Codebase list libde265 / 6348bc9
Merge branch 'tobi_NMU_15_CVE' into 'master' Tobi nmu 15 cve See merge request multimedia-team/libde265!3 Sebastian Ramacher 1 year, 3 months ago
7 changed file(s) with 492 addition(s) and 4 deletion(s). Raw diff Collapse all Expand all
+3
-0
debian/.gitlab-ci.yml less more
0 include:
1 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
2
+30
-1
debian/changelog less more
0 libde265 (1.0.9-1.1) unstable; urgency=medium
1
2 * Non-maintainer upload.
3 * Apply patches to mitigate asan failures:
4 reject_reference_pics_from_different_sps.patch and
5 use_sps_from_the_image.patch.
6 * Combined, this two patches fixes:
7 - CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #1025816)
8 - CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238,
9 CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242,
10 CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #1027179)
11 - CVE-2022-47655
12 * Additional patch recycle_sps_if_possible.patch to avoid over-rejecting
13 valid video streams due to reject_reference_pics_from_different_sps.patch.
14 * Modifying past changelog entries to indicate when vulnerabilities were
15 fixed:
16 - In 1.0.9-1, in total 11 CVE's. see #1004963 and #1014999
17 - In 1.0.3-1, 1 CVE, see #1029396
18 * drop unused Build-Depends: libjpeg-dev, libpng-dev and libxv-dev
19 (Closes: #981260)
20
21 -- Tobias Frost <tobi@debian.org> Sun, 22 Jan 2023 13:19:20 +0100
22
023 libde265 (1.0.9-1) unstable; urgency=medium
124
225 * Add "Rules-Requires-Root: no".
3 * New upstream version 1.0.9
26 * New upstream version 1.0.9.
27 Bisecting shows that this version fixed this CVES:
28 - CVE-2020-21598, CVE-2020-21600, CVE-2020-21602 (Closes: #1004963)
29 - CVE-2020-21595, CVE-2020-21597, CVE-2020-21599, CVE-2020-21601,
30 CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606
31 (Closes: #1014999)
432 * Remove patches now part of upstream release.
533 * Bump "Standards-Version" to 4.6.1
634 * Add patch to provide "gl_VISIBILITY" macro.
77105
78106 [ Joachim Bauch ]
79107 * Imported Upstream version 1.0.3
108 This version fixes CVE-2020-21594. (Closes: #1029396)
80109 * Update patches for new upstream version.
81110 * Update symbols for new upstream version.
82111 * Update standards version and switch to debhelper 10.
+0
-3
debian/control less more
66 Joachim Bauch <bauch@struktur.de>
77 Build-Depends:
88 debhelper-compat (= 13),
9 libjpeg-dev,
10 libpng-dev,
119 qtbase5-dev | libqt4-dev,
1210 libsdl-dev,
1311 libswscale-dev,
1412 libx11-dev,
1513 libxext-dev,
16 libxv-dev,
1714 pkg-config
1815 Rules-Requires-Root: no
1916 Standards-Version: 4.6.1
+340
-0
debian/patches/recycle_sps_if_possible.patch less more
0 Description: Don't update sps if they are only repeated
1 Origin: https://github.com/strukturag/libde265/pull/372
2 From 51f07f132f29832e025a8b913b61cbd20257c5fc Mon Sep 17 00:00:00 2001
3 From: Tobias Frost <tobi@debian.org>
4 Date: Fri, 13 Jan 2023 12:22:45 +0100
5 Subject: [PATCH] Don't update sps if they are only repeated
6
7 This is an attempt to improve the mitigations from #365 and #366 and picks up an idea I described at #345:
8
9 > One way would be just to look at the pointers of the SPS (fast and easy, but
10 > may reject more than required), or investigate if the SPS used for the image
11 > generations are "compatible".
12
13 This changes do exactly this: It (very conservativly) checks if the old and new sps have
14 identical information -- except the reference picture set, which I believe is supposed
15 to be updated by new sps'). If they are basically identical, the old sps will be
16 used instead of the new one, (of course, reference image set is updated from the new one)
17
18 I'm using standalone operator== and helper functions to avoid changing ABI of the library;
19 if an ABI bump would be done, of course this should go to the respective classes.
