From: Dirk Farin <dirk.farin@gmail.com>
Date: Tue, 5 Apr 2022 15:53:43 +0000 (+0200)
Subject: [PATCH] fix assertion when reading invalid scaling_list (#300)
X-Git-Tag: archive/raspbian/1.0.3-1+rpi1+deb10u1^2~3
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=fdeca97d3565e0882c86a3d413d201b29cf8bf4d;p=libde265.git

[PATCH] fix assertion when reading invalid scaling_list (#300)


Gbp-Pq: Name CVE-2021-36409.patch
---

diff --git a/libde265/sps.cc b/libde265/sps.cc
index 00b54dd..ab05290 100644
--- a/libde265/sps.cc
+++ b/libde265/sps.cc
@@ -881,19 +881,23 @@ de265_error read_scaling_list(bitreader* br, const seq_parameter_set* sps,
     int n = ((sizeId==3) ? 2 : 6);
     uint8_t scaling_list[6][32*32];
 
+    // Note: we use a different matrixId for the second matrix of size 3 (we use '3' instead of '1').
     for (int matrixId=0;matrixId<n;matrixId++) {
       uint8_t* curr_scaling_list = scaling_list[matrixId];
       int scaling_list_dc_coef;
 
-      int canonicalMatrixId = matrixId;
-      if (sizeId==3 && matrixId==1) { canonicalMatrixId=3; }
-
 
       //printf("----- matrix %d\n",matrixId);
 
       char scaling_list_pred_mode_flag = get_bits(br,1);
       if (!scaling_list_pred_mode_flag) {
         int scaling_list_pred_matrix_id_delta = get_uvlc(br);
+
+	if (sizeId==3) {
+	  // adapt to our changed matrixId for size 3
+	  scaling_list_pred_matrix_id_delta *= 3;
+	}
+
         if (scaling_list_pred_matrix_id_delta == UVLC_ERROR ||
             scaling_list_pred_matrix_id_delta > matrixId) {
           return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
@@ -909,15 +913,14 @@ de265_error read_scaling_list(bitreader* br, const seq_parameter_set* sps,
             memcpy(curr_scaling_list, default_ScalingList_4x4, 16);
           }
           else {
-            if (canonicalMatrixId<3)
+            if (matrixId<3)
               { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); }
             else
               { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); }
           }
         }
         else {
-          // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ?
-          if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); }
+          if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==3); }
 
           int mID = matrixId - scaling_list_pred_matrix_id_delta;