From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp1 ([2001:41d0:2:4a6f::])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id aLYzF0BuhGBeAgAAgWs5BA
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 24 Apr 2021 21:15:12 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp1 with LMTPS
	id OI7WEkBuhGAkDQAAbx9fmQ
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Sat, 24 Apr 2021 19:15:12 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id B440626E30
	for <larch@yhetil.org>; Sat, 24 Apr 2021 21:15:11 +0200 (CEST)
Received: from localhost ([::1]:51824 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	id 1laNkE-0005Mc-TI
	for larch@yhetil.org; Sat, 24 Apr 2021 15:15:10 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:56106)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1laNk6-0005MQ-41
 for guix-patches@gnu.org; Sat, 24 Apr 2021 15:15:02 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:58211)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1laNk5-0002IS-Pc
 for guix-patches@gnu.org; Sat, 24 Apr 2021 15:15:01 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1laNk5-0005IO-Ka
 for guix-patches@gnu.org; Sat, 24 Apr 2021 15:15:01 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#48000] [PATCH 3/5] gnu: gst-plugins-bad: Fix an overflow when
 processing video files.
Resent-From: Leo Famulari <leo@famulari.name>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Sat, 24 Apr 2021 19:15:01 +0000
Resent-Message-ID: <handler.48000.B48000.161929169320312@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 48000
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: 
To: 48000@debbugs.gnu.org
Received: via spool by 48000-submit@debbugs.gnu.org id=B48000.161929169320312
 (code B ref 48000); Sat, 24 Apr 2021 19:15:01 +0000
Received: (at 48000) by debbugs.gnu.org; 24 Apr 2021 19:14:53 +0000
Received: from localhost ([127.0.0.1]:41518 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1laNjt-0005HI-Oy
 for submit@debbugs.gnu.org; Sat, 24 Apr 2021 15:14:53 -0400
Received: from out4-smtp.messagingengine.com ([66.111.4.28]:43927)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1laNjr-0005Go-Nd
 for 48000@debbugs.gnu.org; Sat, 24 Apr 2021 15:14:48 -0400
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.nyi.internal (Postfix) with ESMTP id AB24A5C008E;
 Sat, 24 Apr 2021 15:14:42 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
 by compute3.internal (MEProxy); Sat, 24 Apr 2021 15:14:42 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=from:to:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding; s=mesmtp; bh=pGX5JUA9/6
 1e9za8yF/PNkKUWiu65ZMLf9jSA+cSbMY=; b=hizLT1aPND1LvsBRC3uQCUJRjr
 5UnQqWbR8E4wfdZ60tmvjnk9cLFEuRf9KmPe1mRR3XwSl+PiH9WPtKQecWDE1Onn
 2f8bD/TVi6HH+svDQ8ShuNiqp3psGpXbSj67Im2ZzFRZRMZX8qI2SMqF8x1jDwEO
 hvxQptmdUkAJhVIKk=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-transfer-encoding:date:from
 :in-reply-to:message-id:mime-version:references:subject:to
 :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
 fm2; bh=pGX5JUA9/61e9za8yF/PNkKUWiu65ZMLf9jSA+cSbMY=; b=All42p0I
 mAlKZLcJcmeAWnQTEKETchHReZQORMWWsNlMTni7SV9RpanRnFNRluRXPc5dVHY6