20 ---
21 libde265/decctx.cc | 273 +++++++++++++++++++++++++++++++++++++++++++++
22 libde265/sps.cc | 6 +
23 2 files changed, 279 insertions(+)
24
25 diff --git a/libde265/decctx.cc b/libde265/decctx.cc
26 index 6701725f..0000b25d 100644
27 --- a/libde265/decctx.cc
28 +++ b/libde265/decctx.cc
29 @@ -545,6 +545,263 @@ de265_error decoder_context::read_vps_NAL(bitreader& reader)
30 return DE265_OK;
31 }
32
33 +// implemented as freestanding functions to avoid changing API
34 +
35 +bool operator==(const profile_data &lhs, const profile_data &rhs) {
36 + if(&lhs == &rhs) return true;
37 + if(lhs.profile_present_flag != rhs.profile_present_flag ) return false;
38 + if(lhs.profile_present_flag) {
39 + if(lhs.profile_space != rhs.profile_space ) return false;
40 + if(lhs.tier_flag != rhs.tier_flag ) return false;
41 + if(lhs.profile_idc != rhs.profile_idc ) return false;
42 +
43 + if(memcmp(lhs.profile_compatibility_flag, rhs.profile_compatibility_flag, sizeof(rhs.profile_compatibility_flag)) ) return false;
44 +
45 + if(lhs.progressive_source_flag != rhs.progressive_source_flag ) return false;
46 + if(lhs.interlaced_source_flag != rhs.interlaced_source_flag ) return false;
47 + if(lhs.non_packed_constraint_flag != rhs.non_packed_constraint_flag ) return false;
48 + if(lhs.frame_only_constraint_flag != rhs.frame_only_constraint_flag ) return false;
49 + }
50 +
51 + if(lhs.level_present_flag != rhs.level_present_flag) return false;
52 + if(lhs.level_present_flag && lhs.level_idc != rhs.level_idc ) return false;
53 +
54 + return true;
55 +}
56 +
57 +bool operator!=(const profile_data &lhs, const profile_data &rhs) {
58 + if(&lhs == &rhs) return false;
59 + return (!(lhs==rhs));
60 +}
61 +
62 +// class does not store max_sub_layers, so operator == cannot be done.
63 +bool isEqual(const profile_tier_level &lhs , const profile_tier_level &rhs, int sps_max_sub_layers ) {
64 + if(&lhs == &rhs) return true;
65 +
66 + if(lhs.general != rhs.general ) return false;
67 + for(int i = 0 ; i < sps_max_sub_layers; i++ ) {
68 + if(lhs.sub_layer[i] != rhs.sub_layer[i]) return false;
69 + }
70 + return true;
71 +}
72 +
73 +bool isEqual(const video_usability_information &lhs, const video_usability_information &rhs, const seq_parameter_set &sps) {
74 + if(&lhs == &rhs) return true;
75 +
76 + // not seen yet if(lhs.nal_hrd_parameters_present_flag != rhs.nal_hrd_parameters_present_flag ) return false;
77 +
78 + // populated by video_usability_information::read()
79 + if(lhs.aspect_ratio_info_present_flag != rhs.aspect_ratio_info_present_flag ) return false;
80 + if(lhs.aspect_ratio_info_present_flag) {
81 + if(lhs.sar_width != rhs.sar_width ) return false;
82 + if(lhs.sar_height != rhs.sar_height ) return false;
83 + }
84 +
85 + if(lhs.overscan_info_present_flag != rhs.overscan_info_present_flag ) return false;
86 + if(lhs.overscan_info_present_flag) {
87 + if(lhs.overscan_appropriate_flag != rhs.overscan_appropriate_flag ) return false;
88 + }
89 +
90 + if(lhs.video_signal_type_present_flag != rhs.video_signal_type_present_flag ) return false;
91 + if(lhs.video_signal_type_present_flag) {
92 + if(lhs.video_format != rhs.video_format ) return false;
