Bug#1029401: libde265: diff for NMU version 1.0.9-1.1

To: submit@bugs.debian.org
Subject: Bug#1029401: libde265: diff for NMU version 1.0.9-1.1
From: Tobias Frost <tobi@debian.org>
Date: Sun, 22 Jan 2023 13:30:00 +0100
Message-id: <[🔎] Y80sSJfDHlEOHUqh@isildor.loewenhoehle.ip>
Reply-to: Tobias Frost <tobi@debian.org>, 1029401@bugs.debian.org

Package: libde265
Version: 1.0.9-1
Severity: normal
Tags: patch  pending


Dear maintainer,

I've prepared an NMU for libde265 (versioned as 1.0.9-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

diff -Nru libde265-1.0.9/debian/changelog libde265-1.0.9/debian/changelog
--- libde265-1.0.9/debian/changelog	2022-10-25 10:15:37.000000000 +0200
+++ libde265-1.0.9/debian/changelog	2023-01-22 13:19:20.000000000 +0100
@@ -1,7 +1,35 @@
+libde265 (1.0.9-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Apply patches to mitigate asan failures:
+    reject_reference_pics_from_different_sps.patch and
+    use_sps_from_the_image.patch.
+  * Combined, this two patches fixes:
+    - CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #1025816)
+    - CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238,
+      CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242,
+      CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #1027179)
+    - CVE-2022-47655
+  * Additional patch recycle_sps_if_possible.patch to avoid over-rejecting
+    valid video streams due to reject_reference_pics_from_different_sps.patch.
+  * Modifying past changelog entries to indicate when vulnerabilities were
+    fixed:
+    - In 1.0.9-1, in total 11 CVE's. see #1004963 and #1014999
+    - In 1.0.3-1, 1 CVE, see #1029396
+  * drop unused Build-Depends: libjpeg-dev, libpng-dev and libxv-dev
+    (Closes: #981260)
+
+ -- Tobias Frost <tobi@debian.org>  Sun, 22 Jan 2023 13:19:20 +0100
+
 libde265 (1.0.9-1) unstable; urgency=medium
 
   * Add "Rules-Requires-Root: no".
-  * New upstream version 1.0.9
+  * New upstream version 1.0.9.
+    Bisecting shows that this version fixed this CVES:
+     - CVE-2020-21598, CVE-2020-21600, CVE-2020-21602 (Closes: #1004963)
+     - CVE-2020-21595, CVE-2020-21597, CVE-2020-21599, CVE-2020-21601,
+       CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606
+       (Closes: #1014999)
   * Remove patches now part of upstream release.
   * Bump "Standards-Version" to 4.6.1
   * Add patch to provide "gl_VISIBILITY" macro.
@@ -78,6 +106,7 @@
 
   [ Joachim Bauch ]
   * Imported Upstream version 1.0.3
+    This version fixes CVE-2020-21594. (Closes: #1029396)
   * Update patches for new upstream version.
   * Update symbols for new upstream version.
   * Update standards version and switch to debhelper 10.
diff -Nru libde265-1.0.9/debian/control libde265-1.0.9/debian/control
--- libde265-1.0.9/debian/control	2022-10-25 10:15:37.000000000 +0200
+++ libde265-1.0.9/debian/control	2023-01-22 13:04:40.000000000 +0100
@@ -7,14 +7,11 @@
  Joachim Bauch <bauch@struktur.de>
 Build-Depends:
  debhelper-compat (= 13),
- libjpeg-dev,
- libpng-dev,
  qtbase5-dev | libqt4-dev,
  libsdl-dev,
  libswscale-dev,
  libx11-dev,
  libxext-dev,
- libxv-dev,
  pkg-config
 Rules-Requires-Root: no
 Standards-Version: 4.6.1
diff -Nru libde265-1.0.9/debian/.gitlab-ci.yml libde265-1.0.9/debian/.gitlab-ci.yml
--- libde265-1.0.9/debian/.gitlab-ci.yml	1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.9/debian/.gitlab-ci.yml	2023-01-21 18:01:58.000000000 +0100
@@ -0,0 +1,3 @@
+include:
+  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml
+
diff -Nru libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch
--- libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch	1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch	2023-01-22 13:19:20.000000000 +0100
@@ -0,0 +1,340 @@
+Description: Don't update sps if they are only repeated
+Origin: https://github.com/strukturag/libde265/pull/372
+From 51f07f132f29832e025a8b913b61cbd20257c5fc Mon Sep 17 00:00:00 2001
+From: Tobias Frost <tobi@debian.org>
+Date: Fri, 13 Jan 2023 12:22:45 +0100
+Subject: [PATCH] Don't update sps if they are only repeated
+
+This is an attempt to improve the mitigations from #365 and #366 and picks up an idea I described at #345:
+
+> One way would be just to look at the pointers of the SPS (fast and easy, but
+> may reject more than required), or investigate if the SPS used for the image
+> generations are "compatible".