 B/HlHh/SgDiJB6Xz3hpqWngN3Md8eNLru8PjZ5WKUKuI6kUrDO4nO1RKtGVlev7d
 IWeiweoxfsb5ue3NTYgN+H1PrI6WX6ShnmKyCKRSFphZC2EOCkzL/PxH3ZaPz1wO
 rPFmr2yO0+uz7PJ7RkGeGbK93JWqeucGAoZfunVX+KJqdzO4I9vhSxEfEplf89WH
 +QQ1YbGElBr5DxCczLDz0LI117mk4kL3b8RorgB0wwIGK0ULuD9HHITuNSrV1aMq
 tAsENR41rR3mIw==
X-ME-Sender: <xms:Im6EYOevmaC2QsqR-H62MQ2MlxVIjo1SKuMMZ01y-qEksN1LlZr4ew>
 <xme:Im6EYIOLYzj2Z-znnH8spFlDulGUubyxPWlIMITxyXfvv5eo7NpdEgi1EkvEG7amX
 wikmC1HN1s-rbCwlg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvddugedgudefhecutefuodetggdotefrod
 ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
 necuuegrihhlohhuthemuceftddtnecunecujfgurhephffvufffkffojghfggfgsedtke
 ertdertddtnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhl
 rghrihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpefhffethfejffeiiedvheeutdethe
 ffuddvfeeuteejgfeludethfduheegkeevffenucffohhmrghinhepfhhrvggvuggvshhk
 thhophdrohhrghdpuggvsghirghnrdhorhhgnecukfhppedutddtrdduuddrudeiledrud
 dukeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehl
 vghosehfrghmuhhlrghrihdrnhgrmhgv
X-ME-Proxy: <xmx:Im6EYPhw3p_d5xAdPcRyy_Zs8yUFHTTjGlnLmSGkgDl2DGsRRE6Fcg>
 <xmx:Im6EYL9VuGSo9O17BTR5Xk9ISQnUfl434wGiiATptqajJiP2cjbOBg>
 <xmx:Im6EYKvg3WnnmUOpFuEv7X5rSxLHLolNtq1_Rea48xHzTgf3QO4u6Q>
 <xmx:Im6EYI6Qw5kCeCm4HMBVBogVCR09JKThLw8OYqOq6xqQh05LuTAnNA>
Received: from jasmine.lan (pool-100-11-169-118.phlapa.fios.verizon.net
 [100.11.169.118])
 by mail.messagingengine.com (Postfix) with ESMTPA id 758DF1080063
 for <48000@debbugs.gnu.org>; Sat, 24 Apr 2021 15:14:42 -0400 (EDT)
From: Leo Famulari <leo@famulari.name>
Date: Sat, 24 Apr 2021 15:14:33 -0400
Message-Id: <e4d2798393c64500047962eeb90f78fd25eb5774.1619291675.git.leo@famulari.name>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name>
References: <06babf269cf58ba83c67efd7fd905f9d5a6bb5b5.1619291675.git.leo@famulari.name>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1619291711;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:resent-cc:
	 resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=pGX5JUA9/61e9za8yF/PNkKUWiu65ZMLf9jSA+cSbMY=;
	b=O2pyitMj9fxJvhniPTYauHn36ajR2zqmCGdnt8Jhw86wK9rqPSPHLvjTNwsmkkULI3wwvM
	zCYhuIOvXJRDJUIQ9rWoI05RwbsXCSR61+qy0lgfxJkGfsIrteKESM0qJrOF+lh7Z1FlZn
	FfkbSKzSdIUrIpifxTtokZl+giUTks1EqQps8M6PUrIWklPNOfqZD43Ak3FezXlATG655h
	van0/PbjluWTbWaFLnsBcvNuJTyp9DGr3mpfskwR1KyINlxyBaZWQbn9rTDdoaRPHu6ORV
	YAHd5HhwwkNOXCOyrljKGPujTU9bCfd4ulYImhyHYvIvgj29pxcGKqGRMKlgOA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1619291711; a=rsa-sha256; cv=none;
	b=RBitZQKDIYHtJgRBOoudKa9kLON5ap1PzKwM8kRNnUGgl6KHPRtU/ZRYp8NGmEEUc//fKA
	GD0phzPtX7twAtT14RcPEqdjZvuyq0borj8HFctxbmsMRcI+EKa1UUlZ+GbN3CtVKoWKxr
	t1Egka46yti1qvP3oX5rgsjgl3nGM2jEil8iIKlQaVGUt56ucF8j5gqg+SWJGDVTJO/UYI
	CJgLZribgOU1GkhX9x1IPxUSMpdfiIrsL89f0Cs3EuRjV+bc8qV/e7aSVAKEURMJV745mN
	QM6VKTjkLxbGsapr7y82L77F0/hwfAAfEcqKJHRoV0WNDiJLEF2weFbW3JQXLQ==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=hizLT1aP;
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=All42p0I;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org
X-Migadu-Spam-Score: 5.06
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=hizLT1aP;
