On 2023-01-22 13:30:00 +0100, Tobias Frost wrote: > Package: libde265 > Version: 1.0.9-1 > Severity: normal > Tags: patch pending > > > Dear maintainer, > > I've prepared an NMU for libde265 (versioned as 1.0.9-1.1) and > uploaded it to DELAYED/2. Please feel free to tell me if I > should delay it longer.
Thanks for working on the issue. Feel free to directly upload it to unstable / reschedule to DELAYED/0. Cheers > > Regards. > > diff -Nru libde265-1.0.9/debian/changelog libde265-1.0.9/debian/changelog > --- libde265-1.0.9/debian/changelog 2022-10-25 10:15:37.000000000 +0200 > +++ libde265-1.0.9/debian/changelog 2023-01-22 13:19:20.000000000 +0100 > @@ -1,7 +1,35 @@ > +libde265 (1.0.9-1.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * Apply patches to mitigate asan failures: > + reject_reference_pics_from_different_sps.patch and > + use_sps_from_the_image.patch. > + * Combined, this two patches fixes: > + - CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #1025816) > + - CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, > + CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, > + CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #1027179) > + - CVE-2022-47655 > + * Additional patch recycle_sps_if_possible.patch to avoid over-rejecting > + valid video streams due to > reject_reference_pics_from_different_sps.patch. > + * Modifying past changelog entries to indicate when vulnerabilities were > + fixed: > + - In 1.0.9-1, in total 11 CVE's. see #1004963 and #1014999 > + - In 1.0.3-1, 1 CVE, see #1029396 > + * drop unused Build-Depends: libjpeg-dev, libpng-dev and libxv-dev > + (Closes: #981260) > + > + -- Tobias Frost <t...@debian.org> Sun, 22 Jan 2023 13:19:20 +0100 > + > libde265 (1.0.9-1) unstable; urgency=medium > > * Add "Rules-Requires-Root: no". > - * New upstream version 1.0.9 > + * New upstream version 1.0.9. > + Bisecting shows that this version fixed this CVES: > + - CVE-2020-21598, CVE-2020-21600, CVE-2020-21602 (Closes: #1004963) > + - CVE-2020-21595, CVE-2020-21597, CVE-2020-21599, CVE-2020-21601, > + CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606 > + (Closes: #1014999) > * Remove patches now part of upstream release. > * Bump "Standards-Version" to 4.6.1 > * Add patch to provide "gl_VISIBILITY" macro. > @@ -78,6 +106,7 @@ > > [ Joachim Bauch ] > * Imported Upstream version 1.0.3 > + This version fixes CVE-2020-21594. (Closes: #1029396) > * Update patches for new upstream version. > * Update symbols for new upstream version. > * Update standards version and switch to debhelper 10. > diff -Nru libde265-1.0.9/debian/control libde265-1.0.9/debian/control > --- libde265-1.0.9/debian/control 2022-10-25 10:15:37.000000000 +0200 > +++ libde265-1.0.9/debian/control 2023-01-22 13:04:40.000000000 +0100 > @@ -7,14 +7,11 @@ > Joachim Bauch <ba...@struktur.de> > Build-Depends: > debhelper-compat (= 13), > - libjpeg-dev, > - libpng-dev, > qtbase5-dev | libqt4-dev, > libsdl-dev, > libswscale-dev, > libx11-dev, > libxext-dev, > - libxv-dev, > pkg-config > Rules-Requires-Root: no > Standards-Version: 4.6.1 > diff -Nru libde265-1.0.9/debian/.gitlab-ci.yml > libde265-1.0.9/debian/.gitlab-ci.yml > --- libde265-1.0.9/debian/.gitlab-ci.yml 1970-01-01 01:00:00.000000000 > +0100 > +++ libde265-1.0.9/debian/.gitlab-ci.yml 2023-01-21 18:01:58.000000000 > +0100 > @@ -0,0 +1,3 @@ > +include: > + - > https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml > + > diff -Nru libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch > libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch > --- libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch > 2023-01-22 13:19:20.000000000 +0100 > @@ -0,0 +1,340 @@ > +Description: Don't update sps if they are only repeated > +Origin: https://github.com/strukturag/libde265/pull/372 > +From 51f07f132f29832e025a8b913b61cbd20257c5fc Mon Sep 17 00:00:00 2001 > +From: Tobias Frost <t...