From: Maintainers of GStreamer packages <gst-plugins-bad1.0@packages.debian.org>
Date: Sun, 26 Nov 2023 20:55:02 +0000 (+0200)
Subject: CVE-2023-40476
X-Git-Tag: archive/raspbian/1.14.4-1+rvt+deb10u5^2~2
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=fcc883a4378e07c7a8ae59d74e2ed421d617e93d;p=gst-plugins-bad1.0.git

CVE-2023-40476

commit fddda166222a067d0e511950a0a8cfb9f5a521b7
Author: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Date:   Wed Aug 9 12:49:19 2023 -0400

    h265parser: Fix possible overflow using max_sub_layers_minus1

    This fixes a possible overflow that can be triggered by an invalid value of
    max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
    but the allowed range is 0 to 6 only.

    Fixes ZDI-CAN-21768, CVE-2023-40476

    Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895

    Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5366>


Gbp-Pq: Name CVE-2023-40476.patch
---

diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
index c59b58b..6c53e23 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
@@ -1415,6 +1415,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
 
   READ_UINT8 (&nr, vps->max_layers_minus1, 6);
   READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
+  CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
   READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
 
   /* skip reserved_0xffff_16bits */
@@ -1558,6 +1559,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
   sps->vps = vps;
 
   READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
+  CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
   READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
 
   if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,