Bug#1014977: libde265: CVE-2022-1253 CVE-2021-36411 CVE-2021-36410 CVE-2021-36408 CVE-2021-35452
tags -1 + pending
thanks
Hey Moritz,
On Fri, Jul 15, 2022 at 05:48:41PM +0200, Moritz Mühlenhoff wrote:
> The following vulnerabilities were published for libde265.
[...]
Thanks for clearly linking to the upstream commits, that was very
helpful! Compared to the older bug these were quite straightforward to
apply. The CVEs referenced by #1004963 are still open in upstream's
bugtracker.
Attached is the diff of the NMU I just uploaded to DELAYED/2-days.
Kind regards and thanks
Philipp Kern
diff -Nru libde265-1.0.8/debian/changelog libde265-1.0.8/debian/changelog
--- libde265-1.0.8/debian/changelog 2020-12-16 16:32:29.000000000 +0100
+++ libde265-1.0.8/debian/changelog 2022-10-16 15:26:20.000000000 +0200
@@ -1,3 +1,17 @@
+libde265 (1.0.8-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Import upstream fixes for CVE-tracked vulnerabilities
+ (Closes: #1014977)
+ - CVE-2022-1253
+ - CVE-2021-36411
+ - CVE-2021-36410
+ - CVE-2021-36409
+ - CVE-2021-36408
+ - CVE-2021-35452
+
+ -- Philipp Kern <pkern@debian.org> Sun, 16 Oct 2022 15:26:20 +0200
+
libde265 (1.0.8-1) unstable; urgency=medium
* Update to debhelper compat level 13 and add debian/not-installed
diff -Nru libde265-1.0.8/debian/patches/0001-CVE-2022-1253.patch libde265-1.0.8/debian/patches/0001-CVE-2022-1253.patch
--- libde265-1.0.8/debian/patches/0001-CVE-2022-1253.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.8/debian/patches/0001-CVE-2022-1253.patch 2022-10-16 15:19:58.000000000 +0200
@@ -0,0 +1,50 @@
+From 8e89fe0e175d2870c39486fdd09250b230ec10b8 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 5 Apr 2022 09:52:57 +0200
+Subject: [PATCH] error on out-of-range cpb_cnt_minus1 (oss-fuzz issue 27590)
+
+---
+ libde265/sps.cc | 5 ++++-
+ libde265/vui.cc | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+Index: libde265-1.0.8/libde265/sps.cc
+===================================================================
+--- libde265-1.0.8.orig/libde265/sps.cc
++++ libde265-1.0.8/libde265/sps.cc
+@@ -425,7 +425,10 @@ de265_error seq_parameter_set::read(erro
+
+ vui_parameters_present_flag = get_bits(br,1);
+ if (vui_parameters_present_flag) {
+- vui.read(errqueue, br, this);
++ de265_error err = vui.read(errqueue, br, this);
++ if (err) {
++ return err;
++ }
+ }
+
+
+Index: libde265-1.0.8/libde265/vui.cc
+===================================================================
+--- libde265-1.0.8.orig/libde265/vui.cc
++++ libde265-1.0.8/libde265/vui.cc
+@@ -201,6 +201,9 @@ de265_error video_usability_information:
+ if (!low_delay_hrd_flag[i])
+ {
+ READ_VLC_OFFSET(cpb_cnt_minus1[i], uvlc, 0);
++ if (cpb_cnt_minus1[i] > 31) {
++ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
++ }
+ }
+
+ for (nalOrVcl = 0; nalOrVcl < 2; nalOrVcl++)
+@@ -361,6 +364,9 @@ de265_error video_usability_information:
+ if (vui_hrd_parameters_present_flag) {
+ de265_error err;
+ err = hrd_parameters(errqueue, br, sps);