93 + if(lhs.video_full_range_flag != rhs.video_full_range_flag) return false;
94 + if(lhs.colour_description_present_flag != rhs.colour_description_present_flag) return false;
95 + if(lhs.colour_primaries != rhs.colour_primaries ) return false;
96 + if(lhs.transfer_characteristics != rhs.transfer_characteristics ) return false;
97 + if(lhs.matrix_coeffs != rhs.matrix_coeffs ) return false;
98 + }
99 +
100 + if(lhs.chroma_loc_info_present_flag != rhs.chroma_loc_info_present_flag ) return false;
101 + if(lhs.chroma_loc_info_present_flag) {
102 + if(lhs.chroma_sample_loc_type_top_field != rhs.chroma_sample_loc_type_top_field ) return false;
103 + if(lhs.chroma_sample_loc_type_bottom_field != rhs.chroma_sample_loc_type_bottom_field ) return false;
104 + }
105 + if(lhs.neutral_chroma_indication_flag != rhs.neutral_chroma_indication_flag ) return false;
106 + if(lhs.field_seq_flag != rhs.field_seq_flag ) return false;
107 + if(lhs.frame_field_info_present_flag != rhs.frame_field_info_present_flag ) return false;
108 +
109 + if(lhs.default_display_window_flag != rhs.default_display_window_flag ) return false;
110 + if(lhs.default_display_window_flag) {
111 + if(lhs.def_disp_win_left_offset != rhs.def_disp_win_left_offset ) return false;
112 + if(lhs.def_disp_win_right_offset != rhs.def_disp_win_right_offset ) return false;
113 + if(lhs.def_disp_win_top_offset != rhs.def_disp_win_top_offset ) return false;
114 + if(lhs.def_disp_win_bottom_offset != rhs.def_disp_win_bottom_offset ) return false;
115 + }
116 +
117 + if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag ) return false;
118 + if(lhs.vui_timing_info_present_flag) {
119 + if(lhs.vui_num_units_in_tick != rhs.vui_num_units_in_tick ) return false;
120 + if(lhs.vui_time_scale != rhs.vui_time_scale ) return false;
121 + if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag ) return false;
122 + if(lhs.vui_timing_info_present_flag) {
123 + if(lhs.vui_num_ticks_poc_diff_one != rhs.vui_num_ticks_poc_diff_one ) return false;
124 + }
125 + }
126 +
127 + if(lhs.vui_hrd_parameters_present_flag != rhs.vui_hrd_parameters_present_flag ) return false;
128 +
129 +
130 + if(lhs.vui_hrd_parameters_present_flag) {
131 + // check things made by hrd_parametes
132 +
133 + if(lhs.vui_hrd_parameters_present_flag != rhs.vui_hrd_parameters_present_flag ) return false;
134 + if(lhs.vcl_hrd_parameters_present_flag != rhs.vcl_hrd_parameters_present_flag ) return false;
135 +
136 + if(lhs.nal_hrd_parameters_present_flag || lhs.vcl_hrd_parameters_present_flag) {
137 + if(lhs.sub_pic_hrd_params_present_flag != rhs.sub_pic_hrd_params_present_flag ) return false;
138 + if(lhs.sub_pic_hrd_params_present_flag) {
139 + if(lhs.tick_divisor_minus2 != rhs.tick_divisor_minus2 ) return false;
140 + if(lhs.du_cpb_removal_delay_increment_length_minus1 != rhs.du_cpb_removal_delay_increment_length_minus1 ) return false;
141 + if(lhs.sub_pic_cpb_params_in_pic_timing_sei_flag != rhs.sub_pic_cpb_params_in_pic_timing_sei_flag ) return false;
142 + if(lhs.dpb_output_delay_du_length_minus1 != rhs.dpb_output_delay_du_length_minus1 ) return false;
143 + }
144 + if(lhs.bit_rate_scale != rhs.bit_rate_scale ) return false;
