From 6264ac63b5bea8869a79455d18553dc76b4e69a7 Mon Sep 17 00:00:00 2001 From: Dirk Farin Date: Tue, 5 Apr 2022 17:53:43 +0200 Subject: [PATCH] [PATCH] fix assertion when reading invalid scaling_list (#300) Gbp-Pq: Name 0004-CVE-2021-36409.patch --- libde265/sps.cc | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libde265/sps.cc b/libde265/sps.cc index 387ea75..8a4f955 100644 --- a/libde265/sps.cc +++ b/libde265/sps.cc @@ -879,19 +879,23 @@ de265_error read_scaling_list(bitreader* br, const seq_parameter_set* sps, //int n = ((sizeId==3) ? 2 : 6); uint8_t scaling_list[6][32*32]; + // Note: we use a different matrixId for the second matrix of size 3 (we use '3' instead of '1'). for (int matrixId=0 ; matrixId<6 ; matrixId += (sizeId==3 ? 3 : 1)) { uint8_t* curr_scaling_list = scaling_list[matrixId]; int scaling_list_dc_coef; - int canonicalMatrixId = matrixId; - if (sizeId==3 && matrixId==1) { canonicalMatrixId=3; } - //printf("----- matrix %d\n",matrixId); char scaling_list_pred_mode_flag = get_bits(br,1); if (!scaling_list_pred_mode_flag) { int scaling_list_pred_matrix_id_delta = get_uvlc(br); + + if (sizeId==3) { + // adapt to our changed matrixId for size 3 + scaling_list_pred_matrix_id_delta *= 3; + } + if (scaling_list_pred_matrix_id_delta == UVLC_ERROR || scaling_list_pred_matrix_id_delta > matrixId) { return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE; 
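Review bot: The added `scaling_list_pred_matrix_id_delta *= 3;` runs before the value is compared with `UVLC_ERROR`, so for `sizeId==3` an error return from `get_uvlc()` is tripled and no longer equals the sentinel. If `UVLC_ERROR` is negative (its definition is not visible here), the tripled value also passes the `> matrixId` test and reaches the `mID` computation later in the function. Test the error first with `if (scaling_list_pred_matrix_id_delta == UVLC_ERROR) { return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE; }`, then scale, then compare with `matrixId`. Bounding the value before the multiply also keeps a large decoded value from overflowing `int`. The body of `read_scaling_list` begins and ends outside this hunk.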
@@ -907,15 +911,14 @@ de265_error read_scaling_list(bitreader* br, const seq_parameter_set* sps, memcpy(curr_scaling_list, default_ScalingList_4x4, 16); } else { - if (canonicalMatrixId<3) + if (matrixId<3) { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); } else { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); } } } else { - // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ? - if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); } + if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==3); } int mID = matrixId - scaling_list_pred_matrix_id_delta; -- 2.30.2
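Review bot: The `assert(scaling_list_pred_matrix_id_delta==3)` at the end of this hunk still checks a value decoded from the bitstream, and it is compiled out when the library is built with `NDEBUG`. That leaves `mID = matrixId - scaling_list_pred_matrix_id_delta` to be computed from whatever got past the earlier range check, while builds that keep asserts abort the process on a malformed stream instead of reporting a decode error. Returning an error matches the rest of the function: `if (sizeId==3 && scaling_list_pred_matrix_id_delta!=3) { return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE; }`. How `mID` is used lies outside the hunk, so the effect of an unexpected value there should be confirmed against the full function.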