+
+This changes do exactly this: It (very conservativly) checks if the old and new sps have
+identical information -- except the reference picture set, which I believe is supposed
+to be updated by new sps'). If they are basically identical, the old sps will be
+used instead of the new one, (of course, reference image set is updated from the new one)
+
+I'm using standalone operator== and helper functions to avoid changing ABI of the library;
+if an ABI bump would be done, of course this should go to the respective classes.
+---
+ libde265/decctx.cc | 273 +++++++++++++++++++++++++++++++++++++++++++++
+ libde265/sps.cc    |   6 +
+ 2 files changed, 279 insertions(+)
+
+diff --git a/libde265/decctx.cc b/libde265/decctx.cc
+index 6701725f..0000b25d 100644
+--- a/libde265/decctx.cc
++++ b/libde265/decctx.cc
+@@ -545,6 +545,263 @@ de265_error decoder_context::read_vps_NAL(bitreader& reader)
+   return DE265_OK;
+ }
+ 
++// implemented as freestanding functions to avoid changing API
++
++bool operator==(const profile_data &lhs, const profile_data &rhs) {
++	if(&lhs == &rhs) return true;
++	if(lhs.profile_present_flag != rhs.profile_present_flag ) return false;
++	if(lhs.profile_present_flag) {
++		if(lhs.profile_space != rhs.profile_space ) return false;
++		if(lhs.tier_flag != rhs.tier_flag ) return false;
++		if(lhs.profile_idc != rhs.profile_idc ) return false;
++
++		if(memcmp(lhs.profile_compatibility_flag, rhs.profile_compatibility_flag, sizeof(rhs.profile_compatibility_flag)) ) return false;
++
++		if(lhs.progressive_source_flag != rhs.progressive_source_flag ) return false;
++		if(lhs.interlaced_source_flag != rhs.interlaced_source_flag ) return false;
++		if(lhs.non_packed_constraint_flag != rhs.non_packed_constraint_flag ) return false;
++		if(lhs.frame_only_constraint_flag != rhs.frame_only_constraint_flag ) return false;
++	}
++
++	if(lhs.level_present_flag != rhs.level_present_flag) return false;
++	if(lhs.level_present_flag && lhs.level_idc != rhs.level_idc ) return false;
++
++	return true;
++}
++
++bool operator!=(const profile_data &lhs, const profile_data &rhs) {
++	if(&lhs == &rhs) return false;
++	return (!(lhs==rhs));
++}
++
++// class does not store max_sub_layers, so operator == cannot be done.