145 + if(lhs.cpb_size_scale != rhs.cpb_size_scale ) return false;
146 + if(lhs.sub_pic_hrd_params_present_flag) {
147 + if(lhs.cpb_size_du_scale != rhs.cpb_size_du_scale ) return false;
148 + }
149 + if(lhs.initial_cpb_removal_delay_length_minus1 != rhs.initial_cpb_removal_delay_length_minus1 ) return false;
150 + if(lhs.au_cpb_removal_delay_length_minus1 != rhs.au_cpb_removal_delay_length_minus1 ) return false;
151 + if(lhs.dpb_output_delay_length_minus1 != rhs.dpb_output_delay_length_minus1 ) return false;
152 + }
153 +
154 + int i;
155 + unsigned int j, nalOrVcl;
156 +
157 + for (i = 0; i < sps.sps_max_sub_layers; i++) {
158 + if(lhs.fixed_pic_rate_general_flag[i] != rhs.fixed_pic_rate_general_flag[i] ) return false;
159 + if(lhs.fixed_pic_rate_general_flag[i]) {
160 + if(lhs.elemental_duration_in_tc_minus1[i] != rhs.elemental_duration_in_tc_minus1[i] ) return false;
161 + }
162 + if(lhs.low_delay_hrd_flag[i] != rhs.low_delay_hrd_flag[i] ) return false;
163 + if(lhs.cpb_cnt_minus1[i] != rhs.cpb_cnt_minus1[i] ) return false;
164 +
165 + for (nalOrVcl = 0; nalOrVcl < 2; nalOrVcl++) {
166 + if (((nalOrVcl == 0) && lhs.nal_hrd_parameters_present_flag) || ((nalOrVcl == 1) && lhs.vcl_hrd_parameters_present_flag)) {
167 + for (j = 0; j <= lhs.cpb_cnt_minus1[i]; j++) {
168 + if(lhs.bit_rate_value_minus1[i][j][nalOrVcl] != rhs.bit_rate_value_minus1[i][j][nalOrVcl]) return false;
169 + if(lhs.cpb_size_value_minus1[i][j][nalOrVcl] != rhs.cpb_size_value_minus1[i][j][nalOrVcl]) return false;
170 +
171 + if (lhs.sub_pic_hrd_params_present_flag) {
172 + if(lhs.cpb_size_du_value_minus1[i][j][nalOrVcl] != rhs.cpb_size_du_value_minus1[i][j][nalOrVcl]) return false;
173 + if(lhs.bit_rate_du_value_minus1[i][j][nalOrVcl] != rhs.bit_rate_du_value_minus1[i][j][nalOrVcl]) return false;
174 + }
175 + if( lhs.cbr_flag[i][j][nalOrVcl] != rhs.cbr_flag[i][j][nalOrVcl]) return false;
176 + }
177 + }
178 + }
179 + }
180 + }
181 + return true;
182 +}
183 +
184 +bool operator==(const sps_range_extension &lhs, const sps_range_extension &rhs) {
185 + if(&lhs == &rhs) return true;
186 + if(lhs.transform_skip_rotation_enabled_flag != rhs.transform_skip_rotation_enabled_flag ) return false;
187 + if(lhs.transform_skip_context_enabled_flag != rhs.transform_skip_context_enabled_flag ) return false;
188 + if(lhs.implicit_rdpcm_enabled_flag != rhs.implicit_rdpcm_enabled_flag ) return false;
189 + if(lhs.explicit_rdpcm_enabled_flag != rhs.explicit_rdpcm_enabled_flag ) return false;
190 + if(lhs.extended_precision_processing_flag != rhs.extended_precision_processing_flag ) return false;
191 + if(lhs.intra_smoothing_disabled_flag != rhs.intra_smoothing_disabled_flag ) return false;
192 + if(lhs.high_precision_offsets_enabled_flag != rhs.high_precision_offsets_enabled_flag ) return false;
193 + if(lhs.persistent_rice_adaptation_enabled_flag != rhs.persistent_rice_adaptation_enabled_flag ) return false;
194 + if(lhs.cabac_bypass_alignment_enabled_flag != rhs.cabac_bypass_alignment_enabled_flag ) return false;
195 + return true;
196 +}
197 +
198 +bool operator!=(const sps_range_extension &lhs, const sps_range_extension &rhs) {
199 + if(&lhs == &rhs) return false;
200 + return !(lhs==rhs);
201 +}
202 +
203 +