@debian.org> > +Date: Fri, 13 Jan 2023 12:22:45 +0100 > +Subject: [PATCH] Don't update sps if they are only repeated > + > +This is an attempt to improve the mitigations from #365 and #366 and picks > up an idea I described at #345: > + > +> One way would be just to look at the pointers of the SPS (fast and easy, > but > +> may reject more than required), or investigate if the SPS used for the > image > +> generations are "compatible". > + > +This changes do exactly this: It (very conservativly) checks if the old and > new sps have > +identical information -- except the reference picture set, which I believe > is supposed > +to be updated by new sps'). If they are basically identical, the old sps > will be > +used instead of the new one, (of course, reference image set is updated from > the new one) > + > +I'm using standalone operator== and helper functions to avoid changing ABI > of the library; > +if an ABI bump would be done, of course this should go to the respective > classes. > +--- > + libde265/decctx.cc | 273 +++++++++++++++++++++++++++++++++++++++++++++ > + libde265/sps.cc | 6 + > + 2 files changed, 279 insertions(+) > + > +diff --git a/libde265/decctx.cc b/libde265/decctx.cc > +index 6701725f..0000b25d 100644 > +--- a/libde265/decctx.cc > ++++ b/libde265/decctx.cc > +@@ -545,6 +545,263 @@ de265_error decoder_context::read_vps_NAL(bitreader& > reader) > + return DE265_OK; > + } > + > ++// implemented as freestanding functions to avoid changing API > ++ > ++bool operator==(const profile_data &lhs, const profile_data &rhs) { > ++ if(&lhs == &rhs) return true; > ++ if(lhs.profile_present_flag != rhs.profile_present_flag ) return false; > ++ if(lhs.profile_present_flag) { > ++ if(lhs.profile_space != rhs.profile_space ) return false; > ++ if(lhs.tier_flag != rhs.tier_flag ) return false; > ++ if(lhs.profile_idc != rhs.profile_idc ) return false; > ++ > ++ if(memcmp(lhs.profile_compatibility_flag, > rhs.profile_compatibility_flag, sizeof(rhs.profile_compatibility_flag)) ) > return false; > ++ > ++ if(lhs.progressive_source_flag != rhs.progressive_source_flag ) > return false; > ++ if(lhs.interlaced_source_flag != rhs.interlaced_source_flag ) > return false; > ++ if(lhs.non_packed_constraint_flag != > rhs.non_packed_constraint_flag ) return false; > ++ if(lhs.frame_only_constraint_flag != > rhs.frame_only_constraint_flag ) return false; > ++ } > ++ > ++ if(lhs.level_present_flag != rhs.level_present_flag) return false; > ++ if(lhs.level_present_flag && lhs.level_idc != rhs.level_idc ) return > false; > ++ > ++ return true; > ++} > ++ > ++bool operator!=(const profile_data &lhs, const profile_data &rhs) { > ++ if(&lhs == &rhs) return false; > ++ return (!