Your message dated Sun, 22 Jan 2023 15:05:06 +0100 with message-id <Y81CkqsOwlBTdYLl@ramacher.at> and subject line Re: Bug#1029401: libde265: diff for NMU version 1.0.9-1.1 has caused the Debian Bug report #1029401, regarding libde265: diff for NMU version 1.0.9-1.1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1029401: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029401 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: libde265: diff for NMU version 1.0.9-1.1
- From: Tobias Frost <tobi@debian.org>
- Date: Sun, 22 Jan 2023 13:30:00 +0100
- Message-id: <[🔎] Y80sSJfDHlEOHUqh@isildor.loewenhoehle.ip>
Package: libde265 Version: 1.0.9-1 Severity: normal Tags: patch pending Dear maintainer, I've prepared an NMU for libde265 (versioned as 1.0.9-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards.diff -Nru libde265-1.0.9/debian/changelog libde265-1.0.9/debian/changelog --- libde265-1.0.9/debian/changelog 2022-10-25 10:15:37.000000000 +0200 +++ libde265-1.0.9/debian/changelog 2023-01-22 13:19:20.000000000 +0100 @@ -1,7 +1,35 @@ +libde265 (1.0.9-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Apply patches to mitigate asan failures: + reject_reference_pics_from_different_sps.patch and + use_sps_from_the_image.patch. + * Combined, this two patches fixes: + - CVE-2022-43243, CVE-2022-43248, CVE-2022-43253 (Closes: #1025816) + - CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43238, + CVE-2022-43239, CVE-2022-43240, CVE-2022-43241, CVE-2022-43242, + CVE-2022-43244, CVE-2022-43250, CVE-2022-43252 (Closes: #1027179) + - CVE-2022-47655 + * Additional patch recycle_sps_if_possible.patch to avoid over-rejecting + valid video streams due to reject_reference_pics_from_different_sps.patch. + * Modifying past changelog entries to indicate when vulnerabilities were + fixed: + - In 1.0.9-1, in total 11 CVE's. see #1004963 and #1014999 + - In 1.0.3-1, 1 CVE, see #1029396 + * drop unused Build-Depends: libjpeg-dev, libpng-dev and libxv-dev + (Closes: #981260) + + -- Tobias Frost <tobi@debian.org> Sun, 22 Jan 2023 13:19:20 +0100 + libde265 (1.0.9-1) unstable; urgency=medium * Add "Rules-Requires-Root: no". - * New upstream version 1.0.9 + * New upstream version 1.0.9. + Bisecting shows that this version fixed this CVES: + - CVE-2020-21598, CVE-2020-21600, CVE-2020-21602 (Closes: #1004963) + - CVE-2020-21595, CVE-2020-21597, CVE-2020-21599, CVE-2020-21601, + CVE-2020-21603, CVE-2020-21604, CVE-2020-21605, CVE-2020-21606 + (Closes: #1014999) * Remove patches now part of upstream release. * Bump "Standards-Version" to 4.6.1 * Add patch to provide "gl_VISIBILITY" macro. @@ -78,6 +106,7 @@ [ Joachim Bauch ] * Imported Upstream version 1.0.3 + This version fixes CVE-2020-21594. (Closes: #1029396) * Update patches for new upstream version. * Update symbols for new upstream version. * Update standards version and switch to debhelper 10. diff -Nru libde265-1.0.9/debian/control libde265-1.0.9/debian/control --- libde265-1.0.9/debian/control 2022-10-25 10:15:37.000000000 +0200 +++ libde265-1.0.9/debian/control 2023-01-22 13:04:40.000000000 +0100 @@ -7,14 +7,11 @@ Joachim Bauch <bauch@struktur.de> Build-Depends: debhelper-compat (= 13), - libjpeg-dev, - libpng-dev, qtbase5-dev | libqt4-dev, libsdl-dev, libswscale-dev, libx11-dev, libxext-dev, - libxv-dev, pkg-config Rules-Requires-Root: no Standards-Version: 4.6.1 diff -Nru libde265-1.0.9/debian/.gitlab-ci.yml libde265-1.0.9/debian/.gitlab-ci.yml --- libde265-1.0.9/debian/.gitlab-ci.yml 