h265parser: Fix possible overflow using max_sub_layers_minus1

This fixes a possible overflow that can be triggered by an invalid value of max_sub_layers_minus1 being set in the bitstream. The bitstream uses 3 bits, but the allowed range is 0 to 6 only. Fixes ZDI-CAN-21768, CVE-2023-40476 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2895 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5364>
2025-03-29 12:25:37 +00:00 · 2023-08-09 12:49:19 -04:00 · 2023-08-09 12:49:19 -04:00 · ff91a3d8d6
commit ff91a3d8d6
parent 9cbe9a52fe
1 changed files with 2 additions and 0 deletions
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
@ -1886,6 +1886,7 @@ gst_h265_parse_vps (GstH265NalUnit * nalu, GstH265VPS * vps)

  READ_UINT8 (&nr, vps->max_layers_minus1, 6);
  READ_UINT8 (&nr, vps->max_sub_layers_minus1, 3);
+  CHECK_ALLOWED (vps->max_sub_layers_minus1, 0, 6);
  READ_UINT8 (&nr, vps->temporal_id_nesting_flag, 1);

  /* skip reserved_0xffff_16bits */
@ -2056,6 +2057,7 @@ gst_h265_parse_sps (GstH265Parser * parser, GstH265NalUnit * nalu,
  READ_UINT8 (&nr, sps->vps_id, 4);

  READ_UINT8 (&nr, sps->max_sub_layers_minus1, 3);
+  CHECK_ALLOWED (sps->max_sub_layers_minus1, 0, 6);
  READ_UINT8 (&nr, sps->temporal_id_nesting_flag, 1);

  if (!gst_h265_parse_profile_tier_level (&sps->profile_tier_level, &nr,