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=All42p0I;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org
X-Migadu-Queue-Id: B440626E30
X-Spam-Score: 5.06
X-Migadu-Scanner: scn0.migadu.com
X-TUID: JSIbyVkH6VaG

* gnu/packages/patches/gst-plugins-bad-fix-overflow.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gstreamer.scm (gst-plugins-bad)[source]: Use it.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/gstreamer.scm                    |   1 +
 .../gst-plugins-bad-fix-overflow.patch        | 263 ++++++++++++++++++
 3 files changed, 265 insertions(+)
 create mode 100644 gnu/packages/patches/gst-plugins-bad-fix-overflow.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index b3e84be598..94d7daf910 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1170,6 +1170,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/grub-verifiers-Blocklist-fallout-cleanup.patch \
   %D%/packages/patches/gspell-dash-test.patch			\
   %D%/packages/patches/gst-libav-64channels-stack-corruption.patch	\
+  %D%/packages/patches/gst-plugins-bad-fix-overflow.patch	\
   %D%/packages/patches/gst-plugins-good-fix-test.patch		\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3497.patch	\
   %D%/packages/patches/gst-plugins-good-CVE-2021-3498.patch	\
diff --git a/gnu/packages/gstreamer.scm b/gnu/packages/gstreamer.scm
index 81ac0a2f5f..58a02119c6 100644
--- a/gnu/packages/gstreamer.scm
+++ b/gnu/packages/gstreamer.scm
@@ -681,6 +681,7 @@ model to base your own plug-in on, here it is.")
               (method url-fetch)
               (uri (string-append "https://gstreamer.freedesktop.org/src/"
                                   name "/" name "-" version ".tar.xz"))
+              (patches (search-patches "gst-plugins-bad-fix-overflow.patch"))
               (sha256
                (base32
                 "06ildd4rl6cynirv3p00d2ddf5is9svj4i7mkahldzhq24pq5mca"))))
diff --git a/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch
new file mode 100644
index 0000000000..95ab13db51
--- /dev/null
+++ b/gnu/packages/patches/gst-plugins-bad-fix-overflow.patch
@@ -0,0 +1,263 @@
+Fix an overflow when calculating something for AVC/HEVC videos:
+
+https://security-tracker.debian.org/tracker/TEMP-0000000-C6AAE1
+
+Patch copied from upstream source repository:
+
+https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/commit/0cfbf7ad91c7f121192c8ce135769f8eb276c41d
+From 0cfbf7ad91c7f121192c8ce135769f8eb276c41d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
+Date: Tue, 23 Mar 2021 19:19:14 +0200
+Subject: [PATCH] h2645parser: Catch overflows in AVC/HEVC NAL unit length
+ calculations
+
+Offset and size are stored as 32 bit guint and might overflow when
+adding the nal_length_size, so let's avoid that.
+
+For the size this would happen if the AVC/HEVC NAL unit size happens to
+be stored in 4 bytes and is 4294967292 or higher, which is likely
+corrupted data anyway.
+
+For the offset this is something for the caller of these functions to
+take care of but is unlikely to happen as it would require parsing on a
+>4GB buffer.
+
+Allowing these overflows causes all kinds of follow-up bugs in the
+h2645parse elements, ranging from infinite loops and memory leaks to
+potential memory corruptions.