++bool isEqual(const profile_tier_level &lhs , const profile_tier_level &rhs,  int sps_max_sub_layers ) {
++	if(&lhs == &rhs) return true;
++
++	if(lhs.general != rhs.general ) return false;
++	for(int i = 0 ; i < sps_max_sub_layers; i++ ) {
++		if(lhs.sub_layer[i] != rhs.sub_layer[i]) return false;
++	}
++	return true;
++}
++
++bool isEqual(const video_usability_information &lhs, const video_usability_information &rhs, const seq_parameter_set &sps) {
++	if(&lhs == &rhs) return true;
++
++	// not seen yet if(lhs.nal_hrd_parameters_present_flag != rhs.nal_hrd_parameters_present_flag ) return false;
++
++	// populated by video_usability_information::read()
++	if(lhs.aspect_ratio_info_present_flag != rhs.aspect_ratio_info_present_flag ) return false;
++	if(lhs.aspect_ratio_info_present_flag) {
++		if(lhs.sar_width != rhs.sar_width ) return false;
++		if(lhs.sar_height != rhs.sar_height ) return false;
++	}
++
++	if(lhs.overscan_info_present_flag != rhs.overscan_info_present_flag ) return false;
++	if(lhs.overscan_info_present_flag) {
++		if(lhs.overscan_appropriate_flag != rhs.overscan_appropriate_flag ) return false;
++	}
++
++	if(lhs.video_signal_type_present_flag != rhs.video_signal_type_present_flag ) return false;
++	if(lhs.video_signal_type_present_flag) {
++		if(lhs.video_format != rhs.video_format ) return false;
++		if(lhs.video_full_range_flag != rhs.video_full_range_flag) return false;
++		if(lhs.colour_description_present_flag != rhs.colour_description_present_flag) return false;
++		if(lhs.colour_primaries != rhs.colour_primaries ) return false;
++		if(lhs.transfer_characteristics != rhs.transfer_characteristics ) return false;
++		if(lhs.matrix_coeffs != rhs.matrix_coeffs ) return false;
++	}
++
++	if(lhs.chroma_loc_info_present_flag != rhs.chroma_loc_info_present_flag ) return false;
++	if(lhs.chroma_loc_info_present_flag) {
++		if(lhs.chroma_sample_loc_type_top_field != rhs.chroma_sample_loc_type_top_field ) return false;
++		if(lhs.chroma_sample_loc_type_bottom_field != rhs.chroma_sample_loc_type_bottom_field ) return false;
++	}
++	if(lhs.neutral_chroma_indication_flag != rhs.neutral_chroma_indication_flag ) return false;
++	if(lhs.field_seq_flag != rhs.field_seq_flag ) return false;
++	if(lhs.frame_field_info_present_flag != rhs.frame_field_info_present_flag ) return false;
++
++	if(lhs.default_display_window_flag != rhs.default_display_window_flag ) return false;
++	if(lhs.default_display_window_flag) {
++		if(lhs.def_disp_win_left_offset != rhs.def_disp_win_left_offset ) return false;
++		if(lhs.def_disp_win_right_offset != rhs.def_disp_win_right_offset ) return false;
++		if(lhs.def_disp_win_top_offset != rhs.def_disp_win_top_offset ) return false;
++		if(lhs.def_disp_win_bottom_offset != rhs.def_disp_win_bottom_offset ) return false;
++	}
++
++	if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag ) return false;
++	if(lhs.vui_timing_info_present_flag) {
++		if(lhs.vui_num_units_in_tick != rhs.vui_num_units_in_tick ) return false;
++		if(lhs.vui_time_scale != rhs.vui_time_scale ) return false;
++		if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag ) return false;
++		if(lhs.vui_timing_info_present_flag) {
++			if(lhs.vui_num_ticks_poc_diff_one != rhs.vui_num_ticks_poc_diff_one ) return false;
++		}
++	}
++
++	if(lhs.vui_hrd_parameters_present_flag != rhs.vui_hrd_parameters_present_flag ) return false;
++
++
++	if(lhs.vui_hrd_parameters_present_flag) {
++		// check things made by hrd_parametes
++
++		if(lhs.vui_hrd_parameters_present_flag != rhs.vui_hrd_parameters_present_flag ) return false;
