From fa88fb72586b0a744f7f58ab6d1ef6ff2b8c249d Mon Sep 17 00:00:00 2001
From: jeanlf <jeanlf@gpac.io>
Date: Wed, 4 Jan 2023 10:56:03 +0100
Subject: [PATCH] [PATCH] fixed #2366

Gbp-Pq: Name CVE-2023-23143.patch
---
 src/media_tools/av_parsers.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/media_tools/av_parsers.c b/src/media_tools/av_parsers.c
index 3ae894b..40f9bd2 100644
--- a/src/media_tools/av_parsers.c
+++ b/src/media_tools/av_parsers.c
@@ -5558,9 +5558,10 @@ static s32 avc_parse_slice(GF_BitStream *bs, AVCState *avc, Bool svc_idr_flag, A
 	if (si->slice_type > 9) return -1;
 
 	pps_id = gf_bs_get_ue(bs);
-	if ((pps_id < 0) || (pps_id > 255)) return -1;
+	if ((pps_id < 0) || (pps_id >= 255)) return -1;
 	si->pps = &avc->pps[pps_id];
 	if (!si->pps->slice_group_count) return -2;
+        if (si->pps->sps_id>=32) return -1;
 	si->sps = &avc->sps[si->pps->sps_id];
 	if (!si->sps->log2_max_frame_num) return -2;
 	avc->sps_active_idx = si->pps->sps_id;
@@ -5668,7 +5669,7 @@ static s32 svc_parse_slice(GF_BitStream *bs, AVCState *avc, AVCSliceInfo *si)
 	if (si->slice_type > 9) return -1;
 
 	pps_id = gf_bs_get_ue(bs);
-	if ((pps_id < 0) || (pps_id > 255))
+	if ((pps_id < 0) || (pps_id >= 255))
 		return -1;
 	si->pps = &avc->pps[pps_id];
 	si->pps->id = pps_id;
-- 
2.30.2