++ if (err) {
++ return err;
++ }
+ }
+ }
+
diff -Nru libde265-1.0.8/debian/patches/0001-fill-32x32-scaling-matrices.patch libde265-1.0.8/debian/patches/0001-fill-32x32-scaling-matrices.patch
--- libde265-1.0.8/debian/patches/0001-fill-32x32-scaling-matrices.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.8/debian/patches/0001-fill-32x32-scaling-matrices.patch 2022-10-16 15:25:49.000000000 +0200
@@ -0,0 +1,85 @@
+From 7d5aeb5f11531de33f5b7ae0e768ffc50da4facb Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 23 Feb 2021 16:29:01 +0100
+Subject: [PATCH] fill 32x32 scaling matrices
+
+---
+ libde265/sps.cc | 25 +++++++++++++++++++++++--
+ libde265/sps.h | 2 +-
+ libde265/transform.cc | 4 +---
+ 3 files changed, 25 insertions(+), 6 deletions(-)
+
+Index: libde265-1.0.8/libde265/sps.cc
+===================================================================
+--- libde265-1.0.8.orig/libde265/sps.cc
++++ libde265-1.0.8/libde265/sps.cc
+@@ -873,10 +873,10 @@ de265_error read_scaling_list(bitreader*
+ int dc_coeff[4][6];
+
+ for (int sizeId=0;sizeId<4;sizeId++) {
+- int n = ((sizeId==3) ? 2 : 6);
++ //int n = ((sizeId==3) ? 2 : 6);
+ uint8_t scaling_list[6][32*32];
+
+- for (int matrixId=0;matrixId<n;matrixId++) {
++ for (int matrixId=0 ; matrixId<6 ; matrixId += (sizeId==3 ? 3 : 1)) {
+ uint8_t* curr_scaling_list = scaling_list[matrixId];
+ int scaling_list_dc_coef;
+
+@@ -982,6 +982,27 @@ de265_error read_scaling_list(bitreader*
+ }
+ }
+
++
++ // --- fill 32x32 matrices for chroma
++
++ const position* scan = get_scan_order(3, 0 /* diag */);
++
++ for (int matrixId=0;matrixId<6;matrixId++)
++ if (matrixId!=0 && matrixId!=3) {
++ for (int i=0;i<64;i++) {
++ int x = scan[i].x;
++ int y = scan[i].y;
++ int v = sclist->ScalingFactor_Size1[matrixId][y][x];
++
++ for (int dy=0;dy<4;dy++)
++ for (int dx=0;dx<4;dx++) {
++ sclist->ScalingFactor_Size3[matrixId][4*y+dy][4*x+dx] = v;
++ }
++ }
++
++ sclist->ScalingFactor_Size3[matrixId][0][0] = sclist->ScalingFactor_Size1[matrixId][0][0];
++ }
++
+ return DE265_OK;
+ }
+
+Index: libde265-1.0.8/libde265/sps.h
+===================================================================
+--- libde265-1.0.8.orig/libde265/sps.h
++++ libde265-1.0.8/libde265/sps.h
+@@ -54,7 +54,7 @@ typedef struct scaling_list_data {
+ uint8_t ScalingFactor_Size0[6][4][4];
+ uint8_t ScalingFactor_Size1[6][8][8];
+ uint8_t ScalingFactor_Size2[6][16][16];
+- uint8_t ScalingFactor_Size3[2][32][32];
++ uint8_t ScalingFactor_Size3[6][32][32];
+ } scaling_list_data;
+
+
+Index: libde265-1.0.8/libde265/transform.cc
+===================================================================
+--- libde265-1.0.8.orig/libde265/transform.cc
++++ libde265-1.0.8/libde265/transform.cc
+@@ -504,10 +504,8 @@ void scale_coefficients_internal(thread_
+
+ for (int i=0;i<tctx->nCoeff[cIdx];i++) {
+ int pos = tctx->coeffPos[cIdx][i];
+- int x = pos%nT;
+- int y = pos/nT;
+
+- const int m_x_y = sclist[x+y*nT];
++ const int m_x_y = sclist[pos];