++		if(lhs.vcl_hrd_parameters_present_flag != rhs.vcl_hrd_parameters_present_flag ) return false;
++
++		if(lhs.nal_hrd_parameters_present_flag || lhs.vcl_hrd_parameters_present_flag) {
++			if(lhs.sub_pic_hrd_params_present_flag != rhs.sub_pic_hrd_params_present_flag ) return false;
++			if(lhs.sub_pic_hrd_params_present_flag) {
++				if(lhs.tick_divisor_minus2 != rhs.tick_divisor_minus2 ) return false;
++				if(lhs.du_cpb_removal_delay_increment_length_minus1 != rhs.du_cpb_removal_delay_increment_length_minus1 ) return false;
++				if(lhs.sub_pic_cpb_params_in_pic_timing_sei_flag != rhs.sub_pic_cpb_params_in_pic_timing_sei_flag ) return false;
++				if(lhs.dpb_output_delay_du_length_minus1 != rhs.dpb_output_delay_du_length_minus1 ) return false;
++			}
++			if(lhs.bit_rate_scale != rhs.bit_rate_scale ) return false;
++			if(lhs.cpb_size_scale != rhs.cpb_size_scale ) return false;
++			if(lhs.sub_pic_hrd_params_present_flag) {
++				if(lhs.cpb_size_du_scale != rhs.cpb_size_du_scale ) return false;
++			}
++			if(lhs.initial_cpb_removal_delay_length_minus1 != rhs.initial_cpb_removal_delay_length_minus1 ) return false;
++			if(lhs.au_cpb_removal_delay_length_minus1 != rhs.au_cpb_removal_delay_length_minus1 ) return false;
++			if(lhs.dpb_output_delay_length_minus1 != rhs.dpb_output_delay_length_minus1 ) return false;
++		}
++
++		int  i;
++		unsigned int  j, nalOrVcl;
++
++		for (i = 0; i < sps.sps_max_sub_layers; i++) {
++			if(lhs.fixed_pic_rate_general_flag[i] != rhs.fixed_pic_rate_general_flag[i] ) return false;
++			if(lhs.fixed_pic_rate_general_flag[i]) {
++				if(lhs.elemental_duration_in_tc_minus1[i] != rhs.elemental_duration_in_tc_minus1[i] ) return false;
++			}
++			if(lhs.low_delay_hrd_flag[i] != rhs.low_delay_hrd_flag[i] ) return false;
++			if(lhs.cpb_cnt_minus1[i] != rhs.cpb_cnt_minus1[i] ) return false;
++
++			for (nalOrVcl = 0; nalOrVcl < 2; nalOrVcl++) {
++				if (((nalOrVcl == 0) && lhs.nal_hrd_parameters_present_flag) || ((nalOrVcl == 1) && lhs.vcl_hrd_parameters_present_flag)) {
++					for (j = 0; j <= lhs.cpb_cnt_minus1[i]; j++) {
++						if(lhs.bit_rate_value_minus1[i][j][nalOrVcl] != rhs.bit_rate_value_minus1[i][j][nalOrVcl]) return false;
++						if(lhs.cpb_size_value_minus1[i][j][nalOrVcl] != rhs.cpb_size_value_minus1[i][j][nalOrVcl]) return false;
++
++						if (lhs.sub_pic_hrd_params_present_flag) {
++							if(lhs.cpb_size_du_value_minus1[i][j][nalOrVcl] != rhs.cpb_size_du_value_minus1[i][j][nalOrVcl]) return false;
++							if(lhs.bit_rate_du_value_minus1[i][j][nalOrVcl] != rhs.bit_rate_du_value_minus1[i][j][nalOrVcl]) return false;
++						}
++						if( lhs.cbr_flag[i][j][nalOrVcl] != rhs.cbr_flag[i][j][nalOrVcl]) return false;
++					}
++				}
++			}
++		}
++	}
++	return true;
++}
++
++bool operator==(const sps_range_extension &lhs, const sps_range_extension &rhs) {
++	if(&lhs == &rhs) return true;
++    if(lhs.transform_skip_rotation_enabled_flag != rhs.transform_skip_rotation_enabled_flag ) return false;
++    if(lhs.transform_skip_context_enabled_flag != rhs.transform_skip_context_enabled_flag ) return false;
++    if(lhs.implicit_rdpcm_enabled_flag != rhs.implicit_rdpcm_enabled_flag ) return false;
++    if(lhs.explicit_rdpcm_enabled_flag != rhs.explicit_rdpcm_enabled_flag ) return false;
++    if(lhs.extended_precision_processing_flag != rhs.extended_precision_processing_flag ) return false;
++    if(lhs.intra_smoothing_disabled_flag != rhs.intra_smoothing_disabled_flag ) return false;
