Package: libde265 / 1.0.11-1+deb12u2

CVE-2023-27103.patch Patch series | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
 
commit d6bf73e765b7a23627bfd7a8645c143fd9097995
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Sat Mar 4 10:27:59 2023 +0100

    check for valid slice header index access (fixes #394)

Index: libde265-1.0.11/libde265/de265.cc
===================================================================
--- libde265-1.0.11.orig/libde265/de265.cc	2023-11-19 19:08:22.851224558 +0100
+++ libde265-1.0.11/libde265/de265.cc	2023-11-19 19:08:22.847224554 +0100
@@ -174,6 +174,8 @@
     return "Bit-depth of current image does not match SPS";
   case DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH:
     return "Chroma format of reference image does not match current image";
+  case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
+    return "Access with invalid slice header index";
 
   default: return "unknown error";
   }
Index: libde265-1.0.11/libde265/de265.h
===================================================================
--- libde265-1.0.11.orig/libde265/de265.h	2023-11-19 19:08:22.851224558 +0100
+++ libde265-1.0.11/libde265/de265.h	2023-11-19 19:08:22.847224554 +0100
@@ -145,7 +145,8 @@
   DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
   DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
   DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
-  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032
+  DE265_WARNING_REFERENCE_IMAGE_CHROMA_FORMAT_DOES_NOT_MATCH=1032,
+  DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
 } de265_error;
 
 LIBDE265_API const char* de265_get_error_text(de265_error err);
Index: libde265-1.0.11/libde265/motion.cc
===================================================================
--- libde265-1.0.11.orig/libde265/motion.cc	2023-11-19 19:08:22.851224558 +0100
+++ libde265-1.0.11/libde265/motion.cc	2023-11-19 19:08:22.847224554 +0100
@@ -1266,6 +1266,16 @@
 
 
 
+  int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
+  if (slice_hdr_idx >= colImg->slices.size()) {
+    ctx->add_warning(DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, false);
+
+    *out_availableFlagLXCol = 0;
+    out_mvLXCol->x = 0;
+    out_mvLXCol->y = 0;
+    return;
+  }
+
   const slice_segment_header* colShdr = colImg->slices[ colImg->get_SliceHeaderIndex(xColPb,yColPb) ];
 
   if (shdr->LongTermRefPic[X][refIdxLX] !=