+ const int fact = m_x_y * levelScale[qP%6] << (qP/6);
+
+ int64_t currCoeff = tctx->coeffList[cIdx][i];
diff -Nru libde265-1.0.8/debian/patches/0002-CVE-2021-36411.patch libde265-1.0.8/debian/patches/0002-CVE-2021-36411.patch
--- libde265-1.0.8/debian/patches/0002-CVE-2021-36411.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.8/debian/patches/0002-CVE-2021-36411.patch 2022-10-16 15:17:52.000000000 +0200
@@ -0,0 +1,168 @@
+From 45904e5667c5bf59c67fcdc586dfba110832894c Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 5 Apr 2022 20:00:20 +0200
+Subject: [PATCH] fix reading invalid images where shdr references are NULL in
+ part of the image (#302)
+
+---
+ libde265/deblock.cc | 127 +++++++++++++++++++++++---------------------
+ libde265/sao.cc | 5 +-
+ 2 files changed, 70 insertions(+), 62 deletions(-)
+
+diff --git a/libde265/deblock.cc b/libde265/deblock.cc
+index 62428832..60fd2ca1 100644
+--- a/libde265/deblock.cc
++++ b/libde265/deblock.cc
+@@ -295,67 +295,72 @@ void derive_boundaryStrength(de265_image* img, bool vertical, int yStart,int yEn
+ slice_segment_header* shdrP = img->get_SliceHeader(xDiOpp,yDiOpp);
+ slice_segment_header* shdrQ = img->get_SliceHeader(xDi ,yDi);
+
+- int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;
+- int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1;
+- int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1;
+- int refPicQ1 = mviQ.predFlag[1] ? shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1;
+-
+- bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) ||
+- (refPicP0==refPicQ1 && refPicP1==refPicQ0));
+-
+- if (!samePics) {
+- bS = 1;
+- }
+- else {
+- MotionVector mvP0 = mviP.mv[0]; if (!mviP.predFlag[0]) { mvP0.x=mvP0.y=0; }
+- MotionVector mvP1 = mviP.mv[1]; if (!mviP.predFlag[1]) { mvP1.x=mvP1.y=0; }
+- MotionVector mvQ0 = mviQ.mv[0]; if (!mviQ.predFlag[0]) { mvQ0.x=mvQ0.y=0; }
+- MotionVector mvQ1 = mviQ.mv[1]; if (!mviQ.predFlag[1]) { mvQ1.x=mvQ1.y=0; }
+-
+- int numMV_P = mviP.predFlag[0] + mviP.predFlag[1];
+- int numMV_Q = mviQ.predFlag[0] + mviQ.predFlag[1];
+-
+- if (numMV_P!=numMV_Q) {
+- img->decctx->add_warning(DE265_WARNING_NUMMVP_NOT_EQUAL_TO_NUMMVQ, false);
+- img->integrity = INTEGRITY_DECODING_ERRORS;
+- }
+-
+- // two different reference pictures or only one reference picture
+- if (refPicP0 != refPicP1) {
+-
+- if (refPicP0 == refPicQ0) {
+- if (abs_value(mvP0.x-mvQ0.x) >= 4 ||
+- abs_value(mvP0.y-mvQ0.y) >= 4 ||
+- abs_value(mvP1.x-mvQ1.x) >= 4 ||
+- abs_value(mvP1.y-mvQ1.y) >= 4) {
+- bS = 1;
+- }
+- }
+- else {
+- if (abs_value(mvP0.x-mvQ1.x) >= 4 ||
+- abs_value(mvP0.y-mvQ1.y) >= 4 ||
+- abs_value(mvP1.x-mvQ0.x) >= 4 ||
+- abs_value(mvP1.y-mvQ0.y) >= 4) {
+- bS = 1;
+- }
+- }
+- }
+- else {
+- assert(refPicQ0==refPicQ1);
+-
+- if ((abs_value(mvP0.x-mvQ0.x) >= 4 ||
+- abs_value(mvP0.y-mvQ0.y) >= 4 ||
+- abs_value(mvP1.x-mvQ1.x) >= 4 ||
+- abs_value(mvP1.y-mvQ1.y) >= 4)
+- &&
+- (abs_value(mvP0.x-mvQ1.x) >= 4 ||
+- abs_value(mvP0.y-mvQ1.y) >= 4 ||