(lhs==rhs)); > ++} > ++ > ++// class does not store max_sub_layers, so operator == cannot be done. > ++bool isEqual(const profile_tier_level &lhs , const profile_tier_level &rhs, > int sps_max_sub_layers ) { > ++ if(&lhs == &rhs) return true; > ++ > ++ if(lhs.general != rhs.general ) return false; > ++ for(int i = 0 ; i < sps_max_sub_layers; i++ ) { > ++ if(lhs.sub_layer[i] != rhs.sub_layer[i]) return false; > ++ } > ++ return true; > ++} > ++ > ++bool isEqual(const video_usability_information &lhs, const > video_usability_information &rhs, const seq_parameter_set &sps) { > ++ if(&lhs == &rhs) return true; > ++ > ++ // not seen yet if(lhs.nal_hrd_parameters_present_flag != > rhs.nal_hrd_parameters_present_flag ) return false; > ++ > ++ // populated by video_usability_information::read() > ++ if(lhs.aspect_ratio_info_present_flag != > rhs.aspect_ratio_info_present_flag ) return false; > ++ if(lhs.aspect_ratio_info_present_flag) { > ++ if(lhs.sar_width != rhs.sar_width ) return false; > ++ if(lhs.sar_height != rhs.sar_height ) return false; > ++ } > ++ > ++ if(lhs.overscan_info_present_flag != rhs.overscan_info_present_flag ) > return false; > ++ if(lhs.overscan_info_present_flag) { > ++ if(lhs.overscan_appropriate_flag != > rhs.overscan_appropriate_flag ) return false; > ++ } > ++ > ++ if(lhs.video_signal_type_present_flag != > rhs.video_signal_type_present_flag ) return false; > ++ if(lhs.video_signal_type_present_flag) { > ++ if(lhs.video_format != rhs.video_format ) return false; > ++ if(lhs.video_full_range_flag != rhs.video_full_range_flag) > return false; > ++ if(lhs.colour_description_present_flag != > rhs.colour_description_present_flag) return false; > ++ if(lhs.colour_primaries != rhs.colour_primaries ) return false; > ++ if(lhs.transfer_characteristics != rhs.transfer_characteristics > ) return false; > ++ if(lhs.matrix_coeffs != rhs.matrix_coeffs ) return false; > ++ } > ++ > ++ if(lhs.chroma_loc_info_present_flag != rhs.chroma_loc_info_present_flag > ) return false; > ++ if(lhs.chroma_loc_info_present_flag) { > ++ if(lhs.chroma_sample_loc_type_top_field != > rhs.chroma_sample_loc_type_top_field ) return false; > ++ if(lhs.chroma_sample_loc_type_bottom_field != > rhs.chroma_sample_loc_type_bottom_field ) return false; > ++ } > ++ if(lhs.neutral_chroma_indication_flag != > rhs.neutral_chroma_indication_flag ) return false; > ++ if(lhs.field_seq_flag != rhs.field_seq_flag ) return false; > ++ if(lhs.frame_field_info_present_flag != > rhs.frame_field_info_present_flag ) return false; > ++ > ++ if(lhs.default_display_window_flag != rhs.default_display_window_flag ) > return false; > ++ if(lhs.default_display_window_flag) { > ++ if(lhs.def_disp_win_left_offset != rhs.def_disp_win_left_offset > ) return false; > ++ if(lhs.def_disp_win_right_offset != > rhs.def_disp_win_right_offset ) return false; > ++ if(lhs.def_disp_win_top_offset != rhs.def_disp_win_top_offset ) > return false; > ++ if(lhs.def_disp_win_bottom_offset != > rhs.def_disp_win_bottom_offset ) return false; > ++ } > ++ > ++ if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag > ) return false; > ++ if(lhs.vui_timing_info_present_flag) { > ++ if(lhs.vui_num_units_in_tick != rhs.vui_num_units_in_tick ) > return false; > ++ if(lhs.vui_time_scale != rhs.vui_time_scale ) return false; > ++ if(lhs.vui_timing_info_present_flag != > rhs.vui_timing_info_present_flag ) return false; > ++ if(lhs.vui_timing_info_present_flag) { > ++ if(lhs.vui_num_ticks_poc_diff_one != > rhs.vui_num_ticks_poc_diff_one ) return false; > ++ } > ++ } > ++ > ++ if(lhs.vui_hrd_parameters_present_flag != > rhs.vui_hrd_parameters_present_flag ) return false; > ++ > ++ > ++ if(lhs.vui_hrd_parameters_present_flag) { > ++ // check things made by hrd_parametes > ++ > ++ if(lhs.vui_hrd_parameters_present_flag != > rhs.vui_hrd_parameters_present_flag ) return false; > ++ if(lhs.vcl_hrd_parameters_present_flag != > rhs.vcl_hrd_parameters_present_flag ) return false; > ++ > ++ if(lhs.nal_hrd_parameters_present_flag || > lhs.vcl_hrd_parameters_present_flag) { > ++ if(lhs.sub_pic_hrd_params_present_flag != > rhs.sub_pic_hrd_params_present_flag ) return false; > ++ if(lhs.sub_pic_hrd_params_present_flag) { > ++ if(lhs.tick_divisor_minus2 != > rhs.tick_divisor_minus2 ) return false; > ++ > if(lhs.du_cpb_removal_delay_increment_length_minus1 != > rhs.du_cpb_removal_delay_increment_length_minus1 ) return false; > ++ > if(lhs.sub_pic_cpb_params_in_pic_timing_sei_flag != > rhs.sub_pic_cpb_params_in_pic_timing_sei_flag ) return false; > ++ if(lhs.dpb_output_delay_du_length_minus1 != > rhs.dpb_output_delay_du_length_minus1 ) return false; > ++ } > ++ if(lhs.bit_rate_scale != rhs.bit_rate_scale ) return > false; > ++ if(lhs.cpb_size_scale != rhs.cpb_size_scale ) return > false; > ++ if(lhs.sub_pic_hrd_params_present_flag) { > ++ if(lhs.cpb_size_du_scale != > rhs.cpb_size_du_scale ) return false; > ++ } > ++ if(lhs.initial_cpb_removal_delay_length_minus1 != > rhs.initial_cpb_removal_delay_length_minus1 ) return false; > ++ if(lhs.au_cpb_removal_delay_length_minus1 != > rhs.au_cpb_removal_delay_length_minus1 ) return false; > ++ if(lhs.dpb_output_delay_length_minus1 != > rhs.dpb_output_delay_length_minus1 ) return false; > ++ } > ++ > ++ int i; > ++ unsigned int j, nalOrVcl; > ++ > ++ for (i = 0; i < sps.sps_max_sub_layers; i++) { > ++ if(lhs.fixed_pic_rate_general_flag[i] != > rhs.fixed_pic_rate_general_flag[i] ) return false; > ++ if(lhs.fixed_pic_rate_general_flag[i]) { > ++ if(lhs.elemental_duration_in_tc_minus1[i] != > rhs.elemental_duration_in_tc_minus1[i] ) return false; > ++ } > ++ if(lhs.low_delay_hrd_flag[i] != > rhs.low_delay_hrd_flag[i] ) return false; > ++ if(lhs.cpb_cnt_minus1[i] != rhs.cpb_cnt_minus1[i] ) > return false; > ++ > ++ for (nalOrVcl = 0; nalOrVcl < 2; nalOrVcl++) { > ++ if (((nalOrVcl == 0) && > lhs.nal_hrd_parameters_present_flag) || ((nalOrVcl == 1) && > lhs.vcl_hrd_parameters_present_flag)) { > ++ for (j = 0; j <= lhs.cpb_cnt_minus1[i]; > j++) { > ++ > if(lhs.bit_rate_value_minus1[i][j][nalOrVcl] != > rhs.bit_rate_value_minus1[i][j][nalOrVcl]) return false; > ++ > if(lhs.cpb_size_value_minus1[i][j][nalOrVcl] != > rhs.cpb_size_value_minus1[i][j][nalOrVcl]) return false; > ++ > ++ if > (lhs.sub_pic_hrd_params_present_flag) { > ++ > if(lhs.cpb_size_du_value_minus1[i][j][nalOrVcl] != > rhs.cpb_size_du_value_minus1[i][j][nalOrVcl]) return false; > ++ > if(lhs.bit_rate_du_value_minus1[i][j][nalOrVcl] != > rhs.bit_rate_du_value_minus1[i][j][nalOrVcl]) return false; > ++ } > ++ if( > lhs.cbr_flag[i][j][nalOrVcl] != rhs.cbr_flag[i][j][nalOrVcl]) return false; > ++ } > ++ } > ++ } > ++ } > ++ } > ++ return true; > ++} > ++ > ++bool operator==(const sps_range_extension &lhs, const sps_range_extension > &rhs) { > ++ if(&lhs == &rhs) return true; > ++ if(lhs.transform_skip_rotation_enabled_flag != > rhs.transform_skip_rotation_enabled_flag ) return false; > ++ if(lhs.transform_skip_context_enabled_flag != > rhs.transform_skip_context_enabled_flag ) return false; > ++ if(lhs.implicit_rdpcm_enabled_flag != rhs.implicit_rdpcm_enabled_flag ) > return false; > ++ if(lhs.explicit_rdpcm_enabled_flag != rhs.explicit_rdpcm_enabled_flag ) > return false; > ++ if(lhs.extended_precision_processing_flag != > rhs.extended_precision_processing_flag ) return false; > ++ if(lhs.intra_smoothing_disabled_flag != > rhs.intra_smoothing_disabled_flag ) return false; > ++ if(lhs.high_precision_offsets_enabled_flag != > rhs.high_precision_offsets_enabled_flag ) return false; > ++ if(lhs.persistent_rice_adaptation_enabled_flag != > rhs.persistent_rice_adaptation_enabled_flag ) return false; > ++ if(lhs.cabac_bypass_alignment_enabled_flag != > rhs.cabac_bypass_alignment_enabled_flag ) return false; > ++ return true; > ++} > ++ > ++bool operator!