h265parser: Fix num_long_term_pics bound check

As defined in the spec 7.4.7.1, calculates allowed maximum value of num_long_term_pics Fixes ZDI-CAN-26596 Fixes: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4285 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8884>
2025-03-15 23:48:52 +09:00 · 2025-03-15 23:48:52 +09:00 · d0e18d6353
commit d0e18d6353
parent b33ba2f264
1 changed files with 36 additions and 2 deletions
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth265parser.c
@ -2807,6 +2807,8 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
      READ_UINT8 (&nr, slice->colour_plane_id, 2);

    if (!GST_H265_IS_NAL_TYPE_IDR (nalu->type)) {
+      const GstH265ShortTermRefPicSet *ref_pic_sets = NULL;
+
      READ_UINT16 (&nr, slice->pic_order_cnt_lsb,
          (sps->log2_max_pic_order_cnt_lsb_minus4 + 4));

@ -2823,24 +2825,56 @@ gst_h265_parser_parse_slice_hdr (GstH265Parser * parser,
        slice->short_term_ref_pic_set_size =
            (nal_reader_get_pos (&nr) - pos) -
            (8 * (nal_reader_get_epb_count (&nr) - epb_pos));
+
+        ref_pic_sets = &slice->short_term_ref_pic_sets;
      } else if (sps->num_short_term_ref_pic_sets > 1) {
        /*  7.4.7.1 short_term_ref_pic_set_idx */
        const guint n = gst_util_ceil_log2 (sps->num_short_term_ref_pic_sets);
        READ_UINT8 (&nr, slice->short_term_ref_pic_set_idx, n);
        CHECK_ALLOWED_MAX (slice->short_term_ref_pic_set_idx,
            sps->num_short_term_ref_pic_sets - 1);
+        ref_pic_sets =
+            &sps->short_term_ref_pic_set[slice->short_term_ref_pic_set_idx];
+      } else {
+        ref_pic_sets = &sps->short_term_ref_pic_set[0];
      }

      if (sps->long_term_ref_pics_present_flag) {
        guint32 limit;
        guint pos = nal_reader_get_pos (&nr);
        guint epb_pos = nal_reader_get_epb_count (&nr);
+        gint max_num_long_term_pics = 0;
+        gint TwoVersionsOfCurrDecPicFlag = 0;

-        if (sps->num_long_term_ref_pics_sps > 0)
+        if (sps->num_long_term_ref_pics_sps > 0) {
          READ_UE_MAX (&nr, slice->num_long_term_sps,
              sps->num_long_term_ref_pics_sps);
+        }

-        READ_UE_MAX (&nr, slice->num_long_term_pics, 16);
+        /* 7.4.3.3.3 */
+        if (pps->pps_scc_extension_flag &&
+            pps->pps_scc_extension_params.pps_curr_pic_ref_enabled_flag &&
+            (sps->sample_adaptive_offset_enabled_flag ||
+                !pps->deblocking_filter_disabled_flag ||
+                pps->deblocking_filter_override_enabled_flag)) {
+          TwoVersionsOfCurrDecPicFlag = 1;
+        }
+
+        /* Calculated upper bound num_long_term_pics can have. 7.4.7.1 */
+        max_num_long_term_pics =
+            /* sps_max_dec_pic_buffering_minus1[TemporalId], allowed max is
+             * MaxDpbSize - 1 */
+            MAX_DPB_SIZE - 1
+            - (gint) slice->num_long_term_sps
+            - (gint) ref_pic_sets->NumNegativePics
+            - (gint) ref_pic_sets->NumPositivePics -
+            TwoVersionsOfCurrDecPicFlag;
+        if (max_num_long_term_pics < 0) {
+          GST_WARNING ("Invalid stream, too many reference pictures");
+          goto error;
+        }
+
+        READ_UE_MAX (&nr, slice->num_long_term_pics, max_num_long_term_pics);
        limit = slice->num_long_term_sps + slice->num_long_term_pics;
        for (i = 0; i < limit; i++) {
          if (i < slice->num_long_term_sps) {