+- abs_value(mvP1.x-mvQ0.x) >= 4 ||
+- abs_value(mvP1.y-mvQ0.y) >= 4)) {
+- bS = 1;
+- }
+- }
+- }
++ if (shdrP && shdrQ) {
++ int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;
++ int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1;
++ int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1;
++ int refPicQ1 = mviQ.predFlag[1] ? shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1;
++
++ bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) ||
++ (refPicP0==refPicQ1 && refPicP1==refPicQ0));
++
++ if (!samePics) {
++ bS = 1;
++ }
++ else {
++ MotionVector mvP0 = mviP.mv[0]; if (!mviP.predFlag[0]) { mvP0.x=mvP0.y=0; }
++ MotionVector mvP1 = mviP.mv[1]; if (!mviP.predFlag[1]) { mvP1.x=mvP1.y=0; }
++ MotionVector mvQ0 = mviQ.mv[0]; if (!mviQ.predFlag[0]) { mvQ0.x=mvQ0.y=0; }
++ MotionVector mvQ1 = mviQ.mv[1]; if (!mviQ.predFlag[1]) { mvQ1.x=mvQ1.y=0; }
++
++ int numMV_P = mviP.predFlag[0] + mviP.predFlag[1];
++ int numMV_Q = mviQ.predFlag[0] + mviQ.predFlag[1];
++
++ if (numMV_P!=numMV_Q) {
++ img->decctx->add_warning(DE265_WARNING_NUMMVP_NOT_EQUAL_TO_NUMMVQ, false);
++ img->integrity = INTEGRITY_DECODING_ERRORS;
++ }
++
++ // two different reference pictures or only one reference picture
++ if (refPicP0 != refPicP1) {
++
++ if (refPicP0 == refPicQ0) {
++ if (abs_value(mvP0.x-mvQ0.x) >= 4 ||
++ abs_value(mvP0.y-mvQ0.y) >= 4 ||
++ abs_value(mvP1.x-mvQ1.x) >= 4 ||
++ abs_value(mvP1.y-mvQ1.y) >= 4) {
++ bS = 1;
++ }
++ }
++ else {
++ if (abs_value(mvP0.x-mvQ1.x) >= 4 ||
++ abs_value(mvP0.y-mvQ1.y) >= 4 ||
++ abs_value(mvP1.x-mvQ0.x) >= 4 ||
++ abs_value(mvP1.y-mvQ0.y) >= 4) {
++ bS = 1;
++ }
++ }
++ }
++ else {
++ assert(refPicQ0==refPicQ1);
++
++ if ((abs_value(mvP0.x-mvQ0.x) >= 4 ||
++ abs_value(mvP0.y-mvQ0.y) >= 4 ||
++ abs_value(mvP1.x-mvQ1.x) >= 4 ||
++ abs_value(mvP1.y-mvQ1.y) >= 4)
++ &&
++ (abs_value(mvP0.x-mvQ1.x) >= 4 ||
++ abs_value(mvP0.y-mvQ1.y) >= 4 ||
++ abs_value(mvP1.x-mvQ0.x) >= 4 ||
++ abs_value(mvP1.y-mvQ0.y) >= 4)) {
++ bS = 1;
++ }
++ }
++ }
++ }
++ else {
++ bS = 0; // if shdrP==NULL or shdrQ==NULL
++ }
+
+ /*
+ printf("unimplemented deblocking code for CU at %d;%d\n",xDi,yDi);
+diff --git a/libde265/sao.cc b/libde265/sao.cc
+index f93fc02a..ed8676ea 100644
+--- a/libde265/sao.cc
++++ b/libde265/sao.cc
+@@ -353,7 +353,10 @@ void apply_sample_adaptive_offset_sequential(de265_image* img)
+ for (int xCtb=0; xCtb<sps.PicWidthInCtbsY; xCtb++)
+ {
+ const slice_segment_header* shdr = img->get_SliceHeaderCtb(xCtb,yCtb);
+- if (shdr==NULL) { return; }
++ if (shdr==NULL) {
++ delete[] inputCopy;
++ return;
++ }
+
+ if (cIdx==0 && shdr->slice_sao_luma_flag) {
+ apply_sao(img, xCtb,yCtb, shdr, 0, 1<<sps.Log2CtbSizeY, 1<<sps.Log2CtbSizeY,
+--
+2.34.1
+
diff -Nru libde265-1.0.8/debian/patches/0003-CVE-2021-36410.patch libde265-1.0.8/debian/patches/0003-CVE-2021-36410.patch
--- libde265-1.0.8/debian/patches/0003-CVE-2021-36410.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.8/debian/patches/0003-CVE-2021-36410.patch 2022-10-16 15:18:12.000000000 +0200