++    if(lhs.high_precision_offsets_enabled_flag != rhs.high_precision_offsets_enabled_flag ) return false;
++    if(lhs.persistent_rice_adaptation_enabled_flag != rhs.persistent_rice_adaptation_enabled_flag ) return false;
++    if(lhs.cabac_bypass_alignment_enabled_flag != rhs.cabac_bypass_alignment_enabled_flag ) return false;
++	return true;
++}
++
++bool operator!=(const sps_range_extension &lhs, const sps_range_extension &rhs) {
++	if(&lhs == &rhs) return false;
++	return !(lhs==rhs);
++}
++
++
++bool operator==(const seq_parameter_set &lhs, const seq_parameter_set &rhs) {
++
++	if(&lhs== &rhs) return true;
++
++	if(lhs.sps_read != rhs.sps_read) return false;
++
++	if(lhs.video_parameter_set_id != rhs.video_parameter_set_id) return false;
++	if(lhs.sps_max_sub_layers != rhs.sps_max_sub_layers) return false;
++	if(lhs.sps_temporal_id_nesting_flag != rhs.sps_temporal_id_nesting_flag) return false;
++
++	if(!isEqual(lhs.profile_tier_level_, rhs.profile_tier_level_, lhs.sps_max_sub_layers)) return false;
++
++	if(lhs.seq_parameter_set_id != rhs.seq_parameter_set_id) return false;
++	if(lhs.chroma_format_idc != rhs.chroma_format_idc) return false;
++
++	if(lhs.separate_colour_plane_flag != rhs.separate_colour_plane_flag) return false;
++	if(lhs.pic_width_in_luma_samples != rhs.pic_width_in_luma_samples) return false;
++	if(lhs.pic_height_in_luma_samples != rhs.pic_height_in_luma_samples) return false;
++	if(lhs.conformance_window_flag != rhs.conformance_window_flag) return false;
++
++	if(lhs.conformance_window_flag) {
++		if(lhs.conf_win_left_offset != rhs.conf_win_left_offset) return false;
++		if(lhs.conf_win_right_offset != rhs.conf_win_right_offset) return false;
++		if(lhs.conf_win_top_offset != rhs.conf_win_top_offset) return false;
++		if(lhs.conf_win_bottom_offset != rhs.conf_win_bottom_offset) return false;
++	}
++
++	if(lhs.bit_depth_luma != rhs.bit_depth_luma) return false;
++	if(lhs.bit_depth_chroma != rhs.bit_depth_chroma) return false;
++
++	if(lhs.log2_max_pic_order_cnt_lsb != rhs.log2_max_pic_order_cnt_lsb) return false;
++	if(lhs.sps_sub_layer_ordering_info_present_flag != rhs.sps_sub_layer_ordering_info_present_flag) return false;
++
++	if(memcmp(lhs.sps_max_dec_pic_buffering, rhs.sps_max_dec_pic_buffering, sizeof(rhs.sps_max_dec_pic_buffering))) return false;
++	if(memcmp(lhs.sps_max_num_reorder_pics, rhs.sps_max_num_reorder_pics,  sizeof(rhs.sps_max_num_reorder_pics))) return false;
++	if(memcmp(lhs.sps_max_latency_increase_plus1, rhs.sps_max_latency_increase_plus1,  sizeof(rhs.sps_max_latency_increase_plus1))) return false;
++
++	if(lhs.log2_min_luma_coding_block_size != rhs.log2_min_luma_coding_block_size) return false;
++	if(lhs.log2_diff_max_min_luma_coding_block_size != rhs.log2_diff_max_min_luma_coding_block_size) return false;
++	if(lhs.log2_min_transform_block_size != rhs.log2_min_transform_block_size) return false;
++	if(lhs.log2_diff_max_min_transform_block_size != rhs.log2_diff_max_min_transform_block_size) return false;
++	if(lhs.max_transform_hierarchy_depth_inter != rhs.max_transform_hierarchy_depth_inter) return false;
++	if(lhs.max_transform_hierarchy_depth_intra != rhs.max_transform_hierarchy_depth_intra) return false;
++
++	if(lhs.scaling_list_enable_flag != rhs.scaling_list_enable_flag) return false;
++	if(lhs.scaling_list_enable_flag) {
++		if(lhs.sps_scaling_list_data_present_flag != rhs.sps_scaling_list_data_present_flag) return false;
++		if(lhs.sps_scaling_list_data_present_flag) {
++			// compare only needed if present, otherwise it is the default scaling list.