204 +bool operator==(const seq_parameter_set &lhs, const seq_parameter_set &rhs) {
205 +
206 + if(&lhs== &rhs) return true;
207 +
208 + if(lhs.sps_read != rhs.sps_read) return false;
209 +
210 + if(lhs.video_parameter_set_id != rhs.video_parameter_set_id) return false;
211 + if(lhs.sps_max_sub_layers != rhs.sps_max_sub_layers) return false;
212 + if(lhs.sps_temporal_id_nesting_flag != rhs.sps_temporal_id_nesting_flag) return false;
213 +
214 + if(!isEqual(lhs.profile_tier_level_, rhs.profile_tier_level_, lhs.sps_max_sub_layers)) return false;
215 +
216 + if(lhs.seq_parameter_set_id != rhs.seq_parameter_set_id) return false;
217 + if(lhs.chroma_format_idc != rhs.chroma_format_idc) return false;
218 +
219 + if(lhs.separate_colour_plane_flag != rhs.separate_colour_plane_flag) return false;
220 + if(lhs.pic_width_in_luma_samples != rhs.pic_width_in_luma_samples) return false;
221 + if(lhs.pic_height_in_luma_samples != rhs.pic_height_in_luma_samples) return false;
222 + if(lhs.conformance_window_flag != rhs.conformance_window_flag) return false;
223 +
224 + if(lhs.conformance_window_flag) {
225 + if(lhs.conf_win_left_offset != rhs.conf_win_left_offset) return false;
226 + if(lhs.conf_win_right_offset != rhs.conf_win_right_offset) return false;
227 + if(lhs.conf_win_top_offset != rhs.conf_win_top_offset) return false;
228 + if(lhs.conf_win_bottom_offset != rhs.conf_win_bottom_offset) return false;
229 + }
230 +
231 + if(lhs.bit_depth_luma != rhs.bit_depth_luma) return false;
232 + if(lhs.bit_depth_chroma != rhs.bit_depth_chroma) return false;
233 +
234 + if(lhs.log2_max_pic_order_cnt_lsb != rhs.log2_max_pic_order_cnt_lsb) return false;
235 + if(lhs.sps_sub_layer_ordering_info_present_flag != rhs.sps_sub_layer_ordering_info_present_flag) return false;
236 +
237 + if(memcmp(lhs.sps_max_dec_pic_buffering, rhs.sps_max_dec_pic_buffering, sizeof(rhs.sps_max_dec_pic_buffering))) return false;
238 + if(memcmp(lhs.sps_max_num_reorder_pics, rhs.sps_max_num_reorder_pics, sizeof(rhs.sps_max_num_reorder_pics))) return false;
239 + if(memcmp(lhs.sps_max_latency_increase_plus1, rhs.sps_max_latency_increase_plus1, sizeof(rhs.sps_max_latency_increase_plus1))) return false;
240 +
241 + if(lhs.log2_min_luma_coding_block_size != rhs.log2_min_luma_coding_block_size) return false;
242 + if(lhs.log2_diff_max_min_luma_coding_block_size != rhs.log2_diff_max_min_luma_coding_block_size) return false;
243 + if(lhs.log2_min_transform_block_size != rhs.log2_min_transform_block_size) return false;
244 + if(lhs.log2_diff_max_min_transform_block_size != rhs.log2_diff_max_min_transform_block_size) return false;
245 + if(lhs.max_transform_hierarchy_depth_inter != rhs.max_transform_hierarchy_depth_inter) return false;
246 + if(lhs.max_transform_hierarchy_depth_intra != rhs.max_transform_hierarchy_depth_intra) return false;
247 +
248 + if(lhs.scaling_list_enable_flag != rhs.scaling_list_enable_flag) return false;
249 + if(lhs.scaling_list_enable_flag) {
250 + if(lhs.sps_scaling_list_data_present_flag != rhs.sps_scaling_list_data_present_flag) return false;
251 + if(lhs.sps_scaling_list_data_present_flag) {
252 + // compare only needed if present, otherwise it is the default scaling list.