@@ -0,0 +1,25 @@
+From 697aa4f7c774abd6374596e6707a6f4f54265355 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 5 Apr 2022 19:27:04 +0200
+Subject: [PATCH] fix MC with HDR chroma, but SDR luma (#301)
+
+---
+ libde265/motion.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libde265/motion.cc b/libde265/motion.cc
+index deae2400..8bbfbde0 100644
+--- a/libde265/motion.cc
++++ b/libde265/motion.cc
+@@ -376,7 +376,7 @@ void generate_inter_prediction_samples(base_context* ctx,
+ refPic->get_luma_stride(), nPbW,nPbH, bit_depth_L);
+ }
+
+- if (img->high_bit_depth(0)) {
++ if (img->high_bit_depth(1)) {
+ mc_chroma(ctx, sps, vi->mv[l].x, vi->mv[l].y, xP,yP,
+ predSamplesC[0][l],nCS, (const uint16_t*)refPic->get_image_plane(1),
+ refPic->get_chroma_stride(), nPbW/SubWidthC,nPbH/SubHeightC, bit_depth_C);
+--
+2.34.1
+
diff -Nru libde265-1.0.8/debian/patches/0004-CVE-2021-36409.patch libde265-1.0.8/debian/patches/0004-CVE-2021-36409.patch
--- libde265-1.0.8/debian/patches/0004-CVE-2021-36409.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.8/debian/patches/0004-CVE-2021-36409.patch 2022-10-16 15:25:56.000000000 +0200
@@ -0,0 +1,58 @@
+From 64d591a6c70737604ca3f5791736fc462cbe8a3c Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 5 Apr 2022 17:53:43 +0200
+Subject: [PATCH] fix assertion when reading invalid scaling_list (#300)
+
+---
+ libde265/sps.cc | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+Index: libde265-1.0.8/libde265/sps.cc
+===================================================================
+--- libde265-1.0.8.orig/libde265/sps.cc
++++ libde265-1.0.8/libde265/sps.cc
+@@ -879,19 +879,23 @@ de265_error read_scaling_list(bitreader*
+ //int n = ((sizeId==3) ? 2 : 6);
+ uint8_t scaling_list[6][32*32];
+
++ // Note: we use a different matrixId for the second matrix of size 3 (we use '3' instead of '1').
+ for (int matrixId=0 ; matrixId<6 ; matrixId += (sizeId==3 ? 3 : 1)) {
+ uint8_t* curr_scaling_list = scaling_list[matrixId];
+ int scaling_list_dc_coef;
+
+- int canonicalMatrixId = matrixId;
+- if (sizeId==3 && matrixId==1) { canonicalMatrixId=3; }
+-
+
+ //printf("----- matrix %d\n",matrixId);
+
+ char scaling_list_pred_mode_flag = get_bits(br,1);
+ if (!scaling_list_pred_mode_flag) {
+ int scaling_list_pred_matrix_id_delta = get_uvlc(br);
++
++ if (sizeId==3) {
++ // adapt to our changed matrixId for size 3
++ scaling_list_pred_matrix_id_delta *= 3;
++ }
++
+ if (scaling_list_pred_matrix_id_delta == UVLC_ERROR ||
+ scaling_list_pred_matrix_id_delta > matrixId) {
+ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
+@@ -907,15 +911,14 @@ de265_error read_scaling_list(bitreader*
+ memcpy(curr_scaling_list, default_ScalingList_4x4, 16);
+ }
+ else {
+- if (canonicalMatrixId<3)
++ if (matrixId<3)
+ { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); }
+ else
+ { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); }
+ }
+ }
+ else {
+- // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ?