1970-01-01 01:00:00.000000000 +0100 +++ libde265-1.0.9/debian/.gitlab-ci.yml 2023-01-21 18:01:58.000000000 +0100 @@ -0,0 +1,3 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + diff -Nru libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch --- libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch 1970-01-01 01:00:00.000000000 +0100 +++ libde265-1.0.9/debian/patches/recycle_sps_if_possible.patch 2023-01-22 13:19:20.000000000 +0100 @@ -0,0 +1,340 @@ +Description: Don't update sps if they are only repeated +Origin: https://github.com/strukturag/libde265/pull/372 +From 51f07f132f29832e025a8b913b61cbd20257c5fc Mon Sep 17 00:00:00 2001 +From: Tobias Frost <tobi@debian.org> +Date: Fri, 13 Jan 2023 12:22:45 +0100 +Subject: [PATCH] Don't update sps if they are only repeated + +This is an attempt to improve the mitigations from #365 and #366 and picks up an idea I described at #345: + +> One way would be just to look at the pointers of the SPS (fast and easy, but +> may reject more than required), or investigate if the SPS used for the image +> generations are "compatible". + +This changes do exactly this: It (very conservativly) checks if the old and new sps have +identical information -- except the reference picture set, which I believe is supposed +to be updated by new sps'). If they are basically identical, the old sps will be +used instead of the new one, (of course, reference image set is updated from the new one) + +I'm using standalone operator== and helper functions to avoid changing ABI of the library; +if an ABI bump would be done, of course this should go to the respective classes. +--- + libde265/decctx.cc | 273 +++++++++++++++++++++++++++++++++++++++++++++ + libde265/sps.cc | 6 + + 2 files changed, 279 insertions(+) + +diff --git a/libde265/decctx.cc b/libde265/decctx.cc +index 6701725f..0000b25d 100644 +--- a/libde265/decctx.cc ++++ b/libde265/decctx.cc +@@ -545,6 +545,263 @@ de265_error decoder_context::read_vps_NAL(bitreader& reader) + return DE265_OK; + } + ++// implemented as freestanding functions to avoid changing API ++ ++bool operator==(const profile_data &lhs, const profile_data &rhs) { ++ if(&lhs == &rhs) return true; ++ if(lhs.profile_present_flag != rhs.profile_present_flag ) return false; ++ if(lhs.profile_present_flag) { ++ if(lhs.profile_space != rhs.profile_space ) return false; ++ if(lhs.tier_flag != rhs.tier_flag ) return false; ++ if(lhs.profile_idc != rhs.profile_idc ) return false; ++ ++ if(memcmp(lhs.profile_compatibility_flag, rhs.profile_compatibility_flag, sizeof(rhs.profile_compatibility_flag)) ) return false; ++ ++ if(lhs.progressive_source_flag != rhs.progressive_source_flag ) return false; ++ if(lhs.interlaced_source_flag != rhs.interlaced_source_flag ) return false; ++ if(lhs.non_packed_constraint_flag != rhs.non_packed_constraint_flag ) return false; ++ if(lhs.frame_only_constraint_flag != rhs.frame_only_constraint_flag ) return false; ++ } ++ ++ if(lhs.level_present_flag != rhs.level_present_flag) return false; ++ if(lhs.level_present_flag && lhs.level_idc != rhs.level_idc ) return false; ++ ++ return true; ++} ++ ++bool operator!=(const profile_data &lhs, const profile_data &rhs) { ++ if(&lhs == &rhs) return false; ++ return (!