=(const sps_range_extension &lhs, const sps_range_extension > &rhs) { > ++ if(&lhs == &rhs) return false; > ++ return !(lhs==rhs); > ++} > ++ > ++ > ++bool operator==(const seq_parameter_set &lhs, const seq_parameter_set &rhs) > { > ++ > ++ if(&lhs== &rhs) return true; > ++ > ++ if(lhs.sps_read != rhs.sps_read) return false; > ++ > ++ if(lhs.video_parameter_set_id != rhs.video_parameter_set_id) return > false; > ++ if(lhs.sps_max_sub_layers != rhs.sps_max_sub_layers) return false; > ++ if(lhs.sps_temporal_id_nesting_flag != > rhs.sps_temporal_id_nesting_flag) return false; > ++ > ++ if(!isEqual(lhs.profile_tier_level_, rhs.profile_tier_level_, > lhs.sps_max_sub_layers)) return false; > ++ > ++ if(lhs.seq_parameter_set_id != rhs.seq_parameter_set_id) return false; > ++ if(lhs.chroma_format_idc != rhs.chroma_format_idc) return false; > ++ > ++ if(lhs.separate_colour_plane_flag != rhs.separate_colour_plane_flag) > return false; > ++ if(lhs.pic_width_in_luma_samples != rhs.pic_width_in_luma_samples) > return false; > ++ if(lhs.pic_height_in_luma_samples != rhs.pic_height_in_luma_samples) > return false; > ++ if(lhs.conformance_window_flag != rhs.conformance_window_flag) return > false; > ++ > ++ if(lhs.conformance_window_flag) { > ++ if(lhs.conf_win_left_offset != rhs.conf_win_left_offset) return > false; > ++ if(lhs.conf_win_right_offset != rhs.conf_win_right_offset) > return false; > ++ if(lhs.conf_win_top_offset != rhs.conf_win_top_offset) return > false; > ++ if(lhs.conf_win_bottom_offset != rhs.conf_win_bottom_offset) > return false; > ++ } > ++ > ++ if(lhs.bit_depth_luma != rhs.bit_depth_luma) return false; > ++ if(lhs.bit_depth_chroma != rhs.bit_depth_chroma) return false; > ++ > ++ if(lhs.log2_max_pic_order_cnt_lsb != rhs.log2_max_pic_order_cnt_lsb) > return false; > ++ if(lhs.sps_sub_layer_ordering_info_present_flag != > rhs.sps_sub_layer_ordering_info_present_flag) return false; > ++ > ++ if(memcmp(lhs.sps_max_dec_pic_buffering, rhs.sps_max_dec_pic_buffering, > sizeof(rhs.sps_max_dec_pic_buffering))) return false; > ++ if(memcmp(lhs.sps_max_num_reorder_pics, rhs.sps_max_num_reorder_pics, > sizeof(rhs.sps_max_num_reorder_pics))) return false; > ++ if(memcmp(lhs.sps_max_latency_increase_plus1, > rhs.sps_max_latency_increase_plus1, > sizeof(rhs.sps_max_latency_increase_plus1))) return false; > ++ > ++ if(lhs.log2_min_luma_coding_block_size != > rhs.log2_min_luma_coding_block_size) return false; > ++ if(lhs.log2_diff_max_min_luma_coding_block_size != > rhs.log2_diff_max_min_luma_coding_block_size) return false; > ++ if(lhs.log2_min_transform_block_size != > rhs.log2_min_transform_block_size) return false; > ++ if(lhs.log2_diff_max_min_transform_block_size != > rhs.log2_diff_max_min_transform_block_size) return false; > ++ if(lhs.max_transform_hierarchy_depth_inter != > rhs.max_transform_hierarchy_depth_inter) return false; > ++ if(lhs.max_transform_hierarchy_depth_intra != > rhs.max_transform_hierarchy_depth_intra) return false; > ++ > ++ if(lhs.scaling_list_enable_flag != rhs.scaling_list_enable_flag) return > false; > ++ if(lhs.scaling_list_enable_flag) { > ++ if(lhs.sps_scaling_list_data_present_flag != > rhs.sps_scaling_list_data_present_flag) return false; > ++ if(lhs.sps_scaling_list_data_present_flag) { > ++ // compare only needed if present, otherwise it is the > default scaling list. > ++ if(memcmp(&lhs.scaling_list, &rhs.scaling_list, > sizeof(rhs.scaling_list))) return false; > ++ } > ++ } > ++ > ++ if(lhs.amp_enabled_flag != rhs.amp_enabled_flag) return false; > ++ if(lhs.sample_adaptive_offset_enabled_flag != > rhs.sample_adaptive_offset_enabled_flag) return false; > ++ if(lhs.pcm_enabled_flag != rhs.pcm_enabled_flag) return false; > ++ > ++ if(lhs.pcm_enabled_flag) { > ++ if(lhs.pcm_sample_bit_depth_luma != > rhs.pcm_sample_bit_depth_luma) return false; > ++ if(lhs.pcm_sample_bit_depth_chroma != > rhs.pcm_sample_bit_depth_chroma) return false; > ++ if(lhs.log2_min_pcm_luma_coding_block_size != > rhs.log2_min_pcm_luma_coding_block_size) return false; > ++ if(lhs.log2_diff_max_min_pcm_luma_coding_block_size != > rhs.log2_diff_max_min_pcm_luma_coding_block_size) return false; > ++ if(lhs.pcm_loop_filter_disable_flag != > rhs.pcm_loop_filter_disable_flag) return false; > ++ } > ++ > ++ // (longterm) reference pics likely to change with a new sps, so > ignored here. > ++ > ++ if(lhs.sps_temporal_mvp_enabled_flag != > rhs.sps_temporal_mvp_enabled_flag) return false; > ++ if(lhs.strong_intra_smoothing_enable_flag != > rhs.strong_intra_smoothing_enable_flag) return false; > ++ > ++ if(lhs.vui_parameters_present_flag != rhs.vui_parameters_present_flag) > return false; > ++ if(lhs.vui_parameters_present_flag) { > ++ if(!isEqual(lhs.vui, rhs.vui, lhs )) return false; > ++ } > ++ > ++ if(lhs.sps_extension_present_flag != rhs.sps_extension_present_flag ) > return false; > ++ if(lhs.sps_extension_present_flag) { > ++ if(lhs.sps_range_extension_flag != rhs.sps_range_extension_flag > ) return false; > ++ if(lhs.sps_multilayer_extension_flag != > rhs.sps_multilayer_extension_flag ) return false; > ++ if(lhs.sps_extension_6bits != rhs.sps_extension_6bits ) return > false; > ++ if(lhs.range_extension != rhs.range_extension) return false; > ++ } > ++ > ++ return true; > ++} > ++ > + de265_error decoder_context::read_sps_NAL(bitreader& reader) > + { > + logdebug(LogHeaders,"----> read SPS\n"); > +@@ -560,6 +817,22 @@ de265_error decoder_context::read_sps_NAL(bitreader& > reader) > + new_sps->dump(param_sps_headers_fd); > + } > + > ++ if ( sps[ new_sps->seq_parameter_set_id ] ) { > ++ auto old_sps = sps[ new_sps->seq_parameter_set_id ].get(); > ++ if ( *old_sps == *new_sps ) { > ++ // printf(" **** keeping sps *****\n"); > ++ // the new sps is identical to the old one, so no replacing > needed. > ++ // however, reference pics and long-term reference pics might > need updating. > ++ old_sps->ref_pic_sets = new_sps->ref_pic_sets; > ++ old_sps->long_term_ref_pics_present_flag = > new_sps->long_term_ref_pics_present_flag; > ++ memcpy(old_sps->lt_ref_pic_poc_lsb_sps, > new_sps->lt_ref_pic_poc_lsb_sps, sizeof(old_sps->lt_ref_pic_poc_lsb_sps)); > ++ memcpy(old_sps->used_by_curr_pic_lt_sps_flag, > new_sps->used_by_curr_pic_lt_sps_flag, > sizeof(old_sps->used_by_curr_pic_lt_sps_flag)); > ++ return DE265_OK; > ++ } > ++ //printf(" **** replacing sps *****\n"); > ++ > ++ } > ++ > + sps[ new_sps->seq_parameter_set_id ] = new_sps; > + > + // Remove the all PPS that referenced