summary |
shortlog | log |
commit |
commitdiff |
tree
first ⋅ prev ⋅ next
Tobias Frost [Mon, 12 Dec 2022 13:33:40 +0000 (14:33 +0100)]
[PATCH] Use the sps from the image
(as e.g mc_chroma is using the sps to determine
picture properties, like pic_width_in_luma_samples
and pic_height_in_luma_samples, I *think* this is
more correct.
This PR is for discussion. (See #345.)
It makes the failures go away, but that does not mean it's correct :)
The following poc will be stop failing if (only) this
patch is applied:
- poc2 #336 - CVE-2022-43238
- poc4 #338 - CVE-2022-43241
- poc6-1, poc6-2 #340 - CVE-2022-43242
- poc7-1, poc7-2 #341 - CVE-2022-43239
- poc8-1 #342 - CVE-2022-43244
- poc9-3 #343 - CVE-2022-43236
- poc10-2, poc10-3 #344 - CVE-2022-43237
- poc16 #350
- poc19 #353
The following are still failing if only this patch is
applied, but they stop failing if #365 is applied as well, but will
still fail with ONLY #365 applied (IOW, both are needed)
- poc1 #335 - CVE-2022-43240
- poc3 #337 - CVE-2022-43235
- poc5 #339 - CVE-2022-43423
- poc9-1,poc9-2, poc9-4 #343 - CVE-2022-43236
- poc14 #348 - CVE-2022-43253
- poc15 #349 - CVE-2022-43248
- poc17-1, poc17-2 #351
- poc18 #352 - CVE-2022-43245
Gbp-Pq: Name use_sps_from_the_image.patch
Tobias Frost [Mon, 12 Dec 2022 13:03:12 +0000 (14:03 +0100)]
[PATCH] Try to mitigate asan failures.
See #345 for my analysis and details…
(This PR is just for discussion.)
(The CVE references are obtained from the Debian security tracker,
which links the issues.)
This makes the following POCs stop failing:
- poc3 (#337)
- poc7-1 (#341) CVE-2022-43239 (note: does NOT fix poc7-2)
- poc8-2, poc8-3, poc8-4 (#342) CVE-2022-43244 (note: does NOT fix poc8-1)
- poc11-1, poc11-2 (#345) CVE-2022-43249
- poc12 (#346)
- poc13 (#347) CVE-2022-43252
- poc16 (#350)
Gbp-Pq: Name reject_reference_pics_from_different_sps.patch
Joachim Bauch [Fri, 29 Dec 2023 22:03:02 +0000 (23:03 +0100)]
Disable building of some internal tools that no longer link
because internal symbols are no longer exported.
Gbp-Pq: Name disable_tools.patch
Joachim Bauch [Fri, 29 Dec 2023 22:03:02 +0000 (23:03 +0100)]
Only export symbols defined in the decoder API.
The encoder API is not final yet, so upstream exports all symbols to make
development easier. For packaging we only want to expose the public API.
Gbp-Pq: Name only_export_decoder_api.patch
Thorsten Alteholz [Fri, 29 Dec 2023 22:03:02 +0000 (23:03 +0100)]
libde265 (1.0.11-0+deb11u3) bullseye; urgency=high
* Non-maintainer upload by the LTS Team.
(Closes: #
1059275)
* CVE-2023-49465
heap-buffer-overflow in derive_spatial_luma_vector_prediction()
* CVE-2023-49467
heap-buffer-overflow in derive_combined_bipredictive_merging_candidates()
* CVE-2023-49468
global buffer overflow in read_coding_unit()
[dgit import unpatched libde265 1.0.11-0+deb11u3]
Thorsten Alteholz [Fri, 29 Dec 2023 22:03:02 +0000 (23:03 +0100)]
Import libde265_1.0.11-0+deb11u3.debian.tar.xz
[dgit import tarball libde265 1.0.11-0+deb11u3 libde265_1.0.11-0+deb11u3.debian.tar.xz]
Tobias Frost [Sat, 4 Feb 2023 16:18:48 +0000 (17:18 +0100)]
Import libde265_1.0.11.orig.tar.gz
[dgit import orig libde265_1.0.11.orig.tar.gz]
projects / libde265.git / log