(lhs==rhs)); ++} ++ ++// class does not store max_sub_layers, so operator == cannot be done. ++bool isEqual(const profile_tier_level &lhs , const profile_tier_level &rhs, int sps_max_sub_layers ) { ++ if(&lhs == &rhs) return true; ++ ++ if(lhs.general != rhs.general ) return false; ++ for(int i = 0 ; i < sps_max_sub_layers; i++ ) { ++ if(lhs.sub_layer[i] != rhs.sub_layer[i]) return false; ++ } ++ return true; ++} ++ ++bool isEqual(const video_usability_information &lhs, const video_usability_information &rhs, const seq_parameter_set &sps) { ++ if(&lhs == &rhs) return true; ++ ++ // not seen yet if(lhs.nal_hrd_parameters_present_flag != rhs.nal_hrd_parameters_present_flag ) return false; ++ ++ // populated by video_usability_information::read() ++ if(lhs.aspect_ratio_info_present_flag != rhs.aspect_ratio_info_present_flag ) return false; ++ if(lhs.aspect_ratio_info_present_flag) { ++ if(lhs.sar_width != rhs.sar_width ) return false; ++ if(lhs.sar_height != rhs.sar_height ) return false; ++ } ++ ++ if(lhs.overscan_info_present_flag != rhs.overscan_info_present_flag ) return false; ++ if(lhs.overscan_info_present_flag) { ++ if(lhs.overscan_appropriate_flag != rhs.overscan_appropriate_flag ) return false; ++ } ++ ++ if(lhs.video_signal_type_present_flag != rhs.video_signal_type_present_flag ) return false; ++ if(lhs.video_signal_type_present_flag) { ++ if(lhs.video_format != rhs.video_format ) return false; ++ if(lhs.video_full_range_flag != rhs.video_full_range_flag) return false; ++ if(lhs.colour_description_present_flag != rhs.colour_description_present_flag) return false; ++ if(lhs.colour_primaries != rhs.colour_primaries ) return false; ++ if(lhs.transfer_characteristics != rhs.transfer_characteristics ) return false; ++ if(lhs.matrix_coeffs != rhs.matrix_coeffs ) return false; ++ } ++ ++ if(lhs.chroma_loc_info_present_flag != rhs.chroma_loc_info_present_flag ) return false; ++ if(lhs.chroma_loc_info_present_flag) { ++ if(lhs.chroma_sample_loc_type_top_field != rhs.chroma_sample_loc_type_top_field ) return false; ++ if(lhs.chroma_sample_loc_type_bottom_field != rhs.chroma_sample_loc_type_bottom_field ) return false; ++ } ++ if(lhs.neutral_chroma_indication_flag != rhs.neutral_chroma_indication_flag ) return false; ++ if(lhs.field_seq_flag != rhs.field_seq_flag ) return false; ++ if(lhs.frame_field_info_present_flag != rhs.frame_field_info_present_flag ) return false; ++ ++ if(lhs.default_display_window_flag != rhs.default_display_window_flag ) return false; ++ if(lhs.default_display_window_flag) { ++ if(lhs.def_disp_win_left_offset != rhs.def_disp_win_left_offset ) return false; ++ if(lhs.def_disp_win_right_offset != rhs.def_disp_win_right_offset ) return false; ++ if(lhs.def_disp_win_top_offset != rhs.def_disp_win_top_offset ) return false; ++ if(lhs.def_disp_win_bottom_offset != rhs.def_disp_win_bottom_offset ) return false; ++ } ++ ++ if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag ) return false; ++ if(lhs.vui_timing_info_present_flag) { ++ if(lhs.vui_num_units_in_tick != rhs.vui_num_units_in_tick ) return false; ++ if(lhs.vui_time_scale != rhs.vui_time_scale ) return false; ++ if(lhs.vui_timing_info_present_flag != rhs.vui_timing_info_present_flag ) return false; ++ if(lhs.vui_timing_info_present_flag) { ++ if(lhs.vui_num_ticks_poc_diff_one != rhs.vui_num_ticks_poc_diff_one ) return false; ++ } ++ } ++ ++ if(lhs.vui_hrd_parameters_present_flag != rhs.vui_hrd_parameters_present_flag ) return false; ++ ++ ++ if(lhs.vui_hrd_parameters_present_flag) { ++ // check things made by hrd_parametes ++ ++ if(lhs.vui_hrd_parameters_present_flag != rhs.vui_hrd_parameters_present_flag ) return false; ++ if(lhs.vcl_hrd_parameters_present_flag != rhs.vcl_hrd_parameters_present_flag ) return false; ++ ++ if(lhs.nal_hrd_parameters_present_flag || lhs.vcl_hrd_parameters_present_flag) { ++ if(lhs.sub_pic_hrd_params_present_flag != rhs.sub_pic_hrd_params_present_flag ) return false; ++ if(lhs.sub_pic_hrd_params_present_flag) { ++ if(lhs.tick_divisor_minus2 != rhs.tick_divisor_minus2 ) return false; ++ if(lhs.du_cpb_removal_delay_increment_length_minus1 != rhs.du_cpb_removal_delay_increment_length_minus1 ) return false; ++ if(lhs.sub_pic_cpb_params_in_pic_timing_sei_flag != rhs.sub_pic_cpb_params_in_pic_timing_sei_flag ) return false; ++ if(lhs.dpb_output_delay_du_length_minus1 != rhs.dpb_output_delay_du_length_minus1 ) return false; ++ } ++ if(lhs.bit_rate_scale != rhs.bit_rate_scale ) return false; ++ if(lhs.cpb_size_scale != rhs.cpb_size_scale ) return false; ++ if(lhs.sub_pic_hrd_params_present_flag) { ++ if(lhs.cpb_size_du_scale != rhs.cpb_size_du_scale ) return false; ++ } ++ if(lhs.initial_cpb_removal_delay_length_minus1 != rhs.initial_cpb_removal_delay_length_minus1 ) return false; ++ if(lhs.au_cpb_removal_delay_length_minus1 != rhs.au_cpb_removal_delay_length_minus1 ) return false; ++ if(lhs.dpb_output_delay_length_minus1 != rhs.dpb_output_delay_length_minus1 ) return false; ++ } ++ ++ int i; ++ unsigned int j, nalOrVcl; ++ ++ for (i = 0; i < sps.sps_max_sub_layers; i++) { ++ if(lhs.fixed_pic_rate_general_flag[i] != rhs.fixed_pic_rate_general_flag[i] ) return false; ++ if(lhs.fixed_pic_rate_general_flag[i]) { ++ if(lhs.elemental_duration_in_tc_minus1[i] != rhs.elemental_duration_in_tc_minus1[i] ) return false; ++ } ++ if(lhs.low_delay_hrd_flag[i] != rhs.low_delay_hrd_flag[i] ) return false; ++ if(lhs.cpb_cnt_minus1[i] != rhs.cpb_cnt_minus1[i] ) return false; ++ ++ for (nalOrVcl = 0; nalOrVcl < 2; nalOrVcl++) { ++ if (((nalOrVcl == 0) && lhs.nal_hrd_parameters_present_flag) || ((nalOrVcl == 1) && lhs.vcl_hrd_parameters_present_flag)) { ++ for (j = 0; j <= lhs.cpb_cnt_minus1[i]; j++) { ++ if(lhs.bit_rate_value_minus1[i][j][nalOrVcl] != rhs.bit_rate_value_minus1[i][j][nalOrVcl]) return false; ++ if(lhs.cpb_size_value_minus1[i][j][nalOrVcl] != rhs.cpb_size_value_minus1[i][j][nalOrVcl]) return false; ++ ++ if (lhs.sub_pic_hrd_params_present_flag) { ++ if(lhs.cpb_size_du_value_minus1[i][j][nalOrVcl] != rhs.cpb_size_du_value_minus1[i][j][nalOrVcl]) return false; ++ if(lhs.bit_rate_du_value_minus1[i][j][nalOrVcl] != rhs.bit_rate_du_value_minus1[i][j][nalOrVcl]) return false; ++ } ++ if( lhs.cbr_flag[i][j][nalOrVcl] != rhs.cbr_flag[i][j][nalOrVcl]) return false; ++ } ++ } ++ } ++ } ++ } ++ return true; ++} ++ ++bool operator==(const sps_range_extension &lhs, const sps_range_extension &rhs) { ++ if(&lhs == &rhs) return true; ++ if(lhs.transform_skip_rotation_enabled_flag != rhs.transform_skip_rotation_enabled_flag ) return false; ++ if(lhs.transform_skip_context_enabled_flag != rhs.transform_skip_context_enabled_flag ) return false; ++ if(lhs.implicit_rdpcm_enabled_flag != rhs.implicit_rdpcm_enabled_flag ) return false; ++ if(lhs.explicit_rdpcm_enabled_flag != rhs.explicit_rdpcm_enabled_flag ) return false; ++ if(lhs.extended_precision_processing_flag != rhs.extended_precision_processing_flag ) return false; ++ if(lhs.intra_smoothing_disabled_flag != rhs.intra_smoothing_disabled_flag ) return false; ++ if(lhs.high_precision_offsets_enabled_flag != rhs.high_precision_offsets_enabled_flag ) return false; ++ if(lhs.persistent_rice_adaptation_enabled_flag != rhs.persistent_rice_adaptation_enabled_flag ) return false; ++ if(lhs.cabac_bypass_alignment_enabled_flag != rhs.cabac_bypass_alignment_enabled_flag ) return false; ++ return true; ++} ++ ++bool operator!