++			if(memcmp(&lhs.scaling_list, &rhs.scaling_list, sizeof(rhs.scaling_list))) return false;
++		}
++	}
++
++	if(lhs.amp_enabled_flag != rhs.amp_enabled_flag) return false;
++	if(lhs.sample_adaptive_offset_enabled_flag != rhs.sample_adaptive_offset_enabled_flag) return false;
++	if(lhs.pcm_enabled_flag != rhs.pcm_enabled_flag) return false;
++
++	if(lhs.pcm_enabled_flag) {
++		if(lhs.pcm_sample_bit_depth_luma != rhs.pcm_sample_bit_depth_luma) return false;
++		if(lhs.pcm_sample_bit_depth_chroma != rhs.pcm_sample_bit_depth_chroma) return false;
++		if(lhs.log2_min_pcm_luma_coding_block_size != rhs.log2_min_pcm_luma_coding_block_size) return false;
++		if(lhs.log2_diff_max_min_pcm_luma_coding_block_size != rhs.log2_diff_max_min_pcm_luma_coding_block_size) return false;
++		if(lhs.pcm_loop_filter_disable_flag != rhs.pcm_loop_filter_disable_flag) return false;
++	}
++
++	// (longterm) reference pics likely to change with a new sps, so ignored here.
++
++	if(lhs.sps_temporal_mvp_enabled_flag != rhs.sps_temporal_mvp_enabled_flag) return false;
++	if(lhs.strong_intra_smoothing_enable_flag != rhs.strong_intra_smoothing_enable_flag) return false;
++
++	if(lhs.vui_parameters_present_flag != rhs.vui_parameters_present_flag) return false;
++	if(lhs.vui_parameters_present_flag) {
++		if(!isEqual(lhs.vui, rhs.vui, lhs )) return false;
++	}
++
++	if(lhs.sps_extension_present_flag != rhs.sps_extension_present_flag ) return false;
++	if(lhs.sps_extension_present_flag) {
++		if(lhs.sps_range_extension_flag != rhs.sps_range_extension_flag ) return false;
++		if(lhs.sps_multilayer_extension_flag != rhs.sps_multilayer_extension_flag ) return false;
++		if(lhs.sps_extension_6bits != rhs.sps_extension_6bits ) return false;
++		if(lhs.range_extension != rhs.range_extension) return false;
++	}
++
++	return true;
++}
++
+ de265_error decoder_context::read_sps_NAL(bitreader& reader)
+ {
+   logdebug(LogHeaders,"----> read SPS\n");
+@@ -560,6 +817,22 @@ de265_error decoder_context::read_sps_NAL(bitreader& reader)
+     new_sps->dump(param_sps_headers_fd);
+   }
+ 
++  if ( sps[ new_sps->seq_parameter_set_id ] ) {
++	  auto old_sps = sps[ new_sps->seq_parameter_set_id ].get();
++	  if ( *old_sps == *new_sps ) {
++		  // printf(" **** keeping sps *****\n");
++		  // the new sps is identical to the old one, so no replacing needed.
++		  // however, reference pics and long-term reference pics might need updating.
++		  old_sps->ref_pic_sets = new_sps->ref_pic_sets;
++		  old_sps->long_term_ref_pics_present_flag = new_sps->long_term_ref_pics_present_flag;
++		  memcpy(old_sps->lt_ref_pic_poc_lsb_sps, new_sps->lt_ref_pic_poc_lsb_sps,  sizeof(old_sps->lt_ref_pic_poc_lsb_sps));
++		  memcpy(old_sps->used_by_curr_pic_lt_sps_flag, new_sps->used_by_curr_pic_lt_sps_flag,  sizeof(old_sps->used_by_curr_pic_lt_sps_flag));
++		  return DE265_OK;
++	  }
++	  //printf(" **** replacing sps *****\n");
++
++  }
++
+   sps[ new_sps->seq_parameter_set_id ] = new_sps;
+ 
+   // Remove the all PPS that referenced the old SPS because parameters may have changed and we do not want to
+diff --git a/libde265/sps.cc b/libde265/sps.cc
+index f1c28255..31ce9470 100644
+--- a/libde265/sps.cc
++++ b/libde265/sps.cc
+@@ -287,6 +287,11 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br)
+   int firstLayer = (sps_sub_layer_ordering_info_present_flag ?
