diff -Nru libde265-1.0.4/debian/changelog libde265-1.0.4/debian/changelog
--- libde265-1.0.4/debian/changelog 2024-02-14 19:39:49.000000000 +0000
+++ libde265-1.0.4/debian/changelog 2024-03-01 09:52:18.000000000 +0000
@@ -1,3 +1,37 @@
+libde265 (1.0.4-1ubuntu0.4) focal-security; urgency=medium
+
+ * SECURITY UPDATE: denial-of-service
+ - debian/patches/CVE-2023-27102.patch: check whether referenced
+ PPS exists.
+ - CVE-2023-27102
+ * SECURITY UPDATE: heap-buffer-overflow
+ - debian/patches/CVE-2023-27103.patch: check for valid slice
+ header index access.
+ - CVE-2023-27103
+ * SECURITY UPDATE: buffer overflow
+ - debian/patches/CVE-2023-43887.patch: fix buffer overflow via the
+ num_tile_columns and num_tile_row parameters in the function
+ pic_parameter_set::dump.
+ - CVE-2023-43887
+ * SECURITY UPDATE: buffer overflow
+ - debian/patches/CVE-2023-47471.patch: check for null-pointer in
+ functon slice_segment_header::dump_slice_segment_header.
+ - CVE-2023-47471
+ * SECURITY UPDATE: heap-buffer-overflow
+ - debian/patches/CVE-2023-49465.patch: fix buffer overflow via the
+ derive_spatial_luma_vector_prediction function.
+ - CVE-2023-49465
+ * SECURITY UPDATE: heap-buffer-overflow
+ - debian/patches/CVE-2023-49467.patch: prevent endless loop in
+ decode_ref_idx_lX function when numRefIdxLXActive is invalid.
+ - CVE-2023-49467
+ * SECURITY UPDATE: buffer overflow
+ - debian/patches/CVE-2023-49468.patch: sanitize values if IPM is
+ uninitialized in get_IntraPredMode function.
+ - CVE-2023-49468
+
+ -- Fabian Toepfer Fri, 01 Mar 2024 10:52:18 +0100
+
 libde265 (1.0.4-1ubuntu0.3) focal-security; urgency=medium
+ * SECURITY UPDATE: read-out-of-bounds
diff -Nru libde265-1.0.4/debian/patches/CVE-2023-27102.patch libde265-1.0.4/debian/patches/CVE-2023-27102.patch
--- libde265-1.0.4/debian/patches/CVE-2023-27102.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2023-27102.patch 2024-03-01 09:35:03.000000000 +0000
@@ -0,0 +1,26 @@
+From 0b1752abff97cb542941d317a0d18aa50cb199b1 Mon Sep 17 00:00:00 2001
+From: Dirk Farin
+Date: Sat, 4 Mar 2023 10:32:43 +0100
+Subject: [PATCH] check whether referenced PPS exists (fixes #393)
+
+---
+ libde265/decctx.cc | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+Index: libde265/libde265/decctx.cc
+===================================================================
+--- libde265.orig/libde265/decctx.cc
++++ libde265/libde265/decctx.cc
+@@ -2276,9 +2276,10 @@ bool decoder_context::process_slice_segm
+ // get PPS and SPS for this slice
+
+ int pps_id = hdr->slice_pic_parameter_set_id;
+- if (pps[pps_id]->pps_read==false) {
++ if (pps[pps_id]==nullptr || pps[pps_id]->pps_read==false) {
+ logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
+- assert(false); // TODO
++ img->decctx->add_warning(DE265_WARNING_NONEXISTING_PPS_REFERENCED, false);
++ return false;
+ }
+
+ current_pps = pps[pps_id];
diff -Nru libde265-1.0.4/debian/patches/CVE-2023-27103.patch libde265-1.0.4/debian/patches/CVE-2023-27103.patch
--- libde265-1.0.4/debian/patches/CVE-2023-27103.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2023-27103.patch 2024-03-01 09:36:58.000000000 +0000
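Review bot: The new guard in process_slice_segment_header checks that `pps[pps_id]` is non-null and was read, but `pps_id` comes straight from `hdr->slice_pic_parameter_set_id` and is used as an array index on the same line, so the fix is only complete if the slice-header parser has already rejected ids outside the `pps` array; it is worth confirming rather than assuming, or extending the condition to `if (pps_id < 0 || pps_id >= DE265_MAX_PPS_SETS || pps[pps_id]==nullptr || pps[pps_id]->pps_read==false)` with whatever bound `pps[]` is actually declared with here. The warning is raised through `img->decctx->add_warning(...)` although this is a decoder_context member; if `img` can be null at this point that is a second dereference to check, and calling `add_warning(...)` on `this` would avoid it. The enclosing function starts and ends outside the hunk, so the caller's handling of the new `return false` (releasing the slice header, skipping the slice) is not visible here.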
@@ -0,0 +1,53 @@
+From d6bf73e765b7a23627bfd7a8645c143fd9097995 Mon Sep 17 00:00:00 2001
+From: Dirk Farin
+Date: Sat, 4 Mar 2023 10:27:59 +0100
+Subject: [PATCH] check for valid slice header index access (fixes #394)
+
+---
+ libde265/de265.cc | 2 ++
+ libde265/de265.h | 3 ++-
+ libde265/motion.cc | 10 ++++++++++
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+--- libde265-1.0.4.orig/libde265/de265.cc
++++ libde265-1.0.4/libde265/de265.cc
+@@ -166,6 +166,8 @@ LIBDE265_API const char* de265_get_error
+ return "Size of reference image does not match current size in SPS";
+ case DE265_WARNING_REFERENCE_IMAGE_BIT_DEPTH_DOES_NOT_MATCH:
+ return "Bit-depth of reference image does not match current image";
++ case DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS:
++ return "Access with invalid slice header index";
+
+ default: return "unknown error";
+ }
+--- libde265-1.0.4.orig/libde265/de265.h
++++ libde265-1.0.4/libde265/de265.h
+@@ -140,7 +140,8 @@ typedef enum {
+ DE265_WARNING_REFERENCE_IMAGE_BIT_DEPTH_DOES_NOT_MATCH=1028,
+ DE265_WARNING_REFERENCE_IMAGE_SIZE_DOES_NOT_MATCH_SPS=1029,
+ DE265_WARNING_CHROMA_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1030,
+- DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031
++ DE265_WARNING_BIT_DEPTH_OF_CURRENT_IMAGE_DOES_NOT_MATCH_SPS=1031,
++ DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS=1033
+ } de265_error;
+
+ LIBDE265_API const char* de265_get_error_text(de265_error err);
+--- libde265-1.0.4.orig/libde265/motion.cc
++++ libde265-1.0.4/libde265/motion.cc
+@@ -1272,6 +1272,16 @@ void derive_collocated_motion_vectors(ba
+
+
+
++ int slice_hdr_idx = colImg->get_SliceHeaderIndex(xColPb,yColPb);
++ if (slice_hdr_idx >= colImg->slices.size()) {
++ ctx->add_warning(DE265_WARNING_INVALID_SLICE_HEADER_INDEX_ACCESS, false);
++
++ *out_availableFlagLXCol = 0;
++ out_mvLXCol->x = 0;
++ out_mvLXCol->y = 0;
++ return;
++ }
++
+ const slice_segment_header* colShdr = colImg->slices[ colImg->get_SliceHeaderIndex(xColPb,yColPb) ];
+
+ if (shdr->LongTermRefPic[X][refIdxLX] !=
diff -Nru libde265-1.0.4/debian/patches/CVE-2023-43887.patch libde265-1.0.4/debian/patches/CVE-2023-43887.patch
--- libde265-1.0.4/debian/patches/CVE-2023-43887.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2023-43887.patch 2024-03-01 09:37:10.000000000 +0000
@@ -0,0 +1,35 @@
+From 63b596c915977f038eafd7647d1db25488a8c133 Mon Sep 17 00:00:00 2001
+From: Dirk Farin
+Date: Fri, 1 Sep 2023 21:18:48 +0200
+Subject: [PATCH] fix #418
+
+---
+ libde265/decctx.cc | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+Index: libde265/libde265/decctx.cc
+===================================================================
+--- libde265.orig/libde265/decctx.cc
++++ libde265/libde265/decctx.cc
+@@ -854,16 +854,17 @@ de265_error decoder_context::read_pps_NA
+ std::shared_ptr new_pps = std::make_shared();
+
+ bool success = new_pps->read(&reader,this);
++ if (!success) {
++ return DE265_WARNING_PPS_HEADER_INVALID;
++ }
+
+ if (param_pps_headers_fd>=0) {
+ new_pps->dump(param_pps_headers_fd);
+ }
+
+- if (success) {
+- pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+- }
++ pps[ (int)new_pps->pic_parameter_set_id ] = new_pps;
+
+- return success ? DE265_OK : DE265_WARNING_PPS_HEADER_INVALID;
++ return DE265_OK;
+ }
+
+ de265_error decoder_context::read_sei_NAL(bitreader& reader, bool suffix)
diff -Nru libde265-1.0.4/debian/patches/CVE-2023-47471.patch libde265-1.0.4/debian/patches/CVE-2023-47471.patch
--- libde265-1.0.4/debian/patches/CVE-2023-47471.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2023-47471.patch 2024-03-01 09:37:21.000000000 +0000
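Review bot: In the motion.cc hunk the access on the line after the new check still calls `colImg->get_SliceHeaderIndex(xColPb,yColPb)` a second time instead of using the `slice_hdr_idx` it just validated; `colImg->slices[ slice_hdr_idx ]` keeps the check and the access on the same value. `slice_hdr_idx` is an `int` compared against `slices.size()`, so if get_SliceHeaderIndex can ever return a negative value the comparison promotes it to a large unsigned and the guard passes; adding `slice_hdr_idx < 0 ||` to the condition closes that at no cost if it cannot. The gap in de265.h (1031 to 1033) looks like it preserves the upstream numbering for ABI compatibility, which deserves a one-line comment so nobody "fixes" it to 1032. derive_collocated_motion_vectors starts before and continues after the hunk.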
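Review bot: The early `return DE265_WARNING_PPS_HEADER_INVALID` keeps an unparseable PPS away from `new_pps->dump(...)`, which is what the changelog credits for the num_tile_columns/num_tile_rows overflow, but dump itself is not touched here, so the protection rests entirely on `read()` rejecting those values before it reports success; a bound check inside pic_parameter_set::dump would make the debug path safe on its own. `pps[ (int)new_pps->pic_parameter_set_id ]` is still indexed without a visible range check on the id; presumably read() validates it, and a comment saying so at the store would spare the next reader the same question. read_pps_NAL starts outside the hunk.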
@@ -0,0 +1,38 @@
+From e36b4a1b0bafa53df47514c419d5be3e8916ebc7 Mon Sep 17 00:00:00 2001
+From: Dirk Farin
+Date: Sat, 4 Nov 2023 15:20:50 +0100
+Subject: [PATCH] null-pointer check in debug output (fixes #426)
+
+---
+ libde265/slice.cc | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+Index: libde265/libde265/slice.cc
+===================================================================
+--- libde265.orig/libde265/slice.cc
++++ libde265/libde265/slice.cc
+@@ -1277,14 +1277,23 @@ void slice_segment_header::dump_slice_se
+ #define LOG3(t,d1,d2,d3) log2fh(fh, t,d1,d2,d3)
+ #define LOG4(t,d1,d2,d3,d4) log2fh(fh, t,d1,d2,d3,d4)
+
++ LOG0("----------------- SLICE -----------------\n");
++
+ const pic_parameter_set* pps = ctx->get_pps(slice_pic_parameter_set_id);
++ if (!pps) {
++ LOG0("invalid PPS referenced\n");
++ return;
++ }
+ assert(pps->pps_read); // TODO: error handling
+
+ const seq_parameter_set* sps = ctx->get_sps((int)pps->seq_parameter_set_id);
++ if (!sps) {
++ LOG0("invalid SPS referenced\n");
++ return;
++ }
+ assert(sps->sps_read); // TODO: error handling
+
+
+- LOG0("----------------- SLICE -----------------\n");
+ LOG1("first_slice_segment_in_pic_flag : %d\n", first_slice_segment_in_pic_flag);
+ if (ctx->get_nal_unit_type() >= NAL_UNIT_BLA_W_LP &&
+ ctx->get_nal_unit_type() <= NAL_UNIT_RESERVED_IRAP_VCL23) {
diff -Nru libde265-1.0.4/debian/patches/CVE-2023-49465.patch libde265-1.0.4/debian/patches/CVE-2023-49465.patch
--- libde265-1.0.4/debian/patches/CVE-2023-49465.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2023-49465.patch 2024-03-01 09:37:28.000000000 +0000
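Review bot: The new null checks are immediately followed by the old `assert(pps->pps_read); // TODO: error handling` and `assert(sps->sps_read); // TODO: error handling`, so in a build with NDEBUG a parameter set that exists but was never read is still dereferenced for every field dumped below; folding the flag into the new guards, `if (!pps || !pps->pps_read) { LOG0("invalid PPS referenced\n"); return; }` and the same for sps, gives the dump one consistent failure path instead of an assertion that compiles away. Moving the SLICE banner above the guards means a truncated dump still prints its header, which is a good choice but reads as a plain reorder in the diff; a short comment on that line would make the intent clear. dump_slice_segment_header starts before and continues after the hunk.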
@@ -0,0 +1,26 @@
+commit 1475c7d2f0a6dc35c27e18abc4db9679bfd32568
+Author: Dirk Farin
+Date: Thu Nov 23 19:43:55 2023 +0100
+
+ possible fix for #435
+
+Index: libde265-1.0.11/libde265/motion.cc
+===================================================================
+--- libde265-1.0.11.orig/libde265/motion.cc 2023-12-26 00:57:38.881002145 +0100
++++ libde265-1.0.11/libde265/motion.cc 2023-12-26 00:57:38.877002144 +0100
+@@ -1859,7 +1859,14 @@
+ logmvcand(vi);
+
+ const de265_image* imgX = NULL;
+- if (vi.predFlag[X]) imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]);
++ if (vi.predFlag[X]) {
++ if (vi.refIdx[X] < 0 || vi.refIdx[X] >= MAX_NUM_REF_PICS) {
++ return;
++ }
++
++ imgX = ctx->get_image(shdr->RefPicList[X][ vi.refIdx[X] ]);
++ }
++
+ const de265_image* imgY = NULL;
+ if (vi.predFlag[Y]) imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]);
+
diff -Nru libde265-1.0.4/debian/patches/CVE-2023-49467.patch libde265-1.0.4/debian/patches/CVE-2023-49467.patch
--- libde265-1.0.4/debian/patches/CVE-2023-49467.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2023-49467.patch 2024-03-01 09:37:32.000000000 +0000
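Review bot: The bounds check on `vi.refIdx[X]` is not mirrored for the Y list on the last lines of the hunk, where `shdr->RefPicList[Y][ vi.refIdx[Y] ]` is still indexed directly with the same kind of value; the same guard belongs there: `if (vi.predFlag[Y]) { if (vi.refIdx[Y] < 0 || vi.refIdx[Y] >= MAX_NUM_REF_PICS) return; imgY = ctx->get_image(shdr->RefPicList[Y][ vi.refIdx[Y] ]); }`. The check compares against the array capacity MAX_NUM_REF_PICS rather than the slice's active reference count, so an index between the active count and the capacity still reads a list entry that may not have been filled in for this slice; comparing against the active count, if the header exposes it here, would be tighter. The early `return` leaves whatever outputs the function produces untouched, and since its signature and normal return path are outside the hunk it is worth confirming the caller treats that as "candidate unavailable" rather than as a valid prediction.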
@@ -0,0 +1,22 @@
+commit 7e4faf254bbd2e52b0f216cb987573a2cce97b54
+Author: Dirk Farin
+Date: Thu Nov 23 19:38:34 2023 +0100
+
+ prevent endless loop for #434 input
+
+diff --git a/libde265/slice.cc b/libde265/slice.cc
+index 435123dc..3a8a8de1 100644
+--- a/libde265/slice.cc
++++ b/libde265/slice.cc
+@@ -2582,6 +2582,11 @@ static int decode_rqt_root_cbf(thread_context* tctx)
+
+ static int decode_ref_idx_lX(thread_context* tctx, int numRefIdxLXActive)
+ {
++ // prevent endless loop when 'numRefIdxLXActive' is invalid
++ if (numRefIdxLXActive <= 1) {
++ return 0;
++ }
++
+ logtrace(LogSlice,"# ref_idx_lX\n");
+
+ int cMax = numRefIdxLXActive-1;
diff -Nru libde265-1.0.4/debian/patches/CVE-2023-49468.patch libde265-1.0.4/debian/patches/CVE-2023-49468.patch
--- libde265-1.0.4/debian/patches/CVE-2023-49468.patch 1970-01-01 00:00:00.000000000 +0000
+++ libde265-1.0.4/debian/patches/CVE-2023-49468.patch 2024-03-01 09:37:38.000000000 +0000
@@ -0,0 +1,26 @@
+commit 3e822a3ccf88df1380b165d6ce5a00494a27ceeb
+Author: Dirk Farin
+Date: Thu Nov 23 19:11:34 2023 +0100
+
+ fix #432 (undefined IPM)
+
+diff --git a/libde265/image.h b/libde265/image.h
+index 0b536054..0a0c0e32 100644
+--- a/libde265/image.h
++++ b/libde265/image.h
+@@ -624,7 +624,14 @@ public:
+
+ enum IntraPredMode get_IntraPredMode(int x,int y) const
+ {
+- return (enum IntraPredMode)intraPredMode.get(x,y);
++ uint8_t ipm = intraPredMode.get(x,y);
++
++ // sanitize values if IPM is uninitialized (because of earlier read error)
++ if (ipm > 34) {
++ ipm = 0;
++ }
++
++ return static_cast(ipm);
+ }
+
+ enum IntraPredMode get_IntraPredMode_atIndex(int idx) const
diff -Nru libde265-1.0.4/debian/patches/series libde265-1.0.4/debian/patches/series
--- libde265-1.0.4/debian/patches/series 2024-02-14 19:09:29.000000000 +0000
+++ libde265-1.0.4/debian/patches/series 2024-03-01 09:37:38.000000000 +0000
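Review bot: `if (numRefIdxLXActive <= 1) return 0;` folds two different cases together: 1 is a legal value for which ref_idx_lX is simply not signalled and 0 is the right answer, while 0 or a negative value is a corrupt header that now decodes silently as reference index 0. The comment on the preceding line only mentions the invalid case; splitting it, e.g. `if (numRefIdxLXActive <= 0) { /* corrupt header: report, then fall back to idx 0 */ return 0; }` ahead of the `<= 1` guard and routing that branch through the decoder's add_warning path the other patches in this update use, keeps the stream error visible to callers instead of hidden in a successful decode. The loop the guard protects and the function's return are outside the hunk.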
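Review bot: The literal `34` in `if (ipm > 34)` encodes the last angular intra mode by hand; expressing it through the enum's last member (INTRA_ANGULAR_34 upstream, if that is the name in this tree) ties the clamp to the type it is cast to and survives any change to the enum. The sibling accessor declared on the hunk's last line, `get_IntraPredMode_atIndex(int idx)`, presumably reads the same `intraPredMode` storage, and its body is outside the hunk, so it may still hand out an unsanitized value; it deserves the same clamp. Mapping garbage to mode 0 is fine for memory safety but hides the earlier read error; a trace or warning at the clamp site would help when diagnosing a corrupted stream.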
@@ -21,3 +21,10 @@
 CVE-2023-24755.patch
 CVE-2023-25221.patch
 check-for-negative-q-values-in-invalid-input-streams.patch
+CVE-2023-27102.patch
+CVE-2023-27103.patch
+CVE-2023-43887.patch
+CVE-2023-47471.patch
+CVE-2023-49465.patch
+CVE-2023-49467.patch
+CVE-2023-49468.patch