From 5463f0e09768ca90aa8c58357c1f4c645db580db Mon Sep 17 00:00:00 2001 From: Seungha Yang Date: Sat, 15 Mar 2025 22:39:44 +0900 Subject: [PATCH 1/2] h265parser: Fix max_dec_pic_buffering_minus1 bound check Allowed max value is MaxDpbSize - 1 Part-of: Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/5463f0e09768ca90aa8c58357c1f4c645db580db] CVE: CVE-2025-3887 Signed-off-by: Vijay Anusuri --- gst-libs/gst/codecparsers/gsth265parser.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c index 3db1c38..d02e32d 100644 --- a/gst-libs/gst/codecparsers/gsth265parser.c +++ b/gst-libs/gst/codecparsers/gsth265parser.c @@ -72,6 +72,8 @@ #include #include +#define MAX_DPB_SIZE 16 + #ifndef GST_DISABLE_GST_DEBUG #define GST_CAT_DEFAULT gst_h265_debug_category_get() static GstDebugCategory * @@ -1686,7 +1688,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps) for (i = (vps->sub_layer_ordering_info_present_flag ? 0 : vps->max_sub_layers_minus1); i <= vps->max_sub_layers_minus1; i++) { - READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], G_MAXUINT32 - 1); + READ_UE_MAX (&nr, vps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1); READ_UE_MAX (&nr, vps->max_num_reorder_pics[i], vps->max_dec_pic_buffering_minus1[i]); READ_UE_MAX (&nr, vps->max_latency_increase_plus1[i], G_MAXUINT32 - 1); @@ -1882,7 +1884,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu, for (i = (sps->sub_layer_ordering_info_present_flag ? 0 : sps->max_sub_layers_minus1); i <= sps->max_sub_layers_minus1; i++) { - READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], 16); + READ_UE_MAX (&nr, sps->max_dec_pic_buffering_minus1[i], MAX_DPB_SIZE - 1); READ_UE_MAX (&nr, sps->max_num_reorder_pics[i], sps->max_dec_pic_buffering_minus1[i]); READ_UE_MAX (&nr, sps->max_latency_increase_plus1[i], G_MAXUINT32 - 1); -- 2.25.1
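Review bot: The new `MAX_DPB_SIZE` define in the first hunk carries no comment saying where 16 comes from or what the limit protects. Going by the commit message it stands for MaxDpbSize, and 16 looks like the largest value any level can yield rather than the level-specific limit of the stream being parsed. That would make the check a hard safety cap, not a conformance check. I would put `/* Largest MaxDpbSize any level allows (H.265 Annex A); hard cap for max_dec_pic_buffering_minus1 + 1, not the per-level limit */` above the define.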
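Review bot: Nothing in the patch pins the new limit with a test: the diffstat lists only gsth265parser.c, yet the bound changes in both `gst_h265_parse_vps` (this hunk, previously `G_MAXUINT32 - 1`) and `gst_h265_parse_sps` (the next hunk, previously `16`). Because the SPS limit was off by one before, a parser test would keep the boundary from regressing. It should check that a VPS and an SPS with `max_dec_pic_buffering_minus1[i]` equal to `MAX_DPB_SIZE - 1` still parse, and that a value of `MAX_DPB_SIZE` makes both functions fail. Both functions start and end outside their hunks, so the path `READ_UE_MAX` takes on an out-of-range value is not visible here. It should be confirmed that this path rejects the whole parameter set.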
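Review bot: The three `READ_UE_MAX` reads in this SPS loop duplicate the ones in `gst_h265_parse_vps`, and before this commit the two copies had already drifted to different limits (`16` here, `G_MAXUINT32 - 1` there). Keeping the limit in one place would stop that from happening again. One option is a small wrapper next to the define, `#define READ_DPB_SIZE_MINUS1(nr, val) READ_UE_MAX (nr, val, MAX_DPB_SIZE - 1)`, used at both call sites. `gst_h265_parse_sps` begins and ends outside the hunk, so any other use of the field in that function is not covered by this note.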