+- if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); }
++ if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==3); }
+
+ int mID = matrixId - scaling_list_pred_matrix_id_delta;
+
diff -Nru libde265-1.0.8/debian/patches/0005-CVE-2021-36408.patch libde265-1.0.8/debian/patches/0005-CVE-2021-36408.patch
--- libde265-1.0.8/debian/patches/0005-CVE-2021-36408.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.8/debian/patches/0005-CVE-2021-36408.patch 2022-10-16 15:19:00.000000000 +0200
@@ -0,0 +1,33 @@
+From f538254e4658ef5ea4e233c2185dcbfd165e8911 Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 5 Apr 2022 18:41:28 +0200
+Subject: [PATCH] fix streams where SPS image size changes without refreshing
+ PPS (#299)
+
+---
+ libde265/decctx.cc | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/libde265/decctx.cc b/libde265/decctx.cc
+index edebb713..6701725f 100644
+--- a/libde265/decctx.cc
++++ b/libde265/decctx.cc
+@@ -562,6 +562,15 @@ de265_error decoder_context::read_sps_NAL(bitreader& reader)
+
+ sps[ new_sps->seq_parameter_set_id ] = new_sps;
+
++ // Remove the all PPS that referenced the old SPS because parameters may have changed and we do not want to
++ // get the SPS and PPS parameters (e.g. image size) out of sync.
++
++ for (auto& p : pps) {
++ if (p && p->seq_parameter_set_id == new_sps->seq_parameter_set_id) {
++ p = nullptr;
++ }
++ }
++
+ return DE265_OK;
+ }
+
+--
+2.34.1
+
diff -Nru libde265-1.0.8/debian/patches/0006-CVE-2021-35452.patch libde265-1.0.8/debian/patches/0006-CVE-2021-35452.patch
--- libde265-1.0.8/debian/patches/0006-CVE-2021-35452.patch 1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.8/debian/patches/0006-CVE-2021-35452.patch 2022-10-16 15:19:19.000000000 +0200
@@ -0,0 +1,25 @@
+From e83f3798dd904aa579425c53020c67e03735138d Mon Sep 17 00:00:00 2001
+From: Dirk Farin <dirk.farin@gmail.com>
+Date: Tue, 5 Apr 2022 19:35:46 +0200
+Subject: [PATCH] fix check for valid PPS idx (#298)
+
+---
+ libde265/slice.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index cca4d332..aacde0ce 100644
+--- a/libde265/slice.cc
++++ b/libde265/slice.cc
+@@ -373,7 +373,7 @@ de265_error slice_segment_header::read(bitreader* br, decoder_context* ctx,
+ }
+
+ slice_pic_parameter_set_id = get_uvlc(br);
+- if (slice_pic_parameter_set_id > DE265_MAX_PPS_SETS ||
++ if (slice_pic_parameter_set_id >= DE265_MAX_PPS_SETS ||
+ slice_pic_parameter_set_id == UVLC_ERROR) {
+ ctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
+ return DE265_OK;
+--
+2.34.1
+
diff -Nru libde265-1.0.8/debian/patches/series libde265-1.0.8/debian/patches/series
--- libde265-1.0.8/debian/patches/series 2020-12-16 16:32:29.000000000 +0100
+++ libde265-1.0.8/debian/patches/series 2022-10-16 15:25:41.000000000 +0200
@@ -1,2 +1,9 @@
only_export_decoder_api.patch
disable_tools.patch
+0001-fill-32x32-scaling-matrices.patch
+0001-CVE-2022-1253.patch
+0002-CVE-2021-36411.patch
+0003-CVE-2021-36410.patch
+0004-CVE-2021-36409.patch
+0005-CVE-2021-36408.patch
+0006-CVE-2021-35452.patch
Reply to: