From 9229127c76508aa1b29d62a1331497aa47f8341b Mon Sep 17 00:00:00 2001
From: Debian Multimedia Maintainers
Date: Wed, 1 Sep 2021 20:50:08 +0100
Subject: [PATCH] CVE-2021-30014_CVE-2021-30020_CVE-2021-30022 Backport of
From 51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 Mon Sep 17 00:00:00 2001
From: jeanlf
Date: Mon, 29 Mar 2021 09:34:02 +0200
Subject: [PATCH] add safety in avc/hevc/vvc sps/pps/vps ID check - cf #1720 #1721 #1722
Gbp-Pq: Name CVE-2021-30014_CVE-2021-30020_CVE-2021-30022.patch
---
 src/media_tools/av_parsers.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c
index 3d7520f..6fb3d6f 100644
--- a/src/media_tools/av_parsers.c
+++ b/src/media_tools/av_parsers.c
@@ -5012,10 +5012,7 @@ static s32 gf_media_avc_read_sps_bs_internal(GF_BitStream *bs, AVCState *avc, u3
 by subset SPS. According to the SVC standard, subset SPS can have the same sps_id than its base layer, but it does not refer to the same SPS. */
 sps_id = gf_bs_get_ue(bs) + GF_SVC_SSPS_ID_SHIFT * subseq_sps;
- if (sps_id >= 32) {
- return -1;
- }
- if (sps_id < 0) {
+ if ((sps_id < 0) || (sps_id >= 32)) {
 return -1;
 }
@@ -5342,7 +5339,7 @@ static s32 gf_media_avc_read_pps_bs_internal(GF_BitStream *bs, AVCState *avc, u3
 /*nal_hdr = */gf_bs_read_u8(bs);
 }
 pps_id = gf_bs_get_ue(bs);
- if (pps_id >= 255) {
+ if ((pps_id<0) || (pps_id >= 255)) {
 return -1;
 }
 pps = &avc->pps[pps_id];
@@ -5350,7 +5347,7 @@ static s32 gf_media_avc_read_pps_bs_internal(GF_BitStream *bs, AVCState *avc, u3
 if (!pps->status) pps->status = 1;
 pps->sps_id = gf_bs_get_ue(bs);
- if (pps->sps_id >= 32) {
+ if ((pps->sps_id<0) || (pps->sps_id >= 32)) {
 pps->sps_id = 0;
 return -1;
 }
@@ -6595,7 +6592,7 @@ s32 hevc_parse_slice_segment(GF_BitStream *bs, HEVCState *hevc, HEVCSliceInfo *s
 }
 pps_id = gf_bs_get_ue(bs);
- if (pps_id >= 64)
+ if ((pps_id<0) || (pps_id >= 64))
 return -1;
 pps = &hevc->pps[pps_id];
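Review bot: The new `pps_id<0` test in gf_media_avc_read_pps_bs_internal protects `avc->pps[pps_id]` only if pps_id is declared signed, and the declaration is outside the hunk, so that should be confirmed; the same holds for `pps->sps_id` in the next hunk and for pps_id in hevc_parse_slice_segment. Nothing at these checks says why an id read with gf_bs_get_ue() can be negative, so I would add a comment such as `/* a large exp-Golomb value wraps negative in the signed id and would index before the table */` (this assumes gf_bs_get_ue() returns an unsigned value, which the patch does not show). The limits 255, 32 and 64 are bare literals; writing the upper bound from the array itself, e.g. `pps_id >= (s32)(sizeof(avc->pps)/sizeof(avc->pps[0]))`, would keep the guard in step with the table size.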
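Review bot: On the rejection path in the second gf_media_avc_read_pps_bs_internal hunk, the PPS slot has already been marked by `if (!pps->status) pps->status = 1;` before `pps->sps_id` is validated, and the error branch then leaves the slot bound to SPS 0. If later code treats a non-zero status as "this PPS was parsed" (the consumers are outside the hunk, so this is an inference), a malformed PPS leaves a valid-looking entry that refers to an SPS which may never have been received. I would read into a local first, e.g. `s32 sps_id = gf_bs_get_ue(bs); if ((sps_id<0) || (sps_id >= 32)) return -1;`, and only then assign `pps->sps_id` and set `pps->status`. The function body continues outside the hunk, so the remaining early returns deserve the same look.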
@@ -7409,7 +7406,7 @@ static s32 gf_media_hevc_read_vps_bs_internal(GF_BitStream *bs, HEVCState *hevc,
 //nalu header already parsed
 vps_id = gf_bs_read_int(bs, 4);
- if (vps_id >= 16) return -1;
+ if ((vps_id<0) || (vps_id >= 16)) return -1;
 vps = &hevc->vps[vps_id];
 vps->bit_pos_vps_extensions = -1;
@@ -7637,7 +7634,7 @@ static s32 gf_media_hevc_read_sps_bs_internal(GF_BitStream *bs, HEVCState *hevc,
 //nalu header already parsed
 vps_id = gf_bs_read_int(bs, 4);
- if (vps_id >= 16) {
+ if ((vps_id<0) || (vps_id >= 16)) {
 return -1;
 }
 memset(&ptl, 0, sizeof(ptl));
-- 
2.30.2
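Review bot: The added `vps_id<0` test in gf_media_hevc_read_vps_bs_internal looks unreachable, because vps_id comes from `gf_bs_read_int(bs, 4)` and a 4-bit field can only hold 0 to 15, unless that reader reports errors through its return value, which the hunk does not show; the same applies to the identical change in gf_media_hevc_read_sps_bs_internal. It is harmless as defence in depth, but a comment such as `/* defensive only: a 4-bit read stays within 0..15 */` would keep a later reader from taking it for the guard that matters. The ids that can actually leave their range in these two functions are presumably the variable-length ones parsed further down, outside both hunks, so it is worth confirming that each of them gets the same two-sided check before it indexes a table.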