=(const sps_range_extension &lhs, const sps_range_extension &rhs) { ++ if(&lhs == &rhs) return false; ++ return !(lhs==rhs); ++} ++ ++ ++bool operator==(const seq_parameter_set &lhs, const seq_parameter_set &rhs) { ++ ++ if(&lhs== &rhs) return true; ++ ++ if(lhs.sps_read != rhs.sps_read) return false; ++ ++ if(lhs.video_parameter_set_id != rhs.video_parameter_set_id) return false; ++ if(lhs.sps_max_sub_layers != rhs.sps_max_sub_layers) return false; ++ if(lhs.sps_temporal_id_nesting_flag != rhs.sps_temporal_id_nesting_flag) return false; ++ ++ if(!isEqual(lhs.profile_tier_level_, rhs.profile_tier_level_, lhs.sps_max_sub_layers)) return false; ++ ++ if(lhs.seq_parameter_set_id != rhs.seq_parameter_set_id) return false; ++ if(lhs.chroma_format_idc != rhs.chroma_format_idc) return false; ++ ++ if(lhs.separate_colour_plane_flag != rhs.separate_colour_plane_flag) return false; ++ if(lhs.pic_width_in_luma_samples != rhs.pic_width_in_luma_samples) return false; ++ if(lhs.pic_height_in_luma_samples != rhs.pic_height_in_luma_samples) return false; ++ if(lhs.conformance_window_flag != rhs.conformance_window_flag) return false; ++ ++ if(lhs.conformance_window_flag) { ++ if(lhs.conf_win_left_offset != rhs.conf_win_left_offset) return false; ++ if(lhs.conf_win_right_offset != rhs.conf_win_right_offset) return false; ++ if(lhs.conf_win_top_offset != rhs.conf_win_top_offset) return false; ++ if(lhs.conf_win_bottom_offset != rhs.conf_win_bottom_offset) return false; ++ } ++ ++ if(lhs.bit_depth_luma != rhs.bit_depth_luma) return false; ++ if(lhs.bit_depth_chroma != rhs.bit_depth_chroma) return false; ++ ++ if(lhs.log2_max_pic_order_cnt_lsb != rhs.log2_max_pic_order_cnt_lsb) return false; ++ if(lhs.sps_sub_layer_ordering_info_present_flag != rhs.sps_sub_layer_ordering_info_present_flag) return false; ++ ++ if(memcmp(lhs.sps_max_dec_pic_buffering, rhs.sps_max_dec_pic_buffering, sizeof(rhs.sps_max_dec_pic_buffering))) return false; ++ if(memcmp(lhs.sps_max_num_reorder_pics, rhs.sps_max_num_reorder_pics, sizeof(rhs.sps_max_num_reorder_pics))) return false; ++ if(memcmp(lhs.sps_max_latency_increase_plus1, rhs.sps_max_latency_increase_plus1, sizeof(rhs.sps_max_latency_increase_plus1))) return false; ++ ++ if(lhs.log2_min_luma_coding_block_size != rhs.log2_min_luma_coding_block_size) return false; ++ if(lhs.log2_diff_max_min_luma_coding_block_size != rhs.log2_diff_max_min_luma_coding_block_size) return false; ++ if(lhs.log2_min_transform_block_size != rhs.log2_min_transform_block_size) return false; ++ if(lhs.log2_diff_max_min_transform_block_size != rhs.log2_diff_max_min_transform_block_size) return false; ++ if(lhs.max_transform_hierarchy_depth_inter != rhs.max_transform_hierarchy_depth_inter) return false; ++ if(lhs.max_transform_hierarchy_depth_intra != rhs.max_transform_hierarchy_depth_intra) return false; ++ ++ if(lhs.scaling_list_enable_flag != rhs.scaling_list_enable_flag) return false; ++ if(lhs.scaling_list_enable_flag) { ++ if(lhs.sps_scaling_list_data_present_flag != rhs.sps_scaling_list_data_present_flag) return false; ++ if(lhs.sps_scaling_list_data_present_flag) { ++ // compare only needed if present, otherwise it is the default scaling list. ++ if(memcmp(&lhs.scaling_list, &rhs.scaling_list, sizeof(rhs.scaling_list))) return false; ++ } ++ } ++ ++ if(lhs.amp_enabled_flag != rhs.amp_enabled_flag) return