+
+Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/2107>
+---
+ gst-libs/gst/codecparsers/gsth264parser.c | 16 +++++-
+ gst-libs/gst/codecparsers/gsth265parser.c | 16 +++++-
+ tests/check/libs/h264parser.c             | 60 +++++++++++++++++++++++
+ tests/check/libs/h265parser.c             | 60 +++++++++++++++++++++++
+ 4 files changed, 150 insertions(+), 2 deletions(-)
+
+diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c
+index 012f1d0d7..68aa25068 100644
+--- a/gst-libs/gst/codecparsers/gsth264parser.c
++++ b/gst-libs/gst/codecparsers/gsth264parser.c
+@@ -1556,6 +1556,14 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser,
+ 
+   memset (nalu, 0, sizeof (*nalu));
+ 
++  /* Would overflow guint below otherwise: the callers needs to ensure that
++   * this never happens */
++  if (offset > G_MAXUINT32 - nal_length_size) {
++    GST_WARNING ("offset + nal_length_size overflow");
++    nalu->size = 0;
++    return GST_H264_PARSER_BROKEN_DATA;
++  }
++
+   if (size < offset + nal_length_size) {
+     GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT
+         ", offset %u", size, offset);
+@@ -1570,7 +1578,13 @@ gst_h264_parser_identify_nalu_avc (GstH264NalParser * nalparser,
+   nalu->sc_offset = offset;
+   nalu->offset = offset + nal_length_size;
+ 
+-  if (size < nalu->size + nal_length_size) {
++  if (nalu->size > G_MAXUINT32 - nal_length_size) {
++    GST_WARNING ("NALU size + nal_length_size overflow");
++    nalu->size = 0;
++    return GST_H264_PARSER_BROKEN_DATA;
++  }
++
++  if (size < (gsize) nalu->size + nal_length_size) {
+     nalu->size = 0;
+ 
+     return GST_H264_PARSER_NO_NAL_END;
+diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
+index 26e68b276..dc7f27aa9 100644
+--- a/gst-libs/gst/codecparsers/gsth265parser.c
++++ b/gst-libs/gst/codecparsers/gsth265parser.c
+@@ -1531,6 +1531,14 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser,
+ 
+   memset (nalu, 0, sizeof (*nalu));
+ 
++  /* Would overflow guint below otherwise: the callers needs to ensure that
++   * this never happens */
++  if (offset > G_MAXUINT32 - nal_length_size) {
++    GST_WARNING ("offset + nal_length_size overflow");
++    nalu->size = 0;
++    return GST_H265_PARSER_BROKEN_DATA;
++  }
++
+   if (size < offset + nal_length_size) {
+     GST_DEBUG ("Can't parse, buffer has too small size %" G_GSIZE_FORMAT
+         ", offset %u", size, offset);
+@@ -1545,7 +1553,13 @@ gst_h265_parser_identify_nalu_hevc (GstH265Parser * parser,
+   nalu->sc_offset = offset;
+   nalu->offset = offset + nal_length_size;
+ 
+-  if (size < nalu->size + nal_length_size) {
++  if (nalu->size > G_MAXUINT32 - nal_length_size) {
++    GST_WARNING ("NALU size + nal_length_size overflow");
++    nalu->size = 0;
++    return GST_H265_PARSER_BROKEN_DATA;
++  }
++
++  if (size < (gsize) nalu->size + nal_length_size) {
+     nalu->size = 0;
+ 
+     return GST_H265_PARSER_NO_NAL_END;
+diff --git a/tests/check/libs/h264parser.c b/tests/check/libs/h264parser.c
+index c7c46d9a2..d322dd8db 100644
+--- a/tests/check/libs/h264parser.c
++++ b/tests/check/libs/h264parser.c
+@@ -229,6 +229,65 @@ GST_START_TEST (test_h264_parse_slice_5bytes)
+ 
+ GST_END_TEST;
+ 
++GST_START_TEST (test_h264_parse_identify_nalu_avc)
++{
++  GstH264ParserResult res;
++  GstH264NalUnit nalu;
++  GstH264NalParser *const parser = gst_h264_nal_parser_new ();
++  /* Skip 3 bytes for the start code */
++  const gsize nal_size = sizeof (slice_dpa) - 3;
++  const gsize buf_size = 4 + nal_size;