the old SPS because parameters may > have changed and we do not want to > +diff --git a/libde265/sps.cc b/libde265/sps.cc > +index f1c28255..31ce9470 100644 > +--- a/libde265/sps.cc > ++++ b/libde265/sps.cc > +@@ -287,6 +287,11 @@ de265_error seq_parameter_set::read(error_queue* > errqueue, bitreader* br) > + int firstLayer = (sps_sub_layer_ordering_info_present_flag ? > + 0 : sps_max_sub_layers-1 ); > + > ++ // zero out so that comparing is easier. > ++ memset(sps_max_dec_pic_buffering, 0 , sizeof(sps_max_dec_pic_buffering)); > ++ memset(sps_max_num_reorder_pics, 0 , sizeof(sps_max_num_reorder_pics)); > ++ memset(sps_max_latency_increase_plus1, 0 , > sizeof(sps_max_latency_increase_plus1)); > ++ > + for (int i=firstLayer ; i <= sps_max_sub_layers-1; i++ ) { > + > + // sps_max_dec_pic_buffering[i] > +@@ -347,6 +352,7 @@ de265_error seq_parameter_set::read(error_queue* > errqueue, bitreader* br) > + if (sps_scaling_list_data_present_flag) { > + > + de265_error err; > ++ memset(&scaling_list, 0 , sizeof(scaling_list)); // zero out, so > that memcmp will do it to check for equality. > + if ((err=read_scaling_list(br,this, &scaling_list, false)) != > DE265_OK) { > + return err; > + } > diff -Nru > libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch > libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch > --- > libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch > 2023-01-21 16:25:57.000000000 +0100 > @@ -0,0 +1,54 @@ > +Description: Try to mitigate asan failures by rejecting reference pictures > not created with the same sps. > + The reference images might have different parameters (size, pixel depth, > etc) and so different memory allocations, > + leading to out of bound memory reads and writes. > +Origin: https://github.com/strukturag/libde265/pull/365 > +Comment: Analysis of issue > https://github.com/strukturag/libde265/issues/345#issuecomment-1346406079 > +From 97dd15303085eae2695a511717bf3239e209df96 Mon Sep 17 00:00:00 2001 > +From: Tobias Frost <t...@debian.org> > +Date: Mon, 12 Dec 2022 14:03:12 +0100 > +Subject: [PATCH] Try to mitigate asan failures. > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +See #345 for my analysis and details… > + > +(This PR is just for discussion.) > + > +(The CVE references are obtained from the Debian security tracker, > +which links the issues.) > + > +This makes the following POCs stop failing: > + > +- poc3 (#337) > +- poc7-1 (#341) CVE-2022-43239 (note: does NOT fix poc7-2) > +- poc8-2, poc8-3, poc8-4 (#342) CVE-2022-43244 (note: does NOT fix poc8-1) > +- poc11-1, poc11-2 (#345) CVE-2022-43249 > +- poc12 (#346) > +- poc13 (#347) CVE-2022-43252 > +- poc16 (#350) > +--- > + libde265/motion.cc | 10 ++++++++++ > + 1 file changed, 10 insertions(+) > + > +diff --git a/libde265/motion.cc b/libde265/motion.cc > +index 8bbfbde0..1d20bcd3 100644 > +--- a/libde265/motion.cc > ++++ b/libde265/motion.cc > +@@ -348,6 +348,16 @@ void generate_inter_prediction_samples(base_context* > ctx, > + > + logtrace(LogMotion, "refIdx: %d -> dpb[%d]\n", vi->refIdx[l], > shdr->RefPicList[l][vi->refIdx[l]]); > + > ++ if (refPic) { > ++ auto nonconst_refPic = const_cast<de265_image*>(refPic); /* > shared_ptr.get() chokes on const.