 +237,7 @@ ++ } ++ width = img->get_width(); ++ height = img->get_height(); ++- sws = sws_getContext(width, height, PIX_FMT_YUV420P, width, height, PIX_FMT_BGRA, SWS_FAST_BILINEAR, NULL, NULL, NULL); +++ sws = sws_getContext(width, height, AV_PIX_FMT_YUV420P, width, height, AV_PIX_FMT_BGRA, SWS_FAST_BILINEAR, NULL, NULL, NULL); ++ } ++ ++ int stride[3]; diff --cc debian/patches/fix-invalid-memory-access.patch index 0000000,0000000..e8b13af new file mode 100644 --- /dev/null 
+++ b/debian/patches/fix-invalid-memory-access.patch @@@ -1,0 -1,0 +1,32 @@@ ++Description: fix invalid memory access after unavailable reference frame insertion ++ Needed to avoid asan errors for the version at hand, otherwise the crash even ++ happens before the pocs triggers. ++Origin: https://github.com/strukturag/libde265/commit/ee8e09a7f6f65b7c409c7801ad64918a2925ed9b ++Reviewed-by: Tobias Frost ++Last-Update: 2023-01-24 ++--- ++This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ ++--- a/libde265/decctx.cc +++++ b/libde265/decctx.cc ++@@ -1648,9 +1648,8 @@ ++ PocStCurrBefore[i], false); ++ RefPicSetStCurrBefore[i] = k = concealedPicture; ++ ++- if (concealedPicture < picInAnyList.size()) { ++- picInAnyList[concealedPicture] = true; ++- } +++ picInAnyList.resize(dpb.size(), false); // adjust size of array to hold new picture +++ picInAnyList[concealedPicture] = true; ++ ++ //printf(" concealed: %d\n", concealedPicture); ++ } ++@@ -1671,6 +1670,9 @@ ++ int concealedPicture = generate_unavailable_reference_picture(current_sps.get(), ++ PocStCurrAfter[i], false); ++ RefPicSetStCurrAfter[i] = k = concealedPicture; +++ +++ +++ picInAnyList.resize(dpb.size(), false); // adjust size of array to hold new picture ++ picInAnyList[concealedPicture]=true; ++ ++ //printf(" concealed: %d\n", concealedPicture); diff --cc debian/patches/fix-use-after-free.patch index 0000000,0000000..0c16eb9 new file mode 100644 --- /dev/null 
+++ b/debian/patches/fix-use-after-free.patch @@@ -1,0 -1,0 +1,89 @@@ ++Descriptions: Fix several use after free problems ++ by cherry picking upstream commit. ++Origin: https://github.com/strukturag/libde265/commit/e6a0fea0070014d21b6ca229de195b093ff8e3ad ++From e6a0fea0070014d21b6ca229de195b093ff8e3ad Mon Sep 17 00:00:00 2001 ++From: Dirk Farin ++Date: Fri, 4 May 2018 16:30:37 +0200 ++Subject: [PATCH] reference PPS from slice by shared_ptr to prevent usage after ++ deallocation ++ ++--- ++ libde265/decctx.h | 1 + ++ libde265/encoder/encoder-context.cc | 2 +- ++ libde265/motion.cc | 2 +- ++ libde265/slice.cc | 4 ++-- ++ libde265/slice.h | 3 ++- ++ 5 files changed, 7 insertions(+), 5 deletions(-) ++ ++--- a/libde265/decctx.h +++++ b/libde265/decctx.h ++@@ -306,6 +306,8 @@ ++ /* */ pic_parameter_set* get_pps(int id) { return pps[id].get(); } ++ const pic_parameter_set* get_pps(int id) const { return pps[id].get(); } ++ +++ std::shared_ptr get_shared_pps(int id) { return pps[id]; } +++ ++ /* ++ const slice_segment_header* get_SliceHeader_atCtb(int ctb) { ++ return img->slices[img->get_SliceHeaderIndex_atIndex(ctb)]; ++--- a/libde265/encoder/encoder-context.cc +++++ b/libde265/encoder/encoder-context.cc ++@@ -267,7 +267,7 @@ ++ imgdata->shdr.slice_loop_filter_across_slices_enabled_flag = false; ++ imgdata->shdr.compute_derived_values(pps.get()); ++ ++- imgdata->shdr.pps = &get_pps(); +++ imgdata->shdr.pps = pps; ++ ++ //shdr.slice_pic_order_cnt_lsb = poc & 0xFF; ++ ++--- a/libde265/motion.cc +++++ b/libde265/motion.cc ++@@ -290,7 +290,7 @@ ++ void* pixels[3]; ++ int stride[3]; ++ ++- const pic_parameter_set* pps = shdr->pps; +++ const pic_parameter_set* pps = shdr->pps.get(); ++ const seq_parameter_set* sps = &img->get_sps(); ++ ++ const int SubWidthC = sps->SubWidthC; ++--- a/libde265/slice.cc +++++ b/libde265/slice.cc ++@@ -384,7 +384,7 @@ ++ return DE265_OK; ++ } ++ ++- pps = ctx->get_pps(slice_pic_parameter_set_id); +++ pps = 
ctx->get_shared_pps(slice_pic_parameter_set_id); ++ ++ const seq_parameter_set* sps = pps->sps; ++ if (!sps->sps_read) { ++@@ -872,7 +872,7 @@ ++ } ++ ++ ++- compute_derived_values(pps); +++ compute_derived_values(pps.get()); ++ ++ *continueDecoding = true; ++ return DE265_OK; ++--- a/libde265/slice.h +++++ b/libde265/slice.h ++@@ -33,6 +33,7 @@ ++ ++ #include ++ #include +++#include ++ ++ #define MAX_NUM_REF_PICS 16 ++ ++@@ -145,7 +146,7 @@ ++ ++ ++ int slice_index; // index through all slices in a picture (internal only) ++- const pic_parameter_set* pps; +++ std::shared_ptr pps; ++ ++ ++ char first_slice_segment_in_pic_flag; diff --cc debian/patches/only_export_decoder_api.patch index 0000000,0000000..aedc5a2 new file mode 100644 --- /dev/null 
+++ b/debian/patches/only_export_decoder_api.patch @@@ -1,0 -1,0 +1,285 @@@ ++Description: Only export symbols defined in the decoder API. ++ The encoder API is not final yet, so upstream exports all symbols to make ++ development easier. For packaging we only want to expose the public API. ++Author: Joachim Bauch ++--- a/libde265/encoder/Makefile.am +++++ b/libde265/encoder/Makefile.am ++@@ -10,6 +10,18 @@ ++ encpicbuf.h encpicbuf.cc \ ++ sop.h sop.cc ++ +++libde265_encoder_la_CFLAGS = \ +++ $(CFLAG_VISIBILITY) \ +++ -DLIBDE265_EXPORTS +++libde265_encoder_la_CXXFLAGS += \ +++ $(CFLAG_VISIBILITY) \ +++ -DLIBDE265_EXPORTS +++ +++if HAVE_VISIBILITY +++ libde265_encoder_la_CFLAGS += -DHAVE_VISIBILITY +++ libde265_encoder_la_CXXFLAGS += -DHAVE_VISIBILITY +++endif +++ ++ SUBDIRS=algo ++ libde265_encoder_la_LIBADD = algo/libde265_encoder_algo.la ++ ++--- a/libde265/encoder/algo/Makefile.am +++++ b/libde265/encoder/algo/Makefile.am ++@@ -17,5 +17,13 @@ ++ tb-rateestim.h tb-rateestim.cc \ ++ pb-mv.h pb-mv.cc ++ +++libde265_encoder_algo_la_CXXFLAGS += \ +++ $(CFLAG_VISIBILITY) \ +++ -DLIBDE265_EXPORTS +++ +++if HAVE_VISIBILITY +++ libde265_encoder_algo_la_CXXFLAGS += -DHAVE_VISIBILITY +++endif +++ ++ EXTRA_DIST = \ ++ CMakeLists.txt ++--- a/configure.ac +++++ b/configure.ac ++@@ -50,9 +50,7 @@ ++ fi ++ changequote([,])dnl ++ ++-dnl gl_VISIBILITY ++-dnl : In encoder branch, we still export all library symbols : ++-HAVE_VISIBILITY=0 +++gl_VISIBILITY ++ AM_CONDITIONAL([HAVE_VISIBILITY], [test "x$HAVE_VISIBILITY" != "x0"]) ++ ++ # Checks for header files. 
++--- a/libde265/image-io.cc +++++ b/libde265/image-io.cc ++@@ -183,7 +183,7 @@ ++ } ++ ++ ++-LIBDE265_API PacketSink_File::~PacketSink_File() +++PacketSink_File::~PacketSink_File() ++ { ++ if (mFH) { ++ fclose(mFH); ++@@ -191,7 +191,7 @@ ++ } ++ ++ ++-LIBDE265_API void PacketSink_File::set_filename(const char* filename) +++void PacketSink_File::set_filename(const char* filename) ++ { ++ assert(mFH==NULL); ++ ++@@ -199,7 +199,7 @@ ++ } ++ ++ ++-LIBDE265_API void PacketSink_File::send_packet(const uint8_t* data, int n) +++void PacketSink_File::send_packet(const uint8_t* data, int n) ++ { ++ uint8_t startCode[3]; ++ startCode[0] = 0; ++--- a/libde265/image-io.h +++++ b/libde265/image-io.h ++@@ -30,17 +30,17 @@ ++ class ImageSource ++ { ++ public: ++- LIBDE265_API ImageSource(); ++- virtual LIBDE265_API ~ImageSource() { } +++ ImageSource(); +++ virtual ~ImageSource() { } ++ ++ //enum ImageStatus { Available, Waiting, EndOfVideo }; ++ ++ //virtual ImageStatus get_status() = 0; ++- virtual LIBDE265_API de265_image* get_image(bool block=true) = 0; ++- virtual LIBDE265_API void skip_frames(int n) = 0; +++ virtual de265_image* get_image(bool block=true) = 0; +++ virtual void skip_frames(int n) = 0; ++ ++- virtual LIBDE265_API int get_width() const = 0; ++- virtual LIBDE265_API int get_height() const = 0; +++ virtual int get_width() const = 0; +++ virtual int get_height() const = 0; ++ }; ++ ++ ++@@ -48,17 +48,17 @@ ++ class ImageSource_YUV : public ImageSource ++ { ++ public: ++- LIBDE265_API ImageSource_YUV(); ++- virtual LIBDE265_API ~ImageSource_YUV(); +++ ImageSource_YUV(); +++ virtual ~ImageSource_YUV(); ++ ++- bool LIBDE265_API set_input_file(const char* filename, int w,int h); +++ bool set_input_file(const char* filename, int w,int h); ++ ++ //virtual ImageStatus get_status(); ++- virtual LIBDE265_API de265_image* get_image(bool block=true); ++- virtual LIBDE265_API void skip_frames(int n); +++ virtual de265_image* get_image(bool block=true); +++ virtual void 
skip_frames(int n); ++ ++- virtual LIBDE265_API int get_width() const { return width; } ++- virtual LIBDE265_API int get_height() const { return height; } +++ virtual int get_width() const { return width; } +++ virtual int get_height() const { return height; } ++ ++ private: ++ FILE* mFH; ++@@ -74,20 +74,20 @@ ++ class ImageSink ++ { ++ public: ++- virtual LIBDE265_API ~ImageSink() { } +++ virtual ~ImageSink() { } ++ ++- virtual LIBDE265_API void send_image(const de265_image* img) = 0; +++ virtual void send_image(const de265_image* img) = 0; ++ }; ++ ++ class ImageSink_YUV : public ImageSink ++ { ++ public: ++- LIBDE265_API ImageSink_YUV() : mFH(NULL) { } ++- LIBDE265_API ~ImageSink_YUV(); +++ ImageSink_YUV() : mFH(NULL) { } +++ ~ImageSink_YUV(); ++ ++- bool LIBDE265_API set_filename(const char* filename); +++ bool set_filename(const char* filename); ++ ++- virtual LIBDE265_API void send_image(const de265_image* img); +++ virtual void send_image(const de265_image* img); ++ ++ private: ++ FILE* mFH; ++@@ -98,21 +98,21 @@ ++ class PacketSink ++ { ++ public: ++- virtual LIBDE265_API ~PacketSink() { } +++ virtual ~PacketSink() { } ++ ++- virtual LIBDE265_API void send_packet(const uint8_t* data, int n) = 0; +++ virtual void send_packet(const uint8_t* data, int n) = 0; ++ }; ++ ++ ++ class PacketSink_File : public PacketSink ++ { ++ public: ++- LIBDE265_API PacketSink_File(); ++- virtual LIBDE265_API ~PacketSink_File(); +++ PacketSink_File(); +++ virtual ~PacketSink_File(); ++ ++- LIBDE265_API void set_filename(const char* filename); +++ void set_filename(const char* filename); ++ ++- virtual LIBDE265_API void send_packet(const uint8_t* data, int n); +++ virtual void send_packet(const uint8_t* data, int n); ++ ++ private: ++ FILE* mFH; ++--- a/libde265/configparam.h +++++ b/libde265/configparam.h ++@@ -95,7 +95,7 @@ ++ bool hasLongOption() const { return true; } //mLongOption!=NULL; } ++ std::string getLongOption() const { return mLongOption ? 
std::string(mLongOption) : get_name(); } ++ ++- virtual LIBDE265_API bool processCmdLineArguments(char** argv, int* argc, int idx) { return false; } +++ virtual bool processCmdLineArguments(char** argv, int* argc, int idx) { return false; } ++ ++ ++ ++@@ -132,7 +132,7 @@ ++ virtual std::string get_default_string() const { return default_value ? "true":"false"; } ++ ++ virtual std::string getTypeDescr() const { return "(boolean)"; } ++- virtual LIBDE265_API bool processCmdLineArguments(char** argv, int* argc, int idx) { set(true); return true; } +++ virtual bool processCmdLineArguments(char** argv, int* argc, int idx) { set(true); return true; } ++ ++ bool set(bool v) { value_set=true; value=v; return true; } ++ ++@@ -162,10 +162,10 @@ ++ virtual bool has_default() const { return default_set; } ++ ++ void set_default(std::string v) { default_value=v; default_set=true; } ++- virtual LIBDE265_API std::string get_default_string() const { return default_value; } +++ virtual std::string get_default_string() const { return default_value; } ++ ++- virtual LIBDE265_API std::string getTypeDescr() const { return "(string)"; } ++- virtual LIBDE265_API bool processCmdLineArguments(char** argv, int* argc, int idx); +++ virtual std::string getTypeDescr() const { return "(string)"; } +++ virtual bool processCmdLineArguments(char** argv, int* argc, int idx); ++ ++ bool set(std::string v) { value_set=true; value=v; return true; } ++ ++@@ -201,10 +201,10 @@ ++ virtual bool has_default() const { return default_set; } ++ ++ void set_default(int v) { default_value=v; default_set=true; } ++- virtual LIBDE265_API std::string get_default_string() const; +++ virtual std::string get_default_string() const; ++ ++- virtual LIBDE265_API std::string getTypeDescr() const; ++- virtual LIBDE265_API bool processCmdLineArguments(char** argv, int* argc, int idx); +++ virtual std::string getTypeDescr() const; +++ virtual bool processCmdLineArguments(char** argv, int* argc, int idx); ++ ++ bool set(int 
v) { ++ if (is_valid(v)) { value_set=true; value=v; return true; } ++@@ -239,7 +239,7 @@ ++ virtual std::vector get_choice_names() const = 0; ++ ++ virtual std::string getTypeDescr() const; ++- virtual LIBDE265_API bool processCmdLineArguments(char** argv, int* argc, int idx); +++ virtual bool processCmdLineArguments(char** argv, int* argc, int idx); ++ ++ const char** get_choices_string_table() const; ++ ++@@ -368,10 +368,10 @@ ++ config_parameters() : param_string_table(NULL) { } ++ ~config_parameters() { delete[] param_string_table; } ++ ++- void LIBDE265_API add_option(option_base* o); +++ void add_option(option_base* o); ++ ++- void LIBDE265_API print_params() const; ++- bool LIBDE265_API parse_command_line_params(int* argc, char** argv, int* first_idx=NULL, +++ void print_params() const; +++ bool parse_command_line_params(int* argc, char** argv, int* first_idx=NULL, ++ bool ignore_unknown_options=false); ++ ++ ++--- a/libde265/quality.h +++++ b/libde265/quality.h ++@@ -26,11 +26,11 @@ ++ #include ++ ++ ++-LIBDE265_API uint32_t SSD(const uint8_t* img, int imgStride, +++uint32_t SSD(const uint8_t* img, int imgStride, ++ const uint8_t* ref, int refStride, ++ int width, int height); ++ ++-LIBDE265_API uint32_t SAD(const uint8_t* img, int imgStride, +++uint32_t SAD(const uint8_t* img, int imgStride, ++ const uint8_t* ref, int refStride, ++ int width, int height); ++ ++@@ -41,7 +41,7 @@ ++ LIBDE265_API double PSNR(double mse); ++ ++ ++-LIBDE265_API uint32_t compute_distortion_ssd(const de265_image* img1, const de265_image* img2, +++uint32_t compute_distortion_ssd(const de265_image* img1, const de265_image* img2, ++ int x0, int y0, int log2size, int cIdx); ++ ++ #endif diff --cc debian/patches/recycle_sps_if_possible.patch index 0000000,0000000..279ecbb new file mode 100644 --- /dev/null 
+++ b/debian/patches/recycle_sps_if_possible.patch @@@ -1,0 -1,0 +1,292 @@@ ++Description: Don't update sps if they are only repeated ++Origin: https://github.com/strukturag/libde265/pull/372 ++From 51f07f132f29832e025a8b913b61cbd20257c5fc Mon Sep 17 00:00:00 2001 ++From: Tobias Frost ++Date: Fri, 13 Jan 2023 12:22:45 +0100 ++Subject: [PATCH] Don't update sps if they are only repeated ++ ++This is an attempt to improve the mitigations from #365 and #366 and picks up an idea I described at #345: ++ ++> One way would be just to look at the pointers of the SPS (fast and easy, but ++> may reject more than required), or investigate if the SPS used for the image ++> generations are "compatible". ++ ++This changes do exactly this: It (very conservativly) checks if the old and new sps have ++identical information -- except the reference picture set, which I believe is supposed ++to be updated by new sps'). If they are basically identical, the old sps will be ++used instead of the new one, (of course, reference image set is updated from the new one) ++ ++I'm using standalone operator== and helper functions to avoid changing ABI of the library; ++if an ABI bump would be done, of course this should go to the respective classes. 
++--- ++ libde265/decctx.cc | 273 +++++++++++++++++++++++++++++++++++++++++++++ ++ libde265/sps.cc | 6 + ++ 2 files changed, 279 insertions(+) ++ ++--- a/libde265/decctx.cc +++++ b/libde265/decctx.cc ++@@ -545,6 +545,219 @@ ++ return DE265_OK; ++ } ++ +++// implemented as freestanding functions to avoid changing API +++ +++bool operator==(const profile_data &lhs, const profile_data &rhs) { +++ if(&lhs == &rhs) return true; +++ if(lhs.profile_present_flag != rhs.profile_present_flag ) return false; +++ if(lhs.profile_present_flag) { +++ if(lhs.profile_space != rhs.profile_space ) return false; +++ if(lhs.tier_flag != rhs.tier_flag ) return false; +++ if(lhs.profile_idc != rhs.profile_idc ) return false; +++ +++ if(memcmp(lhs.profile_compatibility_flag, rhs.profile_compatibility_flag, sizeof(rhs.profile_compatibility_flag)) ) return false; +++ +++ if(lhs.progressive_source_flag != rhs.progressive_source_flag ) return false; +++ if(lhs.interlaced_source_flag != rhs.interlaced_source_flag ) return false; +++ if(lhs.non_packed_constraint_flag != rhs.non_packed_constraint_flag ) return false; +++ if(lhs.frame_only_constraint_flag != rhs.frame_only_constraint_flag ) return false; +++ } +++ +++ if(lhs.level_present_flag != rhs.level_present_flag) return false; +++ if(lhs.level_present_flag && lhs.level_idc != rhs.level_idc ) return false; +++ +++ return true; +++} +++ +++bool operator!=(const profile_data &lhs, const profile_data &rhs) { +++ if(&lhs == &rhs) return false; +++ return (!(lhs==rhs)); +++} +++ +++// class does not store max_sub_layers, so operator == cannot be done. 
+++bool isEqual(const profile_tier_level &lhs , const profile_tier_level &rhs, int sps_max_sub_layers ) { +++ if(&lhs == &rhs) return true; +++ +++ if(lhs.general != rhs.general ) return false; +++ for(int i = 0 ; i < sps_max_sub_layers; i++ ) { +++ if(lhs.sub_layer[i] != rhs.sub_layer[i]) return false; +++ } +++ return true; +++} +++ +++bool isEqual(const video_usability_information &lhs, const video_usability_information &rhs, const seq_parameter_set &sps) { +++ if(&lhs == &rhs) return true; +++ +++ // not seen yet if(lhs.nal_hrd_parameters_present_flag != rhs.nal_hrd_parameters_present_flag ) return false; +++ +++ // populated by video_usability_information::read() +++ if(lhs.aspect_ratio_info_present_flag != rhs.aspect_ratio_info_present_flag ) return false; +++ if(lhs.aspect_ratio_info_present_flag) { +++ if(lhs.sar_width != rhs.sar_width ) return false; +++ if(lhs.sar_height != rhs.sar_height ) return false; +++ } +++ +++ if(lhs.overscan_info_present_flag != rhs.overscan_info_present_flag ) return false; +++ if(lhs.overscan_info_present_flag) { +++ if(lhs.overscan_appropriate_flag != rhs.overscan_appropriate_flag ) return false; +++ } +++ +++ if(lhs.video_signal_type_present_flag != rhs.video_signal_type_present_flag ) return false; +++ if(lhs.video_signal_type_present_flag) { +++ if(lhs.video_format != rhs.video_format ) return false; +++ if(lhs.video_full_range_flag != rhs.video_full_range_flag) return false; +++ if(lhs.colour_description_present_flag != rhs.colour_description_present_flag) return false; +++ if(lhs.colour_primaries != rhs.colour_primaries ) return false; +++ if(lhs.transfer_characteristics != rhs.transfer_characteristics ) return false; +++ if(lhs.matrix_coeffs != rhs.matrix_coeffs ) return false; +++ } +++ +++ if(lhs.chroma_loc_info_present_flag != rhs.chroma_loc_info_present_flag ) return false; +++ if(lhs.chroma_loc_info_present_flag) { +++ if(lhs.chroma_sample_loc_type_top_field != rhs.chroma_sample_loc_type_top_field ) return false; 
+++ if(lhs.chroma_sample_loc_type_bottom_field != rhs.chroma_sample_loc_type_bottom_field ) return false; +++ } +++ if(lhs.neutral_chroma_indication_flag != rhs.neutral_chroma_indication_flag ) return false; +++ if(lhs.field_seq_flag != rhs.field_seq_flag ) return false; +++ if(lhs.frame_field_info_present_flag != rhs.frame_field_info_present_flag ) return false; +++ +++ if(lhs.default_display_window_flag != rhs.default_display_window_flag ) return false; +++ if(lhs.default_display_window_flag) { +++ if(lhs.def_disp_win_left_offset != rhs.def_disp_win_left_offset ) return false; +++ if(lhs.def_disp_win_right_offset != rhs.def_disp_win_right_offset ) return false; +++ if(lhs.def_disp_win_top_offset != rhs.def_disp_win_top_offset ) return false; +++ if(lhs.def_disp_win_bottom_offset != rhs.def_disp_win_bottom_offset ) return false; +++ } +++ +++ if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag ) return false; +++ if(lhs.vui_timing_info_present_flag) { +++ if(lhs.vui_num_units_in_tick != rhs.vui_num_units_in_tick ) return false; +++ if(lhs.vui_time_scale != rhs.vui_time_scale ) return false; +++ if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag ) return false; +++ if(lhs.vui_timing_info_present_flag) { +++ if(lhs.vui_num_ticks_poc_diff_one != rhs.vui_num_ticks_poc_diff_one ) return false; +++ } +++ } +++ +++ if(lhs.bitstream_restriction_flag != rhs.bitstream_restriction_flag ) return false; +++ if(lhs.tiles_fixed_structure_flag != rhs.tiles_fixed_structure_flag ) return false; +++ if(lhs.motion_vectors_over_pic_boundaries_flag != rhs.motion_vectors_over_pic_boundaries_flag ) return false; +++ if(lhs.restricted_ref_pic_lists_flag != rhs.restricted_ref_pic_lists_flag ) return false; +++ if(lhs.min_spatial_segmentation_idc != rhs.min_spatial_segmentation_idc ) return false; +++ if(lhs.max_bytes_per_pic_denom != rhs.max_bytes_per_pic_denom ) return false; +++ if(lhs.max_bits_per_min_cu_denom != rhs.max_bits_per_min_cu_denom ) 
return false; +++ if(lhs.log2_max_mv_length_horizontal != rhs.log2_max_mv_length_horizontal ) return false; +++ if(lhs.log2_max_mv_length_vertical != rhs.log2_max_mv_length_vertical ) return false; +++ +++ return true; +++} +++ +++bool operator==(const sps_range_extension &lhs, const sps_range_extension &rhs) { +++ if(&lhs == &rhs) return true; +++ if(lhs.transform_skip_rotation_enabled_flag != rhs.transform_skip_rotation_enabled_flag ) return false; +++ if(lhs.transform_skip_context_enabled_flag != rhs.transform_skip_context_enabled_flag ) return false; +++ if(lhs.implicit_rdpcm_enabled_flag != rhs.implicit_rdpcm_enabled_flag ) return false; +++ if(lhs.explicit_rdpcm_enabled_flag != rhs.explicit_rdpcm_enabled_flag ) return false; +++ if(lhs.extended_precision_processing_flag != rhs.extended_precision_processing_flag ) return false; +++ if(lhs.intra_smoothing_disabled_flag != rhs.intra_smoothing_disabled_flag ) return false; +++ if(lhs.high_precision_offsets_enabled_flag != rhs.high_precision_offsets_enabled_flag ) return false; +++ if(lhs.persistent_rice_adaptation_enabled_flag != rhs.persistent_rice_adaptation_enabled_flag ) return false; +++ if(lhs.cabac_bypass_alignment_enabled_flag != rhs.cabac_bypass_alignment_enabled_flag ) return false; +++ return true; +++} +++ +++bool operator!=(const sps_range_extension &lhs, const sps_range_extension &rhs) { +++ if(&lhs == &rhs) return false; +++ return !(lhs==rhs); +++} +++ +++ +++bool operator==(const seq_parameter_set &lhs, const seq_parameter_set &rhs) { +++ +++ if(&lhs== &rhs) return true; +++ +++ if(lhs.sps_read != rhs.sps_read) return false; +++ +++ if(lhs.video_parameter_set_id != rhs.video_parameter_set_id) return false; +++ if(lhs.sps_max_sub_layers != rhs.sps_max_sub_layers) return false; +++ if(lhs.sps_temporal_id_nesting_flag != rhs.sps_temporal_id_nesting_flag) return false; +++ +++ if(!isEqual(lhs.profile_tier_level_, rhs.profile_tier_level_, lhs.sps_max_sub_layers)) return false; +++ +++ 
if(lhs.seq_parameter_set_id != rhs.seq_parameter_set_id) return false; +++ if(lhs.chroma_format_idc != rhs.chroma_format_idc) return false; +++ +++ if(lhs.separate_colour_plane_flag != rhs.separate_colour_plane_flag) return false; +++ if(lhs.pic_width_in_luma_samples != rhs.pic_width_in_luma_samples) return false; +++ if(lhs.pic_height_in_luma_samples != rhs.pic_height_in_luma_samples) return false; +++ if(lhs.conformance_window_flag != rhs.conformance_window_flag) return false; +++ +++ if(lhs.conformance_window_flag) { +++ if(lhs.conf_win_left_offset != rhs.conf_win_left_offset) return false; +++ if(lhs.conf_win_right_offset != rhs.conf_win_right_offset) return false; +++ if(lhs.conf_win_top_offset != rhs.conf_win_top_offset) return false; +++ if(lhs.conf_win_bottom_offset != rhs.conf_win_bottom_offset) return false; +++ } +++ +++ if(lhs.bit_depth_luma != rhs.bit_depth_luma) return false; +++ if(lhs.bit_depth_chroma != rhs.bit_depth_chroma) return false; +++ +++ if(lhs.log2_max_pic_order_cnt_lsb != rhs.log2_max_pic_order_cnt_lsb) return false; +++ if(lhs.sps_sub_layer_ordering_info_present_flag != rhs.sps_sub_layer_ordering_info_present_flag) return false; +++ +++ if(memcmp(lhs.sps_max_dec_pic_buffering, rhs.sps_max_dec_pic_buffering, sizeof(rhs.sps_max_dec_pic_buffering))) return false; +++ if(memcmp(lhs.sps_max_num_reorder_pics, rhs.sps_max_num_reorder_pics, sizeof(rhs.sps_max_num_reorder_pics))) return false; +++ if(memcmp(lhs.sps_max_latency_increase_plus1, rhs.sps_max_latency_increase_plus1, sizeof(rhs.sps_max_latency_increase_plus1))) return false; +++ +++ if(lhs.log2_min_luma_coding_block_size != rhs.log2_min_luma_coding_block_size) return false; +++ if(lhs.log2_diff_max_min_luma_coding_block_size != rhs.log2_diff_max_min_luma_coding_block_size) return false; +++ if(lhs.log2_min_transform_block_size != rhs.log2_min_transform_block_size) return false; +++ if(lhs.log2_diff_max_min_transform_block_size != rhs.log2_diff_max_min_transform_block_size) return 
false; +++ if(lhs.max_transform_hierarchy_depth_inter != rhs.max_transform_hierarchy_depth_inter) return false; +++ if(lhs.max_transform_hierarchy_depth_intra != rhs.max_transform_hierarchy_depth_intra) return false; +++ +++ if(lhs.scaling_list_enable_flag != rhs.scaling_list_enable_flag) return false; +++ if(lhs.scaling_list_enable_flag) { +++ if(lhs.sps_scaling_list_data_present_flag != rhs.sps_scaling_list_data_present_flag) return false; +++ if(lhs.sps_scaling_list_data_present_flag) { +++ // compare only needed if present, otherwise it is the default scaling list. +++ if(memcmp(&lhs.scaling_list, &rhs.scaling_list, sizeof(rhs.scaling_list))) return false; +++ } +++ } +++ +++ if(lhs.amp_enabled_flag != rhs.amp_enabled_flag) return false; +++ if(lhs.sample_adaptive_offset_enabled_flag != rhs.sample_adaptive_offset_enabled_flag) return false; +++ if(lhs.pcm_enabled_flag != rhs.pcm_enabled_flag) return false; +++ +++ if(lhs.pcm_enabled_flag) { +++ if(lhs.pcm_sample_bit_depth_luma != rhs.pcm_sample_bit_depth_luma) return false; +++ if(lhs.pcm_sample_bit_depth_chroma != rhs.pcm_sample_bit_depth_chroma) return false; +++ if(lhs.log2_min_pcm_luma_coding_block_size != rhs.log2_min_pcm_luma_coding_block_size) return false; +++ if(lhs.log2_diff_max_min_pcm_luma_coding_block_size != rhs.log2_diff_max_min_pcm_luma_coding_block_size) return false; +++ if(lhs.pcm_loop_filter_disable_flag != rhs.pcm_loop_filter_disable_flag) return false; +++ } +++ +++ // (longterm) reference pics likely to change with a new sps, so ignored here. 
+++ +++ if(lhs.sps_temporal_mvp_enabled_flag != rhs.sps_temporal_mvp_enabled_flag) return false; +++ if(lhs.strong_intra_smoothing_enable_flag != rhs.strong_intra_smoothing_enable_flag) return false; +++ +++ if(lhs.vui_parameters_present_flag != rhs.vui_parameters_present_flag) return false; +++ if(lhs.vui_parameters_present_flag) { +++ if(!isEqual(lhs.vui, rhs.vui, lhs )) return false; +++ } +++ +++ if(lhs.sps_extension_present_flag != rhs.sps_extension_present_flag ) return false; +++ if(lhs.sps_extension_present_flag) { +++ if(lhs.sps_range_extension_flag != rhs.sps_range_extension_flag ) return false; +++ if(lhs.sps_multilayer_extension_flag != rhs.sps_multilayer_extension_flag ) return false; +++ if(lhs.sps_extension_6bits != rhs.sps_extension_6bits ) return false; +++ if(lhs.range_extension != rhs.range_extension) return false; +++ } +++ +++ return true; +++} +++ ++ de265_error decoder_context::read_sps_NAL(bitreader& reader) ++ { ++ logdebug(LogHeaders,"----> read SPS\n"); ++@@ -560,6 +773,22 @@ ++ new_sps->dump(param_sps_headers_fd); ++ } ++ +++ if ( sps[ new_sps->seq_parameter_set_id ] ) { +++ auto old_sps = sps[ new_sps->seq_parameter_set_id ].get(); +++ if ( *old_sps == *new_sps ) { +++ // printf(" **** keeping sps *****\n"); +++ // the new sps is identical to the old one, so no replacing needed. +++ // however, reference pics and long-term reference pics might need updating. 
+++ old_sps->ref_pic_sets = new_sps->ref_pic_sets; +++ old_sps->long_term_ref_pics_present_flag = new_sps->long_term_ref_pics_present_flag; +++ memcpy(old_sps->lt_ref_pic_poc_lsb_sps, new_sps->lt_ref_pic_poc_lsb_sps, sizeof(old_sps->lt_ref_pic_poc_lsb_sps)); +++ memcpy(old_sps->used_by_curr_pic_lt_sps_flag, new_sps->used_by_curr_pic_lt_sps_flag, sizeof(old_sps->used_by_curr_pic_lt_sps_flag)); +++ return DE265_OK; +++ } +++ //printf(" **** replacing sps *****\n"); +++ +++ } +++ ++ sps[ new_sps->seq_parameter_set_id ] = new_sps; ++ ++ // Remove the all PPS that referenced the old SPS because parameters may have changed and we do not want to ++--- a/libde265/sps.cc +++++ b/libde265/sps.cc ++@@ -282,6 +282,11 @@ ++ int firstLayer = (sps_sub_layer_ordering_info_present_flag ? ++ 0 : sps_max_sub_layers-1 ); ++ +++ // zero out so that comparing is easier. +++ memset(sps_max_dec_pic_buffering, 0 , sizeof(sps_max_dec_pic_buffering)); +++ memset(sps_max_num_reorder_pics, 0 , sizeof(sps_max_num_reorder_pics)); +++ memset(sps_max_latency_increase_plus1, 0 , sizeof(sps_max_latency_increase_plus1)); +++ ++ for (int i=firstLayer ; i <= sps_max_sub_layers-1; i++ ) { ++ ++ // sps_max_dec_pic_buffering[i] ++@@ -342,6 +347,7 @@ ++ if (sps_scaling_list_data_present_flag) { ++ ++ de265_error err; +++ memset(&scaling_list, 0 , sizeof(scaling_list)); // zero out, so that memcmp will do it to check for equality. ++ if ((err=read_scaling_list(br,this, &scaling_list, false)) != DE265_OK) { ++ return err; ++ } diff --cc debian/patches/reject_reference_pics_from_different_sps.patch index 0000000,0000000..80f24a5 new file mode 100644 --- /dev/null 
+++ b/debian/patches/reject_reference_pics_from_different_sps.patch @@@ -1,0 -1,0 +1,54 @@@ ++Description: Try to mitigate asan failures by rejecting reference pictures not created with the same sps. ++ The reference images might have different parameters (size, pixel depth, etc) and so different memory allocations, ++ leading to out of bound memory reads and writes. ++Origin: https://github.com/strukturag/libde265/pull/365 ++Comment: Analysis of issue https://github.com/strukturag/libde265/issues/345#issuecomment-1346406079 ++From 97dd15303085eae2695a511717bf3239e209df96 Mon Sep 17 00:00:00 2001 ++From: Tobias Frost ++Date: Mon, 12 Dec 2022 14:03:12 +0100 ++Subject: [PATCH] Try to mitigate asan failures. ++MIME-Version: 1.0 ++Content-Type: text/plain; charset=UTF-8 ++Content-Transfer-Encoding: 8bit ++ ++See #345 for my analysis and details… ++ ++(This PR is just for discussion.) ++ ++(The CVE references are obtained from the Debian security tracker, ++which links the issues.) ++ ++This makes the following POCs stop failing: ++ ++- poc3 (#337) ++- poc7-1 (#341) CVE-2022-43239 (note: does NOT fix poc7-2) ++- poc8-2, poc8-3, poc8-4 (#342) CVE-2022-43244 (note: does NOT fix poc8-1) ++- poc11-1, poc11-2 (#345) CVE-2022-43249 ++- poc12 (#346) ++- poc13 (#347) CVE-2022-43252 ++- poc16 (#350) ++--- ++ libde265/motion.cc | 10 ++++++++++ ++ 1 file changed, 10 insertions(+) ++ ++--- a/libde265/motion.cc +++++ b/libde265/motion.cc ++@@ -349,7 +349,17 @@ ++ ++ logtrace(LogMotion, "refIdx: %d -> dpb[%d]\n", vi->refIdx[l], shdr->RefPicList[l][vi->refIdx[l]]); ++ ++- if (refPic->PicState == UnusedForReference) { +++ if (refPic) { +++ auto nonconst_refPic = const_cast(refPic); /* shared_ptr.get() chokes on const.*/ +++ auto refsps = nonconst_refPic->get_shared_sps().get(); +++ auto imgsps = img->get_shared_sps().get(); +++ if(refsps != imgsps) { +++ // rejecting reference image created with different sps. 
+++ refPic = nullptr; +++ } +++ } +++ +++ if (!refPic || refPic->PicState == UnusedForReference) { ++ img->integrity = INTEGRITY_DECODING_ERRORS; ++ ctx->add_warning(DE265_WARNING_NONEXISTING_REFERENCE_PICTURE_ACCESSED, false); ++ diff --cc debian/patches/series index 0000000,0000000..795764e new file mode 100644 --- /dev/null +++ b/debian/patches/series @@@ -1,0 -1,0 +1,17 @@@ ++only_export_decoder_api.patch ++disable_tools.patch ++ffmpeg_2.9.patch ++fix-invalid-memory-access.patch ++CVE-2020-21599.patch ++CVE-2021-35452.patch ++CVE-2021-36408.patch ++CVE-2021-36409.patch ++CVE-2021-36410.patch ++CVE-2021-36411.patch ++reject_reference_pics_from_different_sps.patch ++use_sps_from_the_image.patch ++recycle_sps_if_possible.patch ++check-4-negative-Q-value.patch ++CVE-2022-43245-fix-asan-wildpointer-apply_sao_internal.patch ++CVE-2020-21596-global-buffer-overflow.patch ++fix-use-after-free.patch diff --cc debian/patches/use_sps_from_the_image.patch index 0000000,0000000..552add5 new file mode 100644 --- /dev/null 
+++ b/debian/patches/use_sps_from_the_image.patch @@@ -1,0 -1,0 +1,60 @@@ ++Description: Use sps of the image, not the sps of the pic parameter set (pps) ++ When decoding a slice, all decoding functions are using the sps of the target ++ image to determine the image properties, which are in the seqquence parameter ++ set) -- execpt generate_inter_prediction_samples(), which uses the sps from the ++ pps, which might have different properties and trick the decode to out-of-bound ++ memory accesses, leading to crashes. ++Origin: https://github.com/strukturag/libde265/pull/366 ++From 36391cda3d4e4fb3269a2ce310e6e0f634729f0b Mon Sep 17 00:00:00 2001 ++From: Tobias Frost ++Date: Mon, 12 Dec 2022 14:33:40 +0100 ++Subject: [PATCH] Use the sps from the image ++ ++(as e.g mc_chroma is using the sps to determine ++picture properties, like pic_width_in_luma_samples ++and pic_height_in_luma_samples, I *think* this is ++more correct. ++ ++This PR is for discussion. (See #345.) ++It makes the failures go away, but that does not mean it's correct :) ++ ++The following poc will be stop failing if (only) this ++patch is applied: ++ ++ - poc2 #336 - CVE-2022-43238 ++ - poc4 #338 - CVE-2022-43241 ++ - poc6-1, poc6-2 #340 - CVE-2022-43242 ++ - poc7-1, poc7-2 #341 - CVE-2022-43239 ++ - poc8-1 #342 - CVE-2022-43244 ++ - poc9-3 #343 - CVE-2022-43236 ++ - poc10-2, poc10-3 #344 - CVE-2022-43237 ++ - poc16 #350 ++ - poc19 #353 ++ ++The following are still failing if only this patch is ++applied, but they stop failing if #365 is applied as well, but will ++still fail with ONLY #365 applied (IOW, both are needed) ++ ++ - poc1 #335 - CVE-2022-43240 ++ - poc3 #337 - CVE-2022-43235 ++ - poc5 #339 - CVE-2022-43423 ++ - poc9-1,poc9-2, poc9-4 #343 - CVE-2022-43236 ++ - poc14 #348 - CVE-2022-43253 ++ - poc15 #349 - CVE-2022-43248 ++ - poc17-1, poc17-2 #351 ++ - poc18 #352 - CVE-2022-43245 ++--- ++ libde265/motion.cc | 2 +- ++ 1 file changed, 1 insertion(+), 1 deletion(-) ++ ++--- a/libde265/motion.cc 
+++++ b/libde265/motion.cc ++@@ -291,7 +291,7 @@ ++ int stride[3]; ++ ++ const pic_parameter_set* pps = shdr->pps; ++- const seq_parameter_set* sps = pps->sps; +++ const seq_parameter_set* sps = &img->get_sps(); ++ ++ const int SubWidthC = sps->SubWidthC; ++ const int SubHeightC = sps->SubHeightC; diff --cc debian/rules index 0000000,0000000..c7ce6f7 new file mode 100755 --- /dev/null +++ b/debian/rules @@@ -1,0 -1,0 +1,16 @@@ ++#!/usr/bin/make -f ++#export DH_VERBOSE=1 ++ ++%: ++ dh $@ ++ ++override_dh_auto_install: ++ dh_auto_install ++ cd $(CURDIR)/debian/tmp/usr/bin/ && mv dec265 libde265-dec265 ++ if [ -e "$(CURDIR)/debian/tmp/usr/bin/sherlock265" ]; then \ ++ cd $(CURDIR)/debian/tmp/usr/bin/ && mv sherlock265 \ ++ libde265-sherlock265; \ ++ fi ++ ++override_dh_strip: ++ dh_strip --ddeb-migration='libde265-dbg (<< 1.0.2-2~)' diff --cc debian/source/format index 0000000,0000000..163aaf8 new file mode 100644 --- /dev/null +++ b/debian/source/format @@@ -1,0 -1,0 +1,1 @@@ ++3.0 (quilt) diff --cc debian/watch index 0000000,0000000..1f72711 new file mode 100644 --- /dev/null +++ b/debian/watch @@@ -1,0 -1,0 +1,4 @@@ ++version=3 ++opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/libde265-$1\.tar\.gz/,\ ++downloadurlmangle=s/.+\/v?(\d\S*)\.tar\.gz/https:\/\/github\.com\/strukturag\/libde265\/releases\/download\/v$1\/libde265-$1\.tar\.gz/ \ ++ https://github.com/strukturag/libde265/tags .*/v?(\d\S*)\.tar\.gz
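Review bot: in the read_sps_NAL hunk of recycle_sps_if_possible.patch (libde265/decctx.cc, @@ -560,6 +773,22 @@), the branch taken when `*old_sps == *new_sps` writes into the stored SPS in place (`old_sps->ref_pic_sets = new_sps->ref_pic_sets;` plus the two memcpy calls), so every holder of that SPS object sees its reference picture sets change underneath it. Please add a comment stating why no picture or slice still being decoded can depend on the old values at this point, or defer the update until that is guaranteed. The branch copies lt_ref_pic_poc_lsb_sps and used_by_curr_pic_lt_sps_flag but no entry count for them appears in the visible lines; if that count is not covered by operator==, it has to be copied here as well. The two commented-out printf lines should be removed or turned into logdebug calls like the one at the top of the function.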
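Review bot: in libde265/sps.cc, @@ -342,6 +347,7 @@, the added `memset(&scaling_list, 0 , sizeof(scaling_list));` exists only so that the memcmp in the new operator== gives a stable answer, which makes SPS equality depend on every byte of the struct, padding included, being written identically on each parse. A field-wise comparison of the scaling list would remove that hidden coupling. If memcmp stays, the comment here should name the comparison that relies on it, and the same goes for the three memset calls added in @@ -282,6 +282,11 @@, whose comment only says "zero out so that comparing is easier".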
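Review bot: in reject_reference_pics_from_different_sps.patch (libde265/motion.cc, @@ -349,7 +349,17 @@), the test `if(refsps != imgsps)` compares raw pointer identity, not SPS contents, so a stream that re-sends an identical SPS would have its reference pictures rejected unless the stored object is reused. That reuse is what recycle_sps_if_possible.patch provides, so the dependency should be stated in this patch's Description and kept in mind for the order in debian/patches/series. The const_cast that works around get_shared_sps() is better replaced by a const accessor on the image. The rejection also reports DE265_WARNING_NONEXISTING_REFERENCE_PICTURE_ACCESSED, which hides the actual cause; a distinct warning or a log line for the SPS mismatch would make these streams easier to triage.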
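Review bot: in use_sps_from_the_image.patch (libde265/motion.cc, @@ -291,7 +291,7 @@), `pps` is still taken from `shdr->pps` while `sps` now comes from `img->get_sps()`, and nothing in the hunk checks that the two belong together. If the rest of the function reads pps fields that were parsed against a different SPS, the mismatch is only moved, not removed; consider detecting `pps->sps` differing from the image's SPS here and marking the image with a decoding error instead of continuing. On the documentation side, the description lists poc5 as CVE-2022-43423, an id that does not appear in the cumulative list in debian/changelog (which has CVE-2022-43243); please confirm which one is meant.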