253 + if(memcmp(&lhs.scaling_list, &rhs.scaling_list, sizeof(rhs.scaling_list))) return false;
254 + }
255 + }
256 +
257 + if(lhs.amp_enabled_flag != rhs.amp_enabled_flag) return false;
258 + if(lhs.sample_adaptive_offset_enabled_flag != rhs.sample_adaptive_offset_enabled_flag) return false;
259 + if(lhs.pcm_enabled_flag != rhs.pcm_enabled_flag) return false;
260 +
261 + if(lhs.pcm_enabled_flag) {
262 + if(lhs.pcm_sample_bit_depth_luma != rhs.pcm_sample_bit_depth_luma) return false;
263 + if(lhs.pcm_sample_bit_depth_chroma != rhs.pcm_sample_bit_depth_chroma) return false;
264 + if(lhs.log2_min_pcm_luma_coding_block_size != rhs.log2_min_pcm_luma_coding_block_size) return false;
265 + if(lhs.log2_diff_max_min_pcm_luma_coding_block_size != rhs.log2_diff_max_min_pcm_luma_coding_block_size) return false;
266 + if(lhs.pcm_loop_filter_disable_flag != rhs.pcm_loop_filter_disable_flag) return false;
267 + }
268 +
269 + // (longterm) reference pics likely to change with a new sps, so ignored here.
270 +
271 + if(lhs.sps_temporal_mvp_enabled_flag != rhs.sps_temporal_mvp_enabled_flag) return false;
272 + if(lhs.strong_intra_smoothing_enable_flag != rhs.strong_intra_smoothing_enable_flag) return false;
273 +
274 + if(lhs.vui_parameters_present_flag != rhs.vui_parameters_present_flag) return false;
275 + if(lhs.vui_parameters_present_flag) {
276 + if(!isEqual(lhs.vui, rhs.vui, lhs )) return false;
277 + }
278 +
279 + if(lhs.sps_extension_present_flag != rhs.sps_extension_present_flag ) return false;
280 + if(lhs.sps_extension_present_flag) {
281 + if(lhs.sps_range_extension_flag != rhs.sps_range_extension_flag ) return false;
282 + if(lhs.sps_multilayer_extension_flag != rhs.sps_multilayer_extension_flag ) return false;
283 + if(lhs.sps_extension_6bits != rhs.sps_extension_6bits ) return false;
284 + if(lhs.range_extension != rhs.range_extension) return false;
285 + }
286 +
287 + return true;
288 +}
289 +
290 de265_error decoder_context::read_sps_NAL(bitreader& reader)
291 {
292 logdebug(LogHeaders,"----> read SPS\n");
293 @@ -560,6 +817,22 @@ de265_error decoder_context::read_sps_NAL(bitreader& reader)
294 new_sps->dump(param_sps_headers_fd);
295 }
296
297 + if ( sps[ new_sps->seq_parameter_set_id ] ) {
298 + auto old_sps = sps[ new_sps->seq_parameter_set_id ].get();
299 + if ( *old_sps == *new_sps ) {
300 + // printf(" **** keeping sps *****\n");
301 + // the new sps is identical to the old one, so no replacing needed.
302 + // however, reference pics and long-term reference pics might need updating.
