File: 0001-h266parser-Fix-overflow-when-parsing-subpic_level_in.patch

package info (click to toggle)
gst-plugins-bad1.0 1.26.2-3
  • links: PTS, VCS
  • area: main
  • in suites: trixie
  • size: 70,052 kB
  • sloc: ansic: 722,676; cpp: 276,878; objc: 3,556; xml: 3,351; sh: 1,035; python: 473; makefile: 175; java: 75
file content (62 lines) | stat: -rw-r--r-- 2,939 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
 
From 596cf19c0c4c92b31c4ef315a0278586b0772b93 Mon Sep 17 00:00:00 2001
From: He Junyan <junyan.he@intel.com>
Date: Tue, 24 Jun 2025 21:40:26 +0800
Subject: [PATCH 1/3] h266parser: Fix overflow when parsing subpic_level_info

1. non_subpic_layers_fraction, ref_level_idc and ref_level_fraction_minus1
   fields should not have the GST_H266_MAX_SUBLAYERS limitation.
2. Should check max_sublayers_minus1, no more than GST_H266_MAX_SUBLAYERS-1

Fixes ZDI-CAN-27381, CVE-2025-6663

Closes: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4503
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9295>
---
 .../gst-libs/gst/codecparsers/gsth266parser.c             | 4 ++++
 .../gst-libs/gst/codecparsers/gsth266parser.h             | 8 +++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/gst-libs/gst/codecparsers/gsth266parser.c b/gst-libs/gst/codecparsers/gsth266parser.c
index ec861dea47..0f52e5fa4e 100644
--- a/gst-libs/gst/codecparsers/gsth266parser.c
+++ b/gst-libs/gst/codecparsers/gsth266parser.c
@@ -1620,6 +1620,10 @@ gst_h266_parser_parse_subpic_level_info (GstH266SubPicLevelInfo * sli,
     READ_UE_MAX (nr, sli->num_subpics_minus1, GST_H266_MAX_SLICES_PER_AU - 1);

   READ_UINT8 (nr, sli->max_sublayers_minus1, 3);
+  /* The value of sli_max_sublayers_minus1 shall be equal to
+     vps_max_sublayers_minus1. */
+  CHECK_ALLOWED_MAX (sli->max_sublayers_minus1, GST_H266_MAX_SUBLAYERS - 1);
+
   READ_UINT8 (nr, sli->sublayer_info_present_flag, 1);

   while (!nal_reader_is_byte_aligned (nr))
diff --git a/gst-libs/gst/codecparsers/gsth266parser.h b/gst-libs/gst/codecparsers/gsth266parser.h
index a53e0ea615..a9df8d86c7 100644
--- a/gst-libs/gst/codecparsers/gsth266parser.h
+++ b/gst-libs/gst/codecparsers/gsth266parser.h
@@ -43,6 +43,8 @@ G_BEGIN_DECLS
 /* 7.4.3.3 The value of vps_max_sublayers_minus1
  * shall be in the range of 0 to 6, inclusive */
 #define GST_H266_MAX_SUBLAYERS 7
+/* 3-bit minus1 value, so max is 7+1 */
+#define GST_H266_MAX_SLI_REF_LEVELS 8
 /* 7.4.3.3 vps_num_output_layer_sets_minus2 is u(8) */
 #define GST_H266_MAX_TOTAL_NUM_OLSS 257
 /* 7.4.3.3 vps_num_ptls_minus1 shall be less than TotalNumOlss,
@@ -3171,9 +3173,9 @@ struct _GstH266SubPicLevelInfo {
   guint16 num_subpics_minus1;
   guint8 max_sublayers_minus1;
   guint8 sublayer_info_present_flag;
-  guint8 non_subpic_layers_fraction[GST_H266_MAX_SUBLAYERS][GST_H266_MAX_SUBLAYERS];
-  guint8 ref_level_idc[GST_H266_MAX_SUBLAYERS][GST_H266_MAX_SUBLAYERS];
-  guint8 ref_level_fraction_minus1[GST_H266_MAX_SUBLAYERS][GST_H266_MAX_SLICES_PER_AU][GST_H266_MAX_SUBLAYERS];
+  guint8 non_subpic_layers_fraction[GST_H266_MAX_SLI_REF_LEVELS][GST_H266_MAX_SUBLAYERS];
+  guint8 ref_level_idc[GST_H266_MAX_SLI_REF_LEVELS][GST_H266_MAX_SUBLAYERS];
+  guint8 ref_level_fraction_minus1[GST_H266_MAX_SLI_REF_LEVELS][GST_H266_MAX_SLICES_PER_AU][GST_H266_MAX_SUBLAYERS];
 };

 /**
--
2.50.0