false; ++ if(lhs.sample_adaptive_offset_enabled_flag != rhs.sample_adaptive_offset_enabled_flag) return false; ++ if(lhs.pcm_enabled_flag != rhs.pcm_enabled_flag) return false; ++ ++ if(lhs.pcm_enabled_flag) { ++ if(lhs.pcm_sample_bit_depth_luma != rhs.pcm_sample_bit_depth_luma) return false; ++ if(lhs.pcm_sample_bit_depth_chroma != rhs.pcm_sample_bit_depth_chroma) return false; ++ if(lhs.log2_min_pcm_luma_coding_block_size != rhs.log2_min_pcm_luma_coding_block_size) return false; ++ if(lhs.log2_diff_max_min_pcm_luma_coding_block_size != rhs.log2_diff_max_min_pcm_luma_coding_block_size) return false; ++ if(lhs.pcm_loop_filter_disable_flag != rhs.pcm_loop_filter_disable_flag) return false; ++ } ++ ++ // (longterm) reference pics likely to change with a new sps, so ignored here. ++ ++ if(lhs.sps_temporal_mvp_enabled_flag != rhs.sps_temporal_mvp_enabled_flag) return false; ++ if(lhs.strong_intra_smoothing_enable_flag != rhs.strong_intra_smoothing_enable_flag) return false; ++ ++ if(lhs.vui_parameters_present_flag != rhs.vui_parameters_present_flag) return false; ++ if(lhs.vui_parameters_present_flag) { ++ if(!isEqual(lhs.vui, rhs.vui, lhs )) return false; ++ } ++ ++ if(lhs.sps_extension_present_flag != rhs.sps_extension_present_flag ) return false; ++ if(lhs.sps_extension_present_flag) { ++ if(lhs.sps_range_extension_flag != rhs.sps_range_extension_flag ) return false; ++ if(lhs.sps_multilayer_extension_flag != rhs.sps_multilayer_extension_flag ) return false; ++ if(lhs.sps_extension_6bits != rhs.sps_extension_6bits ) return false; ++ if(lhs.range_extension != rhs.range_extension) return false; ++ } ++ ++ return true; ++} ++ + de265_error decoder_context::read_sps_NAL(bitreader& reader) + { + logdebug(LogHeaders,"----> read SPS\n"); +@@ -560,6 +817,22 @@ de265_error decoder_context::read_sps_NAL(bitreader& reader) + new_sps->dump(param_sps_headers_fd); + } + ++ if ( sps[ new_sps->seq_parameter_set_id ] ) { ++ auto old_sps = sps[ new_sps->seq_parameter_set_id ].get(); ++ if ( *old_sps == *new_sps ) { ++ // printf(" **** keeping sps *****\n"); ++ // the new sps is identical to the old one, so no replacing needed. ++ // however, reference pics and long-term reference pics might need updating. ++ old_sps->ref_pic_sets = new_sps->ref_pic_sets; ++ old_sps->long_term_ref_pics_present_flag = new_sps->long_term_ref_pics_present_flag; ++ memcpy(old_sps->lt_ref_pic_poc_lsb_sps, new_sps->lt_ref_pic_poc_lsb_sps, sizeof(old_sps->lt_ref_pic_poc_lsb_sps)); ++ memcpy(old_sps->used_by_curr_pic_lt_sps_flag, new_sps->used_by_curr_pic_lt_sps_flag, sizeof(old_sps->used_by_curr_pic_lt_sps_flag)); ++ return DE265_OK; ++ } ++ //printf(" **** replacing sps *****\n"); ++ ++ } ++ + sps[ new_sps->seq_parameter_set_id ] = new_sps; + + // Remove the all PPS that referenced the old SPS because parameters may have changed and we do not want to +diff --git a/libde265/sps.cc b/libde265/sps.cc +index f1c28255..31ce9470 100644 +--- a/libde265/sps.cc ++++ b/libde265/sps.cc +@@ -287,6 +287,11 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br) + int firstLayer = (sps_sub_layer_ordering_info_present_flag ? + 0 : sps_max_sub_layers-1 ); + ++ // zero out so that comparing is easier. ++ memset(sps_max_dec_pic_buffering, 0 , sizeof(sps_max_dec_pic_buffering)); ++ memset(sps_max_num_reorder_pics, 0 , sizeof(sps_max_num_reorder_pics)); ++ memset(sps_max_latency_increase_plus1, 0 , sizeof(sps_max_latency_increase_plus1)); ++ + for (int i=firstLayer ; i <= sps_max_sub_layers-1; i++ ) { + + // sps_max_dec_pic_buffering[i] +@@ -347,6 +352,7 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br) + if (sps_scaling_list_data_present_flag) { + + de265_error err; ++ memset(&scaling_list, 0 , sizeof(scaling_list)); // zero out, so that memcmp will do it to check for equality. + if ((err=read_scaling_list(br,this, &scaling_list, false)) != DE265_OK) { + return err; + } diff -Nru libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch --- libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch 1970-01-01 01:00:00.000000000 +0100 +++ libde265-1.0.9/debian/patches/reject_reference_pics_from_different_sps.patch 2023-01-21 16:25:57.000000000 +0100 @@ -0,0 +1,54 @@ +Description: Try to mitigate asan failures by rejecting reference pictures not created with the same sps. + The reference images might have different parameters (size, pixel depth, etc) and so different memory allocations, + leading to out of bound memory reads and writes. +Origin: https://github.com/strukturag/libde265/pull/365 +Comment: Analysis of issue https://github.com/strukturag/libde265/issues/345#issuecomment-1346406079 +From 97dd15303085eae2695a511717bf3239e209df96 Mon Sep 17 00:00:00 2001 +From: Tobias Frost <tobi@debian.org> +Date: Mon, 12 Dec 2022 14:03:12 +0100 +Subject: [PATCH] Try to mitigate asan failures. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +See #345 for my analysis and details… + +(This PR is just for discussion.) + +(The CVE references are obtained from the Debian security tracker, +which links the issues.) + +This makes the following POCs stop failing: + +- poc3 (#337) +- poc7-1 (#341) CVE-2022-43239 (note: does NOT fix poc7-2) +- poc8-2, poc8-3, poc8-4 (#342) CVE-2022-43244 (note: does NOT fix poc8-1) +- poc11-1, poc11-2 (#345) CVE-2022-43249 +- poc12 (#346) +- poc13 (#347) CVE-2022-43252 +- poc16 (#350) +--- + libde265/motion.cc | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/libde265/motion.cc b/libde265/motion.cc +index 8bbfbde0..1d20bcd3 100644 +--- a/libde265/motion.cc ++++ b/libde265/motion.cc +@@ -348,6 +348,16 @@ void generate_inter_prediction_samples(base_context* ctx, + + logtrace(LogMotion, "refIdx: %d -> dpb[%d]\n", vi->refIdx[l], shdr->RefPicList[l][vi->refIdx[l]]); + ++ if (refPic) { ++ auto nonconst_refPic = const_cast<de265_image*>(refPic); /* shared_ptr.get() chokes on const.*/ ++ auto refsps = nonconst_refPic->get_shared_sps().get(); ++ auto imgsps = img->get_shared_sps().get(); ++ if(refsps != imgsps) { ++ // rejecting reference image created with different sps. ++ refPic = nullptr; ++ } ++ } ++ + if (!refPic || refPic->PicState == UnusedForReference) { + img->integrity = INTEGRITY_DECODING_ERRORS; + ctx->add_warning(DE265_WARNING_NONEXISTING_REFERENCE_PICTURE_ACCESSED, false); diff -Nru libde265-1.0.9/debian/patches/series libde265-1.0.9/debian/patches/series --- libde265-1.0.9/debian/patches/series 2022-10-25 10:15:37.000000000 +0200 +++ libde265-1.0.9/debian/patches/series 2023-01-21 17:19:52.000000000 +0100 @@ -1,3 +1,6 @@ only_export_decoder_api.patch disable_tools.patch m4-visibility.patch +reject_reference_pics_from_different_sps.patch +use_sps_from_the_image.patch +recycle_sps_if_possible.patch diff -Nru libde265-1.0.9/debian/patches/use_sps_from_the_image.patch libde265-1.0.9/debian/patches/use_sps_from_the_image.patch --- libde265-1.0.9/debian/patches/use_sps_from_the_image.patch 1970-01-01 01:00:00.000000000 +0100 +++ libde265-1.0.9/debian/patches/use_sps_from_the_image.patch 