303 + old_sps->ref_pic_sets = new_sps->ref_pic_sets;
304 + old_sps->long_term_ref_pics_present_flag = new_sps->long_term_ref_pics_present_flag;
305 + memcpy(old_sps->lt_ref_pic_poc_lsb_sps, new_sps->lt_ref_pic_poc_lsb_sps, sizeof(old_sps->lt_ref_pic_poc_lsb_sps));
306 + memcpy(old_sps->used_by_curr_pic_lt_sps_flag, new_sps->used_by_curr_pic_lt_sps_flag, sizeof(old_sps->used_by_curr_pic_lt_sps_flag));
307 + return DE265_OK;
308 + }
309 + //printf(" **** replacing sps *****\n");
310 +
311 + }
312 +
313 sps[ new_sps->seq_parameter_set_id ] = new_sps;
314
315 // Remove the all PPS that referenced the old SPS because parameters may have changed and we do not want to
316 diff --git a/libde265/sps.cc b/libde265/sps.cc
317 index f1c28255..31ce9470 100644
318 --- a/libde265/sps.cc
319 +++ b/libde265/sps.cc
320 @@ -287,6 +287,11 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br)
321 int firstLayer = (sps_sub_layer_ordering_info_present_flag ?
322 0 : sps_max_sub_layers-1 );
323
324 + // zero out so that comparing is easier.
325 + memset(sps_max_dec_pic_buffering, 0 , sizeof(sps_max_dec_pic_buffering));
326 + memset(sps_max_num_reorder_pics, 0 , sizeof(sps_max_num_reorder_pics));
327 + memset(sps_max_latency_increase_plus1, 0 , sizeof(sps_max_latency_increase_plus1));
328 +
329 for (int i=firstLayer ; i <= sps_max_sub_layers-1; i++ ) {
330
331 // sps_max_dec_pic_buffering[i]
332 @@ -347,6 +352,7 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br)
333 if (sps_scaling_list_data_present_flag) {
334
335 de265_error err;
336 + memset(&scaling_list, 0 , sizeof(scaling_list)); // zero out, so that memcmp will do it to check for equality.
337 if ((err=read_scaling_list(br,this, &scaling_list, false)) != DE265_OK) {
338 return err;
339 }
+54
-0
debian/patches/reject_reference_pics_from_different_sps.patch less more
0 Description: Try to mitigate asan failures by rejecting reference pictures not created with the same sps.
1 The reference images might have different parameters (size, pixel depth, etc) and so different memory allocations,
2 leading to out of bound memory reads and writes.
3 Origin: https://github.com/strukturag/libde265/pull/365
4 Comment: Analysis of issue https://github.com/strukturag/libde265/issues/345#issuecomment-1346406079
5 From 97dd15303085eae2695a511717bf3239e209df96 Mon Sep 17 00:00:00 2001
6 From: Tobias Frost <tobi@debian.org>
7 Date: Mon, 12 Dec 2022 14:03:12 +0100
8 Subject: [PATCH] Try to mitigate asan failures.
9 MIME-Version: 1.0
10 Content-Type: text/plain; charset=UTF-8
11 Content-Transfer-Encoding: 8bit
12
13 See #345 for my analysis and details…
14
15 (This PR is just for discussion.)
16
17 (The CVE references are obtained from the Debian security tracker,
18 which links the issues.)
19
20 This makes the following POCs stop failing:
21
22 - poc3 (#337)
23 - poc7-1 (#341) CVE-2022-43239 (note: does NOT fix poc7-2)
24 - poc8-2, poc8-3, poc8-4 (#342) CVE-2022-43244 (note: does NOT fix poc8-1)
25 - poc11-1, poc11-2 (#345) CVE-2022-43249
26 - poc12 (#346)
27 - poc13 (#347) CVE-2022-43252
28 - poc16 (#350)
29 ---
30 libde265/motion.cc | 10 ++++++++++
31 1 file changed, 10 insertions(+)
32
33 diff --git a/libde265/motion.cc b/libde265/motion.cc
34 index 8bbfbde0..1d20bcd3 100644
35 --- a/libde265/motion.cc
36 +++ b/libde265/motion.cc
37 @@ -348,6 +348,16 @@ void generate_inter_prediction_samples(base_context* ctx,
38
39 logtrace(LogMotion, "refIdx: %d -> dpb[%d]\n", vi->refIdx[l], shdr->RefPicList[l][vi->refIdx[l]]);
40
41 + if (refPic) {
42 + auto nonconst_refPic = const_cast<de265_image*>(refPic); /* shared_ptr.get() chokes on const.*/
43 + auto refsps = nonconst_refPic->get_shared_sps().get();
44 + auto imgsps = img->get_shared_sps().get();
45 + if(refsps != imgsps) {
46 + // rejecting reference image created with different sps.
