diff -Nru libde265-1.0.4/debian/changelog libde265-1.0.4/debian/changelog
--- libde265-1.0.4/debian/changelog 2024-01-26 19:57:57.000000000 +0000
+++ libde265-1.0.4/debian/changelog 2024-02-06 15:51:20.000000000 +0000
@@ -1,3 +1,45 @@
+libde265 (1.0.4-1ubuntu0.2) focal-security; urgency=medium
+
+ * SECURITY UPDATE: denial-of-service
+ - debian/patches/CVE-2021-35452.patch: fix check for valid PPS idx.
+ - CVE-2021-35452
+ * SECURITY UPDATE: heap-buffer-overflow
+ - debian/patches/CVE-2021-36409.patch: fix assertion when reading
+ invalid scaling_list.
+ - CVE-2021-36409
+ * SECURITY UPDATE: stack-buffer-overflow
+ - debian/patches/CVE-2021-36410.patch: fix MC with HDR chroma, but
+ SDR luma.
+ - CVE-2021-36410
+ * SECURITY UPDATE: read-out-of-bounds
+ - debian/patches/CVE-2021-36411.patch: fix reading invalid images
+ where shdr references are NULL in part of the image.
+ - CVE-2021-36411
+ * SECURITY UPDATE: stack-buffer-overflow
+ - debian/patches/CVE-2022-43236.patch: check that image bit-depth
+ matches SPS bit depth.
+ - CVE-2022-43235
+ - CVE-2022-43236
+ - CVE-2022-43248
+ - CVE-2022-43253
+ * SECURITY UPDATE: stack-buffer-overflow
+ - debian/patches/CVE-2022-43237.patch: check that image chroma
+ format matches the SPS chroma format.
+ - CVE-2022-43237
+ - CVE-2022-43243
+ - CVE-2022-43252
+ * SECURITY UPDATE: read-out-of-bounds
+ - debian/patches/CVE-2022-43238.patch: check that image size
+ matches sps.
+ - CVE-2022-43238
+ - CVE-2022-43239
+ - CVE-2022-43240
+ - CVE-2022-43241
+ - CVE-2022-43242
+ * Add d/p/fix-invalid-memory-access-after-unavailable-reference-frame-insertion.patch
+
+ -- Fabian Toepfer Tue, 06 Feb 2024 16:51:20 +0100
+
 libde265 (1.0.4-1ubuntu0.1) focal-security; urgency=medium
 * SECURITY UPDATE: buffer overflow vulnerability
@@ -16,7 +58,7 @@
 - CVE-2020-21604
 - CVE-2020-21605
 * SECURITY UPDATE: use-after-free vulnerability
- - debian/patches/CVE-2021-36408: fix streams where SPS image
+ - debian/patches/CVE-2021-36408.patch: fix streams where SPS image
 size changes without refreshing PPS.
 - CVE-2020-21597
 - CVE-2020-21598
diff -Nru libde265-1.0.4/debian/patches/CVE-2021-35452.patch libde265-1.0.4/debian/patches/CVE-2021-35452.patch
--- libde265-1.0.4/debian/patches/CVE-2021-35452.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2021-35452.patch 2024-02-06 15:43:54.000000000 +0000
@@ -0,0 +1,22 @@
+From e83f3798dd904aa579425c53020c67e03735138d Mon Sep 17 00:00:00 2001
+From: Dirk Farin
+Date: Tue, 5 Apr 2022 19:35:46 +0200
+Subject: [PATCH] fix check for valid PPS idx (#298)
+
+---
+ libde265/slice.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index cca4d332..aacde0ce 100644
+--- a/libde265/slice.cc
++++ b/libde265/slice.cc
+@@ -373,7 +373,7 @@ de265_error slice_segment_header::read(bitreader* br, decoder_context* ctx,
+ }
+
+ slice_pic_parameter_set_id = get_uvlc(br);
+- if (slice_pic_parameter_set_id > DE265_MAX_PPS_SETS ||
++ if (slice_pic_parameter_set_id >= DE265_MAX_PPS_SETS ||
+ slice_pic_parameter_set_id == UVLC_ERROR) {
+ ctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
+ return DE265_OK;
diff -Nru libde265-1.0.4/debian/patches/CVE-2021-36409.patch libde265-1.0.4/debian/patches/CVE-2021-36409.patch
--- libde265-1.0.4/debian/patches/CVE-2021-36409.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2021-36409.patch 2024-02-06 15:43:54.000000000 +0000
@@ -0,0 +1,53 @@
+From 64d591a6c70737604ca3f5791736fc462cbe8a3c Mon Sep 17 00:00:00 2001
+From: Dirk Farin
+Date: Tue, 5 Apr 2022 17:53:43 +0200
+Subject: [PATCH] fix assertion when reading invalid scaling_list (#300)
+
+---
+ libde265/sps.cc | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+Index: libde265-1.0.4/libde265/sps.cc
+===================================================================
+--- libde265-1.0.4.orig/libde265/sps.cc
++++ libde265-1.0.4/libde265/sps.cc
+@@ -885,8 +885,6 @@ de265_error read_scaling_list(bitreader*
+ uint8_t* curr_scaling_list = scaling_list[matrixId];
+ int scaling_list_dc_coef;
+
+- int canonicalMatrixId = matrixId;
+- if (sizeId==3 && matrixId==1) { canonicalMatrixId=3; }
+
+
+ //printf("----- matrix %d\n",matrixId);
+@@ -894,6 +892,12 @@ de265_error read_scaling_list(bitreader*
+ char scaling_list_pred_mode_flag = get_bits(br,1);
+ if (!scaling_list_pred_mode_flag) {
+ int scaling_list_pred_matrix_id_delta = get_uvlc(br);
++
++ if (sizeId==3) {
++ // adapt to our changed matrixId for size 3
++ scaling_list_pred_matrix_id_delta *= 3;
++ }
++
+ if (scaling_list_pred_matrix_id_delta == UVLC_ERROR ||
+ scaling_list_pred_matrix_id_delta > matrixId) {
+ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
+@@ -909,15 +913,14 @@ de265_error read_scaling_list(bitreader*
+ memcpy(curr_scaling_list, default_ScalingList_4x4, 16);
+ }
+ else {
+- if (canonicalMatrixId<3)
++ if (matrixId<3)
+ { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); }
+ else
+ { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); }
+ }
+ }
+ else {
+- // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ?
+- if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); }
++ if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==3); }
+
+ int mID = matrixId - scaling_list_pred_matrix_id_delta;
+
diff -Nru libde265-1.0.4/debian/patches/CVE-2021-36410.patch libde265-1.0.4/debian/patches/CVE-2021-36410.patch
--- libde265-1.0.4/debian/patches/CVE-2021-36410.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2021-36410.patch 2024-02-06 15:43:54.000000000 +0000
@@ -0,0 +1,22 @@
+From 697aa4f7c774abd6374596e6707a6f4f54265355 Mon Sep 17 00:00:00 2001
+From: Dirk Farin
+Date: Tue, 5 Apr 2022 19:27:04 +0200
+Subject: [PATCH] fix MC with HDR chroma, but SDR luma (#301)
+
+---
+ libde265/motion.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libde265/motion.cc b/libde265/motion.cc
+index deae2400f..8bbfbde0e 100644
+--- a/libde265/motion.cc
++++ b/libde265/motion.cc
+@@ -376,7 +376,7 @@ void generate_inter_prediction_samples(base_context* ctx,
+ refPic->get_luma_stride(), nPbW,nPbH, bit_depth_L);
+ }
+
+- if (img->high_bit_depth(0)) {
++ if (img->high_bit_depth(1)) {
+ mc_chroma(ctx, sps, vi->mv[l].x, vi->mv[l].y, xP,yP,
+ predSamplesC[0][l],nCS, (const uint16_t*)refPic->get_image_plane(1),
+ refPic->get_chroma_stride(), nPbW/SubWidthC,nPbH/SubHeightC, bit_depth_C);
diff -Nru libde265-1.0.4/debian/patches/CVE-2021-36411.patch libde265-1.0.4/debian/patches/CVE-2021-36411.patch
--- libde265-1.0.4/debian/patches/CVE-2021-36411.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2021-36411.patch 2024-02-06 15:43:54.000000000 +0000
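Review bot: In the sps.cc hunk at -894, `scaling_list_pred_matrix_id_delta *= 3;` runs before the value is compared with `UVLC_ERROR`, so for sizeId==3 a failed `get_uvlc()` is scaled into a different number and the sentinel test that follows can no longer match it. Whether the scaled value is then caught by `> matrixId` depends on the sentinel's value, which is not visible here, and a large decoded delta could also overflow the `int` multiplication. Test the raw value first, `if (scaling_list_pred_matrix_id_delta == UVLC_ERROR) return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;`, then scale and apply the `> matrixId` bound. This matters because `assert(scaling_list_pred_matrix_id_delta==3)` is compiled out under NDEBUG, leaving `mID = matrixId - scaling_list_pred_matrix_id_delta` to consume whatever passed the check. read_scaling_list continues outside the hunks shown.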
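Review bot: The chroma branch now keys on `img->high_bit_depth(1)`, but the buffer it reinterprets as `const uint16_t*` is `refPic->get_image_plane(1)`, so the cast is only sound when the reference picture has the same chroma bit depth as the current image. Nothing in this hunk establishes that, and the checks added by the CVE-2022-43236, CVE-2022-43237 and CVE-2022-43238 patches in this upload compare `sps` with `img` and the size/chroma format of `refPic`, not the bit depth of `refPic`. Assuming refPic is the same image type as img, a guard such as `if (refPic->high_bit_depth(1) != img->high_bit_depth(1)) { img->integrity = INTEGRITY_DECODING_ERRORS; return; }` before the `mc_chroma` calls would make the assumption explicit. The function body starts and ends outside the hunk.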
@@ -0,0 +1,165 @@ +From 45904e5667c5bf59c67fcdc586dfba110832894c Mon Sep 17 00:00:00 2001 +From: Dirk Farin +Date: Tue, 5 Apr 2022 20:00:20 +0200 +Subject: [PATCH] fix reading invalid images where shdr references are NULL in + part of the image (#302) + +--- + libde265/deblock.cc | 127 +++++++++++++++++++++++--------------------- + libde265/sao.cc | 5 +- + 2 files changed, 70 insertions(+), 62 deletions(-) + +diff --git a/libde265/deblock.cc b/libde265/deblock.cc +index 62428832e..60fd2ca1c 100644 +--- a/libde265/deblock.cc ++++ b/libde265/deblock.cc +@@ -295,67 +295,72 @@ void derive_boundaryStrength(de265_image* img, bool vertical, int yStart,int yEn + slice_segment_header* shdrP = img->get_SliceHeader(xDiOpp,yDiOpp); + slice_segment_header* shdrQ = img->get_SliceHeader(xDi ,yDi); + +- int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1; +- int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1; +- int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1; +- int refPicQ1 = mviQ.predFlag[1] ? 
shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1; +- +- bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) || +- (refPicP0==refPicQ1 && refPicP1==refPicQ0)); +- +- if (!samePics) { +- bS = 1; +- } +- else { +- MotionVector mvP0 = mviP.mv[0]; if (!mviP.predFlag[0]) { mvP0.x=mvP0.y=0; } +- MotionVector mvP1 = mviP.mv[1]; if (!mviP.predFlag[1]) { mvP1.x=mvP1.y=0; } +- MotionVector mvQ0 = mviQ.mv[0]; if (!mviQ.predFlag[0]) { mvQ0.x=mvQ0.y=0; } +- MotionVector mvQ1 = mviQ.mv[1]; if (!mviQ.predFlag[1]) { mvQ1.x=mvQ1.y=0; } +- +- int numMV_P = mviP.predFlag[0] + mviP.predFlag[1]; +- int numMV_Q = mviQ.predFlag[0] + mviQ.predFlag[1]; +- +- if (numMV_P!=numMV_Q) { +- img->decctx->add_warning(DE265_WARNING_NUMMVP_NOT_EQUAL_TO_NUMMVQ, false); +- img->integrity = INTEGRITY_DECODING_ERRORS; +- } +- +- // two different reference pictures or only one reference picture +- if (refPicP0 != refPicP1) { +- +- if (refPicP0 == refPicQ0) { +- if (abs_value(mvP0.x-mvQ0.x) >= 4 || +- abs_value(mvP0.y-mvQ0.y) >= 4 || +- abs_value(mvP1.x-mvQ1.x) >= 4 || +- abs_value(mvP1.y-mvQ1.y) >= 4) { +- bS = 1; +- } +- } +- else { +- if (abs_value(mvP0.x-mvQ1.x) >= 4 || +- abs_value(mvP0.y-mvQ1.y) >= 4 || +- abs_value(mvP1.x-mvQ0.x) >= 4 || +- abs_value(mvP1.y-mvQ0.y) >= 4) { +- bS = 1; +- } +- } +- } +- else { +- assert(refPicQ0==refPicQ1); +- +- if ((abs_value(mvP0.x-mvQ0.x) >= 4 || +- abs_value(mvP0.y-mvQ0.y) >= 4 || +- abs_value(mvP1.x-mvQ1.x) >= 4 || +- abs_value(mvP1.y-mvQ1.y) >= 4) +- && +- (abs_value(mvP0.x-mvQ1.x) >= 4 || +- abs_value(mvP0.y-mvQ1.y) >= 4 || +- abs_value(mvP1.x-mvQ0.x) >= 4 || +- abs_value(mvP1.y-mvQ0.y) >= 4)) { +- bS = 1; +- } +- } +- } ++ if (shdrP && shdrQ) { ++ int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1; ++ int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1; ++ int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1; ++ int refPicQ1 = mviQ.predFlag[1] ? 
shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1; ++ ++ bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) || ++ (refPicP0==refPicQ1 && refPicP1==refPicQ0)); ++ ++ if (!samePics) { ++ bS = 1; ++ } ++ else { ++ MotionVector mvP0 = mviP.mv[0]; if (!mviP.predFlag[0]) { mvP0.x=mvP0.y=0; } ++ MotionVector mvP1 = mviP.mv[1]; if (!mviP.predFlag[1]) { mvP1.x=mvP1.y=0; } ++ MotionVector mvQ0 = mviQ.mv[0]; if (!mviQ.predFlag[0]) { mvQ0.x=mvQ0.y=0; } ++ MotionVector mvQ1 = mviQ.mv[1]; if (!mviQ.predFlag[1]) { mvQ1.x=mvQ1.y=0; } ++ ++ int numMV_P = mviP.predFlag[0] + mviP.predFlag[1]; ++ int numMV_Q = mviQ.predFlag[0] + mviQ.predFlag[1]; ++ ++ if (numMV_P!=numMV_Q) { ++ img->decctx->add_warning(DE265_WARNING_NUMMVP_NOT_EQUAL_TO_NUMMVQ, false); ++ img->integrity = INTEGRITY_DECODING_ERRORS; ++ } ++ ++ // two different reference pictures or only one reference picture ++ if (refPicP0 != refPicP1) { ++ ++ if (refPicP0 == refPicQ0) { ++ if (abs_value(mvP0.x-mvQ0.x) >= 4 || ++ abs_value(mvP0.y-mvQ0.y) >= 4 || ++ abs_value(mvP1.x-mvQ1.x) >= 4 || ++ abs_value(mvP1.y-mvQ1.y) >= 4) { ++ bS = 1; ++ } ++ } ++ else { ++ if (abs_value(mvP0.x-mvQ1.x) >= 4 || ++ abs_value(mvP0.y-mvQ1.y) >= 4 || ++ abs_value(mvP1.x-mvQ0.x) >= 4 || ++ abs_value(mvP1.y-mvQ0.y) >= 4) { ++ bS = 1; ++ } ++ } ++ } ++ else { ++ assert(refPicQ0==refPicQ1); ++ ++ if ((abs_value(mvP0.x-mvQ0.x) >= 4 || ++ abs_value(mvP0.y-mvQ0.y) >= 4 || ++ abs_value(mvP1.x-mvQ1.x) >= 4 || ++ abs_value(mvP1.y-mvQ1.y) >= 4) ++ && ++ (abs_value(mvP0.x-mvQ1.x) >= 4 || ++ abs_value(mvP0.y-mvQ1.y) >= 4 || ++ abs_value(mvP1.x-mvQ0.x) >= 4 || ++ abs_value(mvP1.y-mvQ0.y) >= 4)) { ++ bS = 1; ++ } ++ } ++ } ++ } ++ else { ++ bS = 0; // if shdrP==NULL or shdrQ==NULL ++ } + + /* + printf("unimplemented deblocking code for CU at %d;%d\n",xDi,yDi); +diff --git a/libde265/sao.cc b/libde265/sao.cc +index f93fc02a2..ed8676ea2 100644 +--- a/libde265/sao.cc ++++ b/libde265/sao.cc +@@ -353,7 +353,10 @@ void 
apply_sample_adaptive_offset_sequential(de265_image* img) + for (int xCtb=0; xCtbget_SliceHeaderCtb(xCtb,yCtb); +- if (shdr==NULL) { return; } ++ if (shdr==NULL) { ++ delete[] inputCopy; ++ return; ++ } + + if (cIdx==0 && shdr->slice_sao_luma_flag) { + apply_sao(img, xCtb,yCtb, shdr, 0, 1< +Date: Tue, 24 Jan 2023 15:57:49 +0100 +Subject: [PATCH] MC: check that image bit-depth matches SPS bit depth (#343) + +--- + libde265/de265.cc | 2 ++ + libde265/de265.h | 3 ++- + libde265/motion.cc | 7 +++++++ + 3 files changed, 11 insertions(+), 1 deletion(-) + +Index: libde265-1.0.4/libde265/de265.cc +=================================================================== +--- libde265-1.0.4.orig/libde265/de265.cc ++++ libde265-1.0.4/libde265/de265.cc +@@ -158,6 +158,8 @@ LIBDE265_API const char* de265_get_error + return "collocated motion-vector is outside image area"; + case DE265_WARNING_PCM_BITDEPTH_TOO_LARGE: + return "PCM bit-depth too large"; ++ case DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS: ++ return "Bit-depth of current image does not match SPS"; + + default: return "unknown error"; + } +Index: libde265-1.0.4/libde265/de265.h +=================================================================== +--- libde265-1.0.4.orig/libde265/de265.h ++++ libde265-1.0.4/libde265/de265.h +@@ -136,7 +136,8 @@ typedef enum { + DE265_WARNING_CANNOT_APPLY_SAO_OUT_OF_MEMORY=1024, + DE265_WARNING_SPS_MISSING_CANNOT_DECODE_SEI=1025, + DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA=1026, +- DE265_WARNING_PCM_BITDEPTH_TOO_LARGE=1027 ++ DE265_WARNING_PCM_BITDEPTH_TOO_LARGE=1027, ++ DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031 + } de265_error; + + LIBDE265_API const char* de265_get_error_text(de265_error err); +Index: libde265-1.0.4/libde265/motion.cc +=================================================================== +--- libde265-1.0.4.orig/libde265/motion.cc ++++ libde265-1.0.4/libde265/motion.cc +@@ -293,6 +293,13 @@ void 
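Review bot: The new `else { bS = 0; }` branch in derive_boundaryStrength treats a missing slice header as "no filtering" without recording it: unlike the `numMV_P!=numMV_Q` path inside the same block, it neither sets `img->integrity = INTEGRITY_DECODING_ERRORS` nor adds a warning, so a caller cannot tell that part of the picture had no slice data. I would add `img->integrity = INTEGRITY_DECODING_ERRORS;` next to `bS = 0;`. In sao.cc the added `delete[] inputCopy;` fixes the leak on this one early return only; owning the buffer through a `std::unique_ptr` array (the element type of inputCopy is not visible here) would cover every exit path without a manual delete. Both functions extend beyond the hunks shown.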
generate_inter_prediction_samples(b
+ const pic_parameter_set* pps = shdr->pps;
+ const seq_parameter_set* sps = pps->sps;
+
++ if (sps->BitDepth_Y != img->get_bit_depth(0) ||
++ sps->BitDepth_C != img->get_bit_depth(1)) {
++ img->integrity = INTEGRITY_DECODING_ERRORS;
++ ctx->add_warning(DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS, false);
++ return;
++ }
++
+ const int SubWidthC = sps->SubWidthC;
+ const int SubHeightC = sps->SubHeightC;
+
diff -Nru libde265-1.0.4/debian/patches/CVE-2022-43237.patch libde265-1.0.4/debian/patches/CVE-2022-43237.patch
--- libde265-1.0.4/debian/patches/CVE-2022-43237.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2022-43237.patch 2024-02-06 15:51:20.000000000 +0000
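Review bot: The bit-depth comparison sits inside generate_inter_prediction_samples, so it guards only the inter-prediction path and is re-evaluated for every prediction block, although a mismatch between `img` and `sps` is a property of the whole picture. Other code that walks `img` planes using `sps->BitDepth_Y`/`sps->BitDepth_C` is not covered by anything visible in this patch; rejecting the slice once, at the point where the SPS is associated with the image (outside this diff), would close the class rather than one call site. The same applies to the `sps->chroma_format_idc != img->get_chroma_format()` check added the same way by CVE-2022-43237.patch. Also worth a comment at the early `return`: the destination block is left unwritten, so its content is whatever the image buffer already held.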
@@ -0,0 +1,54 @@
+From 786bfad50412b28941b6364b4e9968f1ca2d8a76 Mon Sep 17 00:00:00 2001
+From: Dirk Farin
+Date: Tue, 24 Jan 2023 15:02:54 +0100
+Subject: [PATCH] MC: check that image chroma format matches the SPS chroma
+ format (#339)
+
+---
+ libde265/de265.cc | 2 ++
+ libde265/de265.h | 3 ++-
+ libde265/motion.cc | 6 ++++++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+Index: libde265-1.0.4/libde265/de265.cc
+===================================================================
+--- libde265-1.0.4.orig/libde265/de265.cc
++++ libde265-1.0.4/libde265/de265.cc
+@@ -160,6 +160,8 @@ LIBDE265_API const char* de265_get_error
+ return "PCM bit-depth too large";
+ case DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS:
+ return "Bit-depth of current image does not match SPS";
++ case DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS:
++ return "Chroma format of current image does not match chroma in SPS";
+
+ default: return "unknown error";
+ }
+Index: libde265-1.0.4/libde265/de265.h
+===================================================================
+--- libde265-1.0.4.orig/libde265/de265.h
++++ libde265-1.0.4/libde265/de265.h
+@@ -137,6 +137,7 @@ typedef enum {
+ DE265_WARNING_SPS_MISSING_CANNOT_DECODE_SEI=1025,
+ DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA=1026,
+ DE265_WARNING_PCM_BITDEPTH_TOO_LARGE=1027,
++ DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+ DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031
+ } de265_error;
+
+Index: libde265-1.0.4/libde265/motion.cc
+===================================================================
+--- libde265-1.0.4.orig/libde265/motion.cc
++++ libde265-1.0.4/libde265/motion.cc
+@@ -300,6 +300,12 @@ void generate_inter_prediction_samples(b
+ return;
+ }
+
++ if (sps->chroma_format_idc != img->get_chroma_format()) {
++ img->integrity = INTEGRITY_DECODING_ERRORS;
++ ctx->add_warning(DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS, false);
++ return;
++ }
++
+ const int SubWidthC = sps->SubWidthC;
+ const int SubHeightC = sps->SubHeightC;
+
diff -Nru libde265-1.0.4/debian/patches/CVE-2022-43238.patch libde265-1.0.4/debian/patches/CVE-2022-43238.patch
--- libde265-1.0.4/debian/patches/CVE-2022-43238.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2022-43238.patch 2024-02-06 15:51:20.000000000 +0000
@@ -0,0 +1,53 @@
+From f49d850d2ffadca0fb1e789051b04caf7f303fec Mon Sep 17 00:00:00 2001
+From: Dirk Farin
+Date: Tue, 24 Jan 2023 12:49:16 +0100
+Subject: [PATCH] fix poc7-2 (#341). poc7-1 is already fixed in (#373)
+
+---
+ libde265/de265.cc | 2 ++
+ libde265/de265.h | 3 ++-
+ libde265/motion.cc | 6 ++++++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+Index: libde265-1.0.4/libde265/de265.cc
+===================================================================
+--- libde265-1.0.4.orig/libde265/de265.cc
++++ libde265-1.0.4/libde265/de265.cc
+@@ -162,6 +162,8 @@ LIBDE265_API const char* de265_get_error
+ return "Bit-depth of current image does not match SPS";
+ case DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS:
+ return "Chroma format of current image does not match chroma in SPS";
++ case DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS:
++ return "Size of reference image does not match current size in SPS";
+
+ default: return "unknown error";
+ }
+Index: libde265-1.0.4/libde265/de265.h
+===================================================================
+--- libde265-1.0.4.orig/libde265/de265.h
++++ libde265-1.0.4/libde265/de265.h
+@@ -137,6 +137,7 @@ typedef enum {
+ DE265_WARNING_SPS_MISSING_CANNOT_DECODE_SEI=1025,
+ DE265_WARNING_COLLOCATED_MOTION_VECTOR_OUTSIDE_IMAGE_AREA=1026,
+ DE265_WARNING_PCM_BITDEPTH_TOO_LARGE=1027,
++ DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+ DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+ DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031
+ } de265_error;
+Index: libde265-1.0.4/libde265/motion.cc
+===================================================================
+--- libde265-1.0.4.orig/libde265/motion.cc
++++ libde265-1.0.4/libde265/motion.cc
+@@ -368,6 +368,12 @@ void generate_inter_prediction_samples(b
+
+ // TODO: fill predSamplesC with black or grey
+ }
++ else if (refPic->get_width(0) != sps->pic_width_in_luma_samples ||
++ refPic->get_height(0) != sps->pic_height_in_luma_samples ||
++ img->get_chroma_format() != refPic->get_chroma_format()) {
++ img->integrity = INTEGRITY_DECODING_ERRORS;
++ ctx->add_warning(DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS, false);
++ }
+ else {
+ // 8.5.3.2.2
+
diff -Nru libde265-1.0.4/debian/patches/fix-invalid-memory-access-after-unavailable-reference-frame-insertion.patch libde265-1.0.4/debian/patches/fix-invalid-memory-access-after-unavailable-reference-frame-insertion.patch
--- libde265-1.0.4/debian/patches/fix-invalid-memory-access-after-unavailable-reference-frame-insertion.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/fix-invalid-memory-access-after-unavailable-reference-frame-insertion.patch 2024-02-06 15:49:31.000000000 +0000
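Review bot: The new `else if` branch flags the picture and skips motion compensation, but it does not write `predSamplesL`/`predSamplesC`, which is the same gap the `// TODO: fill predSamplesC with black or grey` in the preceding branch points at. If the code after this if-chain (outside the hunk) goes on to combine those arrays into the output picture, it would be reading unfilled prediction buffers for this block; filling them with a neutral value, or skipping the block's output, in both error branches would avoid that. A short comment on the branch, e.g. `// reference picture geometry differs from the active SPS: do not run MC on it`, would also record why the size test lives here.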
@@ -0,0 +1,32 @@
+commit ee8e09a7f6f65b7c409c7801ad64918a2925ed9b
+Author: Dirk Farin
+Date: Fri May 4 10:39:28 2018 +0200
+
+ fix invalid memory access after unavailable reference frame insertion
+
+ (cherry picked from commit 5f0d9daac7793c0156686851f5ee868de1f8fbe8)
+
+--- libde265-1.0.4.orig/libde265/decctx.cc
++++ libde265-1.0.4/libde265/decctx.cc
+@@ -1657,9 +1657,8 @@ void decoder_context::process_reference_
+ PocStCurrBefore[i], false);
+ RefPicSetStCurrBefore[i] = k = concealedPicture;
+
+- if (concealedPicture < picInAnyList.size()) {
+- picInAnyList[concealedPicture] = true;
+- }
++ picInAnyList.resize(dpb.size(), false); // adjust size of array to hold new picture
++ picInAnyList[concealedPicture] = true;
+
+ //printf(" concealed: %d\n", concealedPicture);
+ }
+@@ -1680,6 +1679,9 @@ void decoder_context::process_reference_
+ int concealedPicture = generate_unavailable_reference_picture(current_sps.get(),
+ PocStCurrAfter[i], false);
+ RefPicSetStCurrAfter[i] = k = concealedPicture;
++
++
++ picInAnyList.resize(dpb.size(), false); // adjust size of array to hold new picture
+ picInAnyList[concealedPicture]=true;
+
+ //printf(" concealed: %d\n", concealedPicture);
diff -Nru libde265-1.0.4/debian/patches/series libde265-1.0.4/debian/patches/series
--- libde265-1.0.4/debian/patches/series 2024-01-26 19:57:57.000000000 +0000
+++ libde265-1.0.4/debian/patches/series 2024-02-06 15:51:20.000000000 +0000
@@ -4,3 +4,11 @@
 CVE-2020-21596.patch
 CVE-2020-21605.patch
 CVE-2021-36408.patch
+CVE-2021-35452.patch
+CVE-2021-36409.patch
+CVE-2021-36410.patch
+CVE-2021-36411.patch
+CVE-2022-43236.patch
+CVE-2022-43237.patch
+CVE-2022-43238.patch
+fix-invalid-memory-access-after-unavailable-reference-frame-insertion.patch
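Review bot: Both decctx.cc hunks index `picInAnyList[concealedPicture]` with the return value of generate_unavailable_reference_picture() unchecked, and the first hunk removes the only bounds test that was there. `picInAnyList.resize(dpb.size(), false)` covers the case where the DPB grew, but not a failure return: if that function can hand back a negative value when no picture buffer is available (its body is not in this diff), the write lands outside the vector. Keep a guard after the resize, e.g. `if (concealedPicture < 0 || static_cast<size_t>(concealedPicture) >= picInAnyList.size())` followed by leaving the reference-set processing with the image marked as having decoding errors, and apply it in the StCurrAfter loop as well. The resize-then-set pair is duplicated in the two loops and could move into one small helper; process_reference_picture_set itself starts and ends outside the hunks.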