+                     0 : sps_max_sub_layers-1 );
+ 
++  // zero out so that comparing is easier.
++  memset(sps_max_dec_pic_buffering, 0 , sizeof(sps_max_dec_pic_buffering));
++  memset(sps_max_num_reorder_pics, 0 , sizeof(sps_max_num_reorder_pics));
++  memset(sps_max_latency_increase_plus1, 0 , sizeof(sps_max_latency_increase_plus1));
++
+   for (int i=firstLayer ; i <= sps_max_sub_layers-1; i++ ) {
+ 
+     // sps_max_dec_pic_buffering[i]
+@@ -347,6 +352,7 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br)
+     if (sps_scaling_list_data_present_flag) {
+ 
+       de265_error err;
++      memset(&scaling_list, 0 , sizeof(scaling_list));  // zero out, so that memcmp will do it to check for equality.
+       if ((err=read_scaling_list(br,this, &scaling_list, false)) != DE265_OK) {
+         return err;
+       }
diff -Nru libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch
--- libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch	1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch	2023-01-21 16:25:57.000000000 +0100
@@ -0,0 +1,54 @@
+Description: Try to mitigate asan failures by rejecting reference pictures not created with the same sps.
+ The reference images might have different parameters (size, pixel depth, etc) and so different memory allocations,
+ leading to out of bound memory reads and writes.
+Origin: https://github.com/strukturag/libde265/pull/365
+Comment: Analysis of issue https://github.com/strukturag/libde265/issues/345#issuecomment-1346406079
+From 97dd15303085eae2695a511717bf3239e209df96 Mon Sep 17 00:00:00 2001
+From: Tobias Frost <tobi@debian.org>
+Date: Mon, 12 Dec 2022 14:03:12 +0100
+Subject: [PATCH] Try to mitigate asan failures.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+See #345 for my analysis and details…
+
+(This PR is just for discussion.)
+
+(The CVE references are obtained from the Debian security tracker,
+which links the issues.)
+
+This makes the following POCs stop failing:
+
+- poc3 (#337)
+- poc7-1 (#341) CVE-2022-43239 (note: does NOT fix poc7-2)
+- poc8-2, poc8-3, poc8-4 (#342) CVE-2022-43244   (note: does NOT fix poc8-1)
+- poc11-1, poc11-2 (#345) CVE-2022-43249
+- poc12 (#346)
+- poc13 (#347) CVE-2022-43252
+- poc16 (#350)
+---
+ libde265/motion.cc | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/libde265/motion.cc b/libde265/motion.cc
+index 8bbfbde0..1d20bcd3 100644
+--- a/libde265/motion.cc
++++ b/libde265/motion.cc
+@@ -348,6 +348,16 @@ void generate_inter_prediction_samples(base_context* ctx,
+ 
+       logtrace(LogMotion, "refIdx: %d -> dpb[%d]\n", vi->refIdx[l], shdr->RefPicList[l][vi->refIdx[l]]);
+ 
++      if (refPic) {
++          auto nonconst_refPic = const_cast<de265_image*>(refPic); /* shared_ptr.get() chokes on const.*/
++          auto refsps = nonconst_refPic->get_shared_sps().get();
++          auto imgsps = img->get_shared_sps().get();
++          if(refsps != imgsps) {
++              // rejecting reference image created with different sps.
