h266parser: Fix overflow when parsing subpic_level_info

1. non_subpic_layers_fraction, ref_level_idc and ref_level_fraction_minus1 fields should not have the GST_H266_MAX_SUBLAYERS limitation. 2. Should check max_sublayers_minus1, no more than GST_H266_MAX_SUBLAYERS-1 Fixes ZDI-CAN-27381, CVE-2025-6663 Closes: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/4503 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9294>
2025-06-24 21:40:26 +08:00 · 2025-06-24 21:40:26 +08:00 · eedd01ac3d
commit eedd01ac3d
parent af63e991ec
3 changed files with 10 additions and 4 deletions
--- a/.gitlab-image-tags.yml
+++ b/.gitlab-image-tags.yml
@ -11,6 +11,6 @@ variables:

  CHECKS_TAG: '2025-02-04.0'

-  ABI_CHECK_TAG: '2025-06-24.0'
+  ABI_CHECK_TAG: '2025-06-26.0'

  WINDOWS_TAG: '2025-05-30.0'
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.c
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.c
@ -1620,6 +1620,10 @@ gst_h266_parser_parse_subpic_level_info (GstH266SubPicLevelInfo * sli,
    READ_UE_MAX (nr, sli->num_subpics_minus1, GST_H266_MAX_SLICES_PER_AU - 1);

  READ_UINT8 (nr, sli->max_sublayers_minus1, 3);
+  /* The value of sli_max_sublayers_minus1 shall be equal to
+     vps_max_sublayers_minus1. */
+  CHECK_ALLOWED_MAX (sli->max_sublayers_minus1, GST_H266_MAX_SUBLAYERS - 1);
+
  READ_UINT8 (nr, sli->sublayer_info_present_flag, 1);

  while (!nal_reader_is_byte_aligned (nr))
--- a/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.h
+++ b/subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.h
@ -43,6 +43,8 @@ G_BEGIN_DECLS
 /* 7.4.3.3 The value of vps_max_sublayers_minus1
 * shall be in the range of 0 to 6, inclusive */
 #define GST_H266_MAX_SUBLAYERS 7
+/* 3-bit minus1 value, so max is 7+1 */
+#define GST_H266_MAX_SLI_REF_LEVELS 8
 /* 7.4.3.3 vps_num_output_layer_sets_minus2 is u(8) */
 #define GST_H266_MAX_TOTAL_NUM_OLSS 257
 /* 7.4.3.3 vps_num_ptls_minus1 shall be less than TotalNumOlss,
@ -3171,9 +3173,9 @@ struct _GstH266SubPicLevelInfo {
  guint16 num_subpics_minus1;
  guint8 max_sublayers_minus1;
  guint8 sublayer_info_present_flag;
-  guint8 non_subpic_layers_fraction[GST_H266_MAX_SUBLAYERS][GST_H266_MAX_SUBLAYERS];
-  guint8 ref_level_idc[GST_H266_MAX_SUBLAYERS][GST_H266_MAX_SUBLAYERS];
-  guint8 ref_level_fraction_minus1[GST_H266_MAX_SUBLAYERS][GST_H266_MAX_SLICES_PER_AU][GST_H266_MAX_SUBLAYERS];
+  guint8 non_subpic_layers_fraction[GST_H266_MAX_SLI_REF_LEVELS][GST_H266_MAX_SUBLAYERS];
+  guint8 ref_level_idc[GST_H266_MAX_SLI_REF_LEVELS][GST_H266_MAX_SUBLAYERS];
+  guint8 ref_level_fraction_minus1[GST_H266_MAX_SLI_REF_LEVELS][GST_H266_MAX_SLICES_PER_AU][GST_H266_MAX_SUBLAYERS];
 };

 /**