From 25329da4b78aa677a134db6a6b04fa19eedbca5a Mon Sep 17 00:00:00 2001
From: Dirk Farin <dirk.farin@gmail.com>
Date: Tue, 23 Feb 2021 15:11:09 +0100
Subject: [PATCH] [PATCH] return error when PCM bits parameter exceeds pixel
 depth (#225)

Gbp-Pq: Name CVE-2020-21599.patch
---
 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/libde265/de265.cc b/libde265/de265.cc
index ec432be..8eabb70 100644
--- a/libde265/de265.cc
+++ b/libde265/de265.cc
@@ -156,6 +156,8 @@ LIBDE265_API const char* de265_get_error_text(de265_error err)
     return "SPS header missing, cannot decode SEI";
   case DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA:
     return "collocated motion-vector is outside image area";
+  case DE265_WARNING_PCM_BITDEPTH_TOO_LARGE:
+    return "PCM bit-depth too large";
 
   default: return "unknown error";
   }
diff --git a/libde265/de265.h b/libde265/de265.h
index 6481d8f..d23959a 100644
--- a/libde265/de265.h
+++ b/libde265/de265.h
@@ -135,7 +135,8 @@ typedef enum {
   DE265_NON_EXISTING_LT_REFERENCE_CANDIDATE_IN_SLICE_HEADER=1023,
   DE265_WARNING_CANNOT_APPLY_SAO_OUT_OF_MEMORY=1024,
   DE265_WARNING_SPS_MISSING_CANNOT_DECODE_SEI=1025,
-  DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA=1026
+  DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA=1026,
+  DE265_WARNING_PCM_BITDEPTH_TOO_LARGE=1027
 } de265_error;
 
 LIBDE265_API const char* de265_get_error_text(de265_error err);
diff --git a/libde265/sps.cc b/libde265/sps.cc
index 15bc5af..00b54dd 100644
--- a/libde265/sps.cc
+++ b/libde265/sps.cc
@@ -360,6 +360,16 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br)
     READ_VLC_OFFSET(log2_min_pcm_luma_coding_block_size, uvlc, 3);
     READ_VLC(log2_diff_max_min_pcm_luma_coding_block_size, uvlc);
     pcm_loop_filter_disable_flag = get_bits(br,1);
+
+    if (pcm_sample_bit_depth_luma > bit_depth_luma) {
+      errqueue->add_warning(DE265_WARNING_PCM_BITDEPTH_TOO_LARGE, false);
+      return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
+    }
+
+    if (pcm_sample_bit_depth_chroma > bit_depth_chroma) {
+      errqueue->add_warning(DE265_WARNING_PCM_BITDEPTH_TOO_LARGE, false);
+      return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
+    }
   }
   else {
     pcm_sample_bit_depth_luma = 0;
-- 
2.30.2