*/ > ++ auto refsps = nonconst_refPic->get_shared_sps().get(); > ++ auto imgsps = img->get_shared_sps().get(); > ++ if(refsps != imgsps) { > ++ // rejecting reference image created with different sps. > ++ refPic = nullptr; > ++ } > ++ } > ++ > + if (!refPic || refPic->PicState == UnusedForReference) { > + img->integrity = INTEGRITY_DECODING_ERRORS; > + > ctx->add_warning(DE265_WARNING_NONEXISTING_REFERENCE_PICTURE_ACCESSED, false); > diff -Nru libde265-1.0.9/debian/patches/series > libde265-1.0.9/debian/patches/series > --- libde265-1.0.9/debian/patches/series 2022-10-25 10:15:37.000000000 > +0200 > +++ libde265-1.0.9/debian/patches/series 2023-01-21 17:19:52.000000000 > +0100 > @@ -1,3 +1,6 @@ > only_export_decoder_api.patch > disable_tools.patch > m4-visibility.patch > +reject_reference_pics_from_different_sps.patch > +use_sps_from_the_image.patch > +recycle_sps_if_possible.patch > diff -Nru libde265-1.0.9/debian/patches/use_sps_from_the_image.patch > libde265-1.0.9/debian/patches/use_sps_from_the_image.patch > --- libde265-1.0.9/debian/patches/use_sps_from_the_image.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ libde265-1.0.9/debian/patches/use_sps_from_the_image.patch > 2023-01-21 16:37:03.000000000 +0100 > @@ -0,0 +1,62 @@ > +Description: Use sps of the image, not the sps of the pic parameter set (pps) > + When decoding a slice, all decoding functions are using the sps of the > target > + image to determine the image properties, which are in the seqquence > parameter > + set) -- execpt generate_inter_prediction_samples(), which uses the sps from > the > + pps, which might have different properties and trick the decode to > out-of-bound > + memory accesses, leading to crashes. > +Origin: https://github.com/strukturag/libde265/pull/366 > +From 36391cda3d4e4fb3269a2ce310e6e0f634729f0b Mon Sep 17 00:00:00 2001 > +From: Tobias Frost <t...@debian.org> > +Date: Mon, 12 Dec 2022 14:33:40 +0100 > +Subject: [PATCH] Use the sps from the image > + > +(as e.g mc_chroma is using the sps to determine > +picture properties, like pic_width_in_luma_samples > +and pic_height_in_luma_samples, I *think* this is > +more correct. > + > +This PR is for discussion. (See #345.) > +It makes the failures go away, but that does not mean it's correct :) > + > +The following poc will be stop failing if (only) this > +patch is applied: > + > + - poc2 #336 - CVE-2022-43238 > + - poc4 #338 - CVE-2022-43241 > + - poc6-1, poc6-2 #340 - CVE-2022-43242 > + - poc7-1, poc7-2 #341 - CVE-2022-43239 > + - poc8-1 #342 - CVE-2022-43244 > + - poc9-3 #343 - CVE-2022-43236 > + - poc10-2, poc10-3 #344 - CVE-2022-43237 > + - poc16 #350 > + - poc19 #353 > + > +The following are still failing if only this patch is > +applied, but they stop failing if #365 is applied as well, but will > +still fail with ONLY #365 applied (IOW, both are needed) > + > + - poc1 #335 - CVE-2022-43240 > + - poc3 #337 - CVE-2022-43235 > + - poc5 #339 - CVE-2022-43423 > + - poc9-1,poc9-2, poc9-4 #343 - CVE-2022-43236 > + - poc14 #348 - CVE-2022-43253 > + - poc15 #349 - CVE-2022-43248 > + - poc17-1, poc17-2 #351 > + - poc18 #352 - CVE-2022-43245 > +--- > + libde265/motion.cc | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/libde265/motion.cc b/libde265/motion.cc > +index 8bbfbde0..89d5a167 100644 > +--- a/libde265/motion.cc > ++++ b/libde265/motion.cc > +@@ -290,7 +290,7 @@ void generate_inter_prediction_samples(base_context* ctx, > + int stride[3]; > + > + const pic_parameter_set* pps = shdr->pps.get(); > +- const seq_parameter_set* sps = pps->sps.get(); > ++ const seq_parameter_set* sps = img->get_shared_sps().get(); > + > + const int SubWidthC = sps->SubWidthC; > + const int SubHeightC = sps->SubHeightC; -- Sebastian Ramacher