2023-01-21 16:37:03.000000000 +0100 @@ -0,0 +1,62 @@ +Description: Use sps of the image, not the sps of the pic parameter set (pps) + When decoding a slice, all decoding functions are using the sps of the target + image to determine the image properties, which are in the seqquence parameter + set) -- execpt generate_inter_prediction_samples(), which uses the sps from the + pps, which might have different properties and trick the decode to out-of-bound + memory accesses, leading to crashes. +Origin: https://github.com/strukturag/libde265/pull/366 +From 36391cda3d4e4fb3269a2ce310e6e0f634729f0b Mon Sep 17 00:00:00 2001 +From: Tobias Frost <tobi@debian.org> +Date: Mon, 12 Dec 2022 14:33:40 +0100 +Subject: [PATCH] Use the sps from the image + +(as e.g mc_chroma is using the sps to determine +picture properties, like pic_width_in_luma_samples +and pic_height_in_luma_samples, I *think* this is +more correct. + +This PR is for discussion. (See #345.) +It makes the failures go away, but that does not mean it's correct :) + +The following poc will be stop failing if (only) this +patch is applied: + + - poc2 #336 - CVE-2022-43238 + - poc4 #338 - CVE-2022-43241 + - poc6-1, poc6-2 #340 - CVE-2022-43242 + - poc7-1, poc7-2 #341 - CVE-2022-43239 + - poc8-1 #342 - CVE-2022-43244 + - poc9-3 #343 - CVE-2022-43236 + - poc10-2, poc10-3 #344 - CVE-2022-43237 + - poc16 #350 + - poc19 #353 + +The following are still failing if only this patch is +applied, but they stop failing if #365 is applied as well, but will +still fail with ONLY #365 applied (IOW, both are needed) + + - poc1 #335 - CVE-2022-43240 + - poc3 #337 - CVE-2022-43235 + - poc5 #339 - CVE-2022-43423 + - poc9-1,poc9-2, poc9-4 #343 - CVE-2022-43236 + - poc14 #348 - CVE-2022-43253 + - poc15 #349 - CVE-2022-43248 + - poc17-1, poc17-2 #351 + - poc18 #352 - CVE-2022-43245 +--- + libde265/motion.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/libde265/motion.cc b/libde265/motion.cc +index 8bbfbde0..89d5a167 100644 +--- a/libde265/motion.cc ++++ b/libde265/motion.cc +@@ -290,7 +290,7 @@ void generate_inter_prediction_samples(base_context* ctx, + int stride[3]; + + const pic_parameter_set* pps = shdr->pps.get(); +- const seq_parameter_set* sps = pps->sps.get(); ++ const seq_parameter_set* sps = img->get_shared_sps().get(); + + const int SubWidthC = sps->SubWidthC; + const int SubHeightC = sps->SubHeightC;Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: Tobias Frost <tobi@debian.org>, 1029401-done@bugs.debian.org
- Subject: Re: Bug#1029401: libde265: diff for NMU version 1.0.9-1.1
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Sun, 22 Jan 2023 15:05:06 +0100
- Message-id: <Y81CkqsOwlBTdYLl@ramacher.at>
- In-reply-to: <[🔎] Y80wvmNz0MiMQrnj@ramacher.at>
- References: <[🔎] Y80sSJfDHlEOHUqh@isildor.loewenhoehle.ip> <[🔎] Y80sSJfDHlEOHUqh@isildor.loewenhoehle.ip> <[🔎] Y80wvmNz0MiMQrnj@ramacher.at>
On 2023-01-22 13:49:02 +0100, Sebastian Ramacher wrote: > On 2023-01-22 13:30:00 +0100, Tobias Frost wrote: > > Package: libde265 > > Version: 1.0.9-1 > > Severity: normal > > Tags: patch pending > > > > > > Dear maintainer, > > > > I've prepared an NMU for libde265 (versioned as 1.0.9-1.1) and > > uploaded it to DELAYED/2. Please feel free to tell me if I > > should delay it longer. > > Thanks for working on the issue. Feel free to directly upload it to > unstable / reschedule to DELAYED/0. … also thanks to the MR. Closing. Cheers -- Sebastian Ramacher
--- End Message ---