From 9839bec8f0ad8c561cd63866b2bcae87258f87b5 Mon Sep 17 00:00:00 2001
From: Dirk Farin <dirk.farin@gmail.com>
Date: Sat, 4 Mar 2023 10:27:59 +0100
Subject: [PATCH] [PATCH] check for valid slice header index access (fixes
 #394)

Gbp-Pq: Name CVE-2023-27103.patch
---
 libde265/de265.cc  |  2 ++
 libde265/de265.h   |  3 ++-
 libde265/motion.cc | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/libde265/de265.cc b/libde265/de265.cc
index ab96e77..6ff0191 100644
--- a/libde265/de265.cc
+++ b/libde265/de265.cc
@@ -174,6 +174,8 @@ LIBDE265_API const char* de265_get_error_text(de265_error err)
     return "Bit-depth of current image does not match SPS";
   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
     return "Chroma format of reference image does not match current image";
+  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
+    return "Access with invalid slice header index";
 
   default: return "unknown error";
   }
diff --git a/libde265/de265.h b/libde265/de265.h
index 51147cc..b160be4 100644
--- a/libde265/de265.h
+++ b/libde265/de265.h
@@ -145,7 +145,8 @@ typedef enum {
   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
   DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
   DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
-  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
+  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
+  DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
 } de265_error;
 
 LIBDE265_API const char* de265_get_error_text(de265_error err);
diff --git a/libde265/motion.cc b/libde265/motion.cc
index 5c47404..f33e23f 100644
--- a/libde265/motion.cc
+++ b/libde265/motion.cc
@@ -1266,6 +1266,16 @@ void derive_collocated_motion_vectors(base_context* ctx,
 
 
 
+  int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
+  if (slice_hdr_idx >= colImg->slices.size()) {
+    ctx->add_warning(DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, false);
+
+    *out_availableFlagLXCol = 0;
+    out_mvLXCol->x = 0;
+    out_mvLXCol->y = 0;
+    return;
+  }
+
   const slice_segment_header* colShdr = colImg->slices[ colImg->get_SliceHeaderIndex(xColPb,yColPb) ];
 
   if (shdr->LongTermRefPic[X][refIdxLX] !=
-- 
2.30.2