47 + refPic = nullptr;
48 + }
49 + }
50 +
51 if (!refPic || refPic->PicState == UnusedForReference) {
52 img->integrity = INTEGRITY_DECODING_ERRORS;
53 ctx->add_warning(DE265_WARNING_NONEXISTING_REFERENCE_PICTURE_ACCESSED, false);
+3
-0
debian/patches/series less more
00 only_export_decoder_api.patch
11 disable_tools.patch
22 m4-visibility.patch
3 reject_reference_pics_from_different_sps.patch
4 use_sps_from_the_image.patch
5 recycle_sps_if_possible.patch
+62
-0
debian/patches/use_sps_from_the_image.patch less more
0 Description: Use sps of the image, not the sps of the pic parameter set (pps)
1 When decoding a slice, all decoding functions are using the sps of the target
2 image to determine the image properties, which are in the seqquence parameter
3 set) -- execpt generate_inter_prediction_samples(), which uses the sps from the
4 pps, which might have different properties and trick the decode to out-of-bound
5 memory accesses, leading to crashes.
6 Origin: https://github.com/strukturag/libde265/pull/366
7 From 36391cda3d4e4fb3269a2ce310e6e0f634729f0b Mon Sep 17 00:00:00 2001
8 From: Tobias Frost <tobi@debian.org>
9 Date: Mon, 12 Dec 2022 14:33:40 +0100
10 Subject: [PATCH] Use the sps from the image
11
12 (as e.g mc_chroma is using the sps to determine
13 picture properties, like pic_width_in_luma_samples
14 and pic_height_in_luma_samples, I *think* this is
15 more correct.
16
17 This PR is for discussion. (See #345.)
18 It makes the failures go away, but that does not mean it's correct :)
19
20 The following poc will be stop failing if (only) this
21 patch is applied:
22
23 - poc2 #336 - CVE-2022-43238
24 - poc4 #338 - CVE-2022-43241
25 - poc6-1, poc6-2 #340 - CVE-2022-43242
26 - poc7-1, poc7-2 #341 - CVE-2022-43239
27 - poc8-1 #342 - CVE-2022-43244
28 - poc9-3 #343 - CVE-2022-43236
29 - poc10-2, poc10-3 #344 - CVE-2022-43237
30 - poc16 #350
31 - poc19 #353
32
33 The following are still failing if only this patch is
34 applied, but they stop failing if #365 is applied as well, but will
35 still fail with ONLY #365 applied (IOW, both are needed)
36
37 - poc1 #335 - CVE-2022-43240
38 - poc3 #337 - CVE-2022-43235
39 - poc5 #339 - CVE-2022-43423
40 - poc9-1,poc9-2, poc9-4 #343 - CVE-2022-43236
41 - poc14 #348 - CVE-2022-43253
42 - poc15 #349 - CVE-2022-43248
43 - poc17-1, poc17-2 #351
44 - poc18 #352 - CVE-2022-43245
45 ---
46 libde265/motion.cc | 2 +-
47 1 file changed, 1 insertion(+), 1 deletion(-)
48
49 diff --git a/libde265/motion.cc b/libde265/motion.cc
50 index 8bbfbde0..89d5a167 100644
51 --- a/libde265/motion.cc
52 +++ b/libde265/motion.cc
53 @@ -290,7 +290,7 @@ void generate_inter_prediction_samples(base_context* ctx,
54 int stride[3];
55
56 const pic_parameter_set* pps = shdr->pps.get();
57 - const seq_parameter_set* sps = pps->sps.get();
58 + const seq_parameter_set* sps = img->get_shared_sps().get();
59
60 const int SubWidthC = sps->SubWidthC;
61 const int SubHeightC = sps->SubHeightC;