++              refPic = nullptr;
++          }
++      }
++
+       if (!refPic || refPic->PicState == UnusedForReference) {
+         img->integrity = INTEGRITY_DECODING_ERRORS;
+         ctx->add_warning(DE265_WARNING_NONEXISTING_REFERENCE_PICTURE_ACCESSED, false);
diff -Nru libde265-1.0.9/debian/patches/series libde265-1.0.9/debian/patches/series
--- libde265-1.0.9/debian/patches/series	2022-10-25 10:15:37.000000000 +0200
+++ libde265-1.0.9/debian/patches/series	2023-01-21 17:19:52.000000000 +0100
@@ -1,3 +1,6 @@
 only_export_decoder_api.patch
 disable_tools.patch
 m4-visibility.patch
+reject_reference_pics_from_different_sps.patch
+use_sps_from_the_image.patch
+recycle_sps_if_possible.patch
diff -Nru libde265-1.0.9/debian/patches/use_sps_from_the_image.patch libde265-1.0.9/debian/patches/use_sps_from_the_image.patch
--- libde265-1.0.9/debian/patches/use_sps_from_the_image.patch	1970-01-01 01:00:00.000000000 +0100
+++ libde265-1.0.9/debian/patches/use_sps_from_the_image.patch	2023-01-21 16:37:03.000000000 +0100
@@ -0,0 +1,62 @@
+Description: Use sps of the image, not the sps of the pic parameter set (pps)
+ When decoding a slice, all decoding functions are using the sps of the target
+ image to determine the image properties, which are in the seqquence parameter
+ set) -- execpt generate_inter_prediction_samples(), which uses the sps from the
+ pps, which might have different properties and trick the decode to out-of-bound
+ memory accesses, leading to crashes.
+Origin: https://github.com/strukturag/libde265/pull/366
+From 36391cda3d4e4fb3269a2ce310e6e0f634729f0b Mon Sep 17 00:00:00 2001
+From: Tobias Frost <tobi@debian.org>
+Date: Mon, 12 Dec 2022 14:33:40 +0100
+Subject: [PATCH] Use the sps from the image
+
+(as e.g mc_chroma is using the sps to determine
+picture properties, like pic_width_in_luma_samples
+and pic_height_in_luma_samples, I *think* this is
+more correct.
+
+This PR is for discussion. (See #345.)
+It makes the failures go away, but that does not mean it's correct :)
+
+The following poc will be stop failing if (only) this
+patch is applied:
+
+ - poc2  #336 - CVE-2022-43238
+ - poc4  #338 - CVE-2022-43241
+ - poc6-1, poc6-2 #340 - CVE-2022-43242
+ - poc7-1, poc7-2  #341 - CVE-2022-43239
+ - poc8-1 #342 - CVE-2022-43244
+ - poc9-3 #343 - CVE-2022-43236
+ - poc10-2, poc10-3 #344 - CVE-2022-43237
+ - poc16 #350
+ - poc19 #353
+
+The following are still failing if only this patch is
+applied, but they stop failing if #365 is applied as well, but will
+still fail with ONLY #365 applied (IOW, both are needed)
+
+ - poc1  #335 - CVE-2022-43240
+ - poc3  #337 - CVE-2022-43235
+ - poc5   #339 - CVE-2022-43423
+ - poc9-1,poc9-2, poc9-4  #343 - CVE-2022-43236
+ - poc14  #348 - CVE-2022-43253
+ - poc15  #349 - CVE-2022-43248
+ - poc17-1, poc17-2  #351
+ - poc18 #352 - CVE-2022-43245
+---
+ libde265/motion.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libde265/motion.cc b/libde265/motion.cc
+index 8bbfbde0..89d5a167 100644
+--- a/libde265/motion.cc
++++ b/libde265/motion.cc
+@@ -290,7 +290,7 @@ void generate_inter_prediction_samples(base_context* ctx,
+   int    stride[3];
+ 
+   const pic_parameter_set* pps = shdr->pps.get();
+-  const seq_parameter_set* sps = pps->sps.get();
++  const seq_parameter_set* sps = img->get_shared_sps().get();
+ 
+   const int SubWidthC  = sps->SubWidthC;
+   const int SubHeightC = sps->SubHeightC;

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Bug#1029401: libde265: diff for NMU version 1.0.9-1.1
  - From: Sebastian Ramacher <sramacher@debian.org>
- Bug#1029401: marked as done (libde265: diff for NMU version 1.0.9-1.1)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: tagging 1029357
Next by Date: Bug#1029401: libde265: diff for NMU version 1.0.9-1.1
Previous by thread: Processed: tagging 1029357
Next by thread: Bug#1029401: libde265: diff for NMU version 1.0.9-1.1
Index(es):
- Date
- Thread