From a46737a73155fe1c19fa5115df40da35426f9fb5 Mon Sep 17 00:00:00 2001
From: Seungha Yang
Date: Thu, 23 Nov 2023 20:24:42 +0900
Subject: [PATCH] av1parser: Fix array sizes in scalability structure
Since the AV1 specification is not explicitly mentioning about the array size bounds, array sizes in scalability structure should be defined as possible maximum sizes that can have. Also, this commit removes GST_AV1_MAX_SPATIAL_LAYERS define from public header which is API break but the define is misleading and this patch is introducing ABI break already
ZDI-CAN-22300
Part-of:
Upstream-Status: Backport [https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/a46737a73155fe1c19fa5115df40da35426f9fb5]
CVE: CVE-2023-50186
Signed-off-by: Vijay Anusuri
---
 gst-libs/gst/codecparsers/gstav1parser.h | 11 +++++------
 gst/videoparsers/gstav1parse.c | 2 +-
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/gst-libs/gst/codecparsers/gstav1parser.h b/gst-libs/gst/codecparsers/gstav1parser.h
index 31f5945..ef6ce9e 100644
--- a/gst-libs/gst/codecparsers/gstav1parser.h
+++ b/gst-libs/gst/codecparsers/gstav1parser.h
@@ -71,9 +71,8 @@ G_BEGIN_DECLS
 #define GST_AV1_MAX_TILE_COUNT 512
 #define GST_AV1_MAX_OPERATING_POINTS \
 (GST_AV1_MAX_NUM_TEMPORAL_LAYERS * GST_AV1_MAX_NUM_SPATIAL_LAYERS)
-#define GST_AV1_MAX_SPATIAL_LAYERS 2 /* correct? */
-#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 8 /* correct? */
-#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 8 /* correct? */
+#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 255
+#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 7
 #define GST_AV1_MAX_NUM_Y_POINTS 16
 #define GST_AV1_MAX_NUM_CB_POINTS 16
 #define GST_AV1_MAX_NUM_CR_POINTS 16
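Review bot: The two new values, `255` and `7`, carry no comment saying where they come from, and the removed `/* correct? */` markers show that this was exactly what earlier maintainers could not tell. Since these constants are the only thing bounding arrays that are filled from bitstream-controlled counts, the derivation should sit next to them, e.g. `#define GST_AV1_MAX_TEMPORAL_GROUP_SIZE 255 /* temporal_group_size is an 8-bit field */` and `#define GST_AV1_MAX_TEMPORAL_GROUP_REFERENCES 7 /* temporal_group_ref_cnt is a 3-bit field */`. The field widths are taken from the AV1 scalability-structure syntax as I recall it and should be confirmed against the specification before the comments are committed.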
@@ -968,9 +967,9 @@ struct _GstAV1MetadataScalability {
 gboolean spatial_layer_dimensions_present_flag;
 gboolean spatial_layer_description_present_flag;
 gboolean temporal_group_description_present_flag;
- guint16 spatial_layer_max_width[GST_AV1_MAX_SPATIAL_LAYERS];
- guint16 spatial_layer_max_height[GST_AV1_MAX_SPATIAL_LAYERS];
- guint8 spatial_layer_ref_id[GST_AV1_MAX_SPATIAL_LAYERS];
+ guint16 spatial_layer_max_width[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+ guint16 spatial_layer_max_height[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
+ guint8 spatial_layer_ref_id[GST_AV1_MAX_NUM_SPATIAL_LAYERS];
 guint8 temporal_group_size;
 guint8 temporal_group_temporal_id[GST_AV1_MAX_TEMPORAL_GROUP_SIZE];
diff --git a/gst/videoparsers/gstav1parse.c b/gst/videoparsers/gstav1parse.c
index f127856..ef1bc74 100644
--- a/gst/videoparsers/gstav1parse.c
+++ b/gst/videoparsers/gstav1parse.c
@@ -1229,7 +1229,7 @@ gst_av1_parse_handle_sequence_obu (GstAV1Parse * self, GstAV1OBU * obu)
 }
 val = (self->parser->state.operating_point_idc >> 8) & 0x0f;
- for (i = 0; i < (1 << GST_AV1_MAX_SPATIAL_LAYERS); i++) {
+ for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++) {
 if (val & (1 << i))
 self->highest_spatial_id = i;
 }
--
2.25.1
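Review bot: The arrays in `_GstAV1MetadataScalability` stay in bounds only while their size constants are at least as large as the largest count the bitstream fields can encode, and nothing in the header enforces that relationship. `temporal_group_size` is declared `guint8` in the context line, so a compile-time check beside the struct, for example `G_STATIC_ASSERT (GST_AV1_MAX_TEMPORAL_GROUP_SIZE >= G_MAXUINT8);`, would stop a later edit of the define from silently reintroducing an out-of-bounds write. The parser code that fills these arrays is not part of this patch, so whether it also range-checks the counts it reads should be confirmed there. The struct body continues outside the hunk.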
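Review bot: The bound in `for (i = 0; i < GST_AV1_MAX_NUM_SPATIAL_LAYERS; i++)` and the `& 0x0f` mask on the line above express the same fact, one bit per spatial layer, in two places that are not tied together. The definition of GST_AV1_MAX_NUM_SPATIAL_LAYERS is outside this patch; if it is 4, the iteration count matches the old `1 << 2`, but a reader cannot see that from here. A comment above the assignment such as `/* bits 8..11 of operating_point_idc: one bit per spatial layer */` would make the coupling explicit. The body of gst_av1_parse_handle_sequence_obu starts and ends outside the hunk.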