From fb6b1e565e19d948dada9270c9b7aa6b3c93700a Mon Sep 17 00:00:00 2001
From: CoprDistGit <infra@openeuler.org>
Date: Mon, 5 Aug 2024 02:22:27 +0000
Subject: automatic import of gstreamer1-plugins-bad-free

---
 ...Fix-possible-overflow-using-max_sub_layer.patch | 42 ++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch

(limited to '0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch')

diff --git a/0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch b/0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
new file mode 100644
index 0000000..fa91de3
--- /dev/null
+++ b/0004-h265parser-Fix-possible-overflow-using-max_sub_layer.patch
@@ -0,0 +1,42 @@
+From 6780451f22c87e926ebf60fe55e1a9e10517f6d1 Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Date: Wed, 9 Aug 2023 12:49:19 -0400
+Subject: [PATCH 4/4] h265parser: Fix possible overflow using
+ max_sub_layers_minus1
+
+This fixes a possible overflow that can be triggered by an invalid value of
+max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits,
+but the allowed range is 0 to 6 only.
+
+Fixes ZDI-CAN-21768, CVE-2023-40476
+
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
+---
+ .../gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c   | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
+index fe775a86cd..44b723737a 100644
+--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1845,6 +1845,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)
+ 
+   READ_UINT8 (&nr, vps->max_layers_minus1, 6);
+   READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
++  CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
+   READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);
+ 
+   /* skip reserved_0xffff_16bits */
+@@ -2015,6 +2016,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
+   READ_UINT8 (&nr, sps->vps_id, 4);
+ 
+   READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
++  CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
+   READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);
+ 
+   if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,
+-- 
+2.43.0
+
-- 
cgit v1.2.3