++  guint8 *buf = g_new (guint8, buf_size);
++
++  memcpy (buf + 4, slice_dpa + 3, nal_size);
++
++  GST_WRITE_UINT16_BE (buf + 2, nal_size);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 2, buf_size, 2, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_OK);
++  assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA);
++  assert_equals_int (nalu.offset, 4);
++  assert_equals_int (nalu.size, nal_size);
++
++  GST_WRITE_UINT32_BE (buf, nal_size);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_OK);
++  assert_equals_int (nalu.type, GST_H264_NAL_SLICE_DPA);
++  assert_equals_int (nalu.offset, 4);
++  assert_equals_int (nalu.size, nal_size);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_NO_NAL_END);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6);
++  res = gst_h264_parser_identify_nalu_avc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H264_PARSER_NO_NAL_END);
++
++  g_free (buf);
++  gst_h264_nal_parser_free (parser);
++}
++
++GST_END_TEST;
++
+ static guint8 nalu_sps_with_vui[] = {
+   0x00, 0x00, 0x00, 0x01, 0x67, 0x64, 0x00, 0x28,
+   0xac, 0xd9, 0x40, 0x78, 0x04, 0x4f, 0xde, 0x03,
+@@ -666,6 +725,7 @@ h264parser_suite (void)
+   tcase_add_test (tc_chain, test_h264_parse_slice_dpa);
+   tcase_add_test (tc_chain, test_h264_parse_slice_eoseq_slice);
+   tcase_add_test (tc_chain, test_h264_parse_slice_5bytes);
++  tcase_add_test (tc_chain, test_h264_parse_identify_nalu_avc);
+   tcase_add_test (tc_chain, test_h264_parse_invalid_sei);
+   tcase_add_test (tc_chain, test_h264_create_sei);
+ 
+diff --git a/tests/check/libs/h265parser.c b/tests/check/libs/h265parser.c
+index 0a0e4db97..5b6a215ec 100644
+--- a/tests/check/libs/h265parser.c
++++ b/tests/check/libs/h265parser.c
+@@ -255,6 +255,65 @@ GST_START_TEST (test_h265_parse_slice_6bytes)
+ 
+ GST_END_TEST;
+ 
++GST_START_TEST (test_h265_parse_identify_nalu_hevc)
++{
++  GstH265ParserResult res;
++  GstH265NalUnit nalu;
++  GstH265Parser *parser = gst_h265_parser_new ();
++  /* Skip 4 bytes for the start code */
++  const gsize nal_size = sizeof (slice_eos_slice_eob) - 4;
++  const gsize buf_size = 4 + nal_size;
++  guint8 *buf = g_new (guint8, buf_size);
++
++  memcpy (buf + 4, slice_eos_slice_eob + 4, nal_size);
++
++  GST_WRITE_UINT16_BE (buf + 2, nal_size);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 2, buf_size, 2, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_OK);
++  assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL);
++  assert_equals_int (nalu.offset, 4);
++  assert_equals_int (nalu.size, nal_size);
++
++  GST_WRITE_UINT32_BE (buf, nal_size);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_OK);
++  assert_equals_int (nalu.type, GST_H265_NAL_SLICE_IDR_W_RADL);
++  assert_equals_int (nalu.offset, 4);
++  assert_equals_int (nalu.size, nal_size);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 2);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 3);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_BROKEN_DATA);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 4);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_NO_NAL_END);
++
++  GST_WRITE_UINT32_BE (buf, G_MAXUINT32 - 6);
++  res = gst_h265_parser_identify_nalu_hevc (parser, buf, 0, buf_size, 4, &nalu);
++
++  assert_equals_int (res, GST_H265_PARSER_NO_NAL_END);
++
++  g_free (buf);
++  gst_h265_parser_free (parser);
++}
++
++GST_END_TEST;
++
+ GST_START_TEST (test_h265_base_profiles)
+ {
+   GstH265ProfileTierLevel ptl;
+@@ -1101,6 +1160,7 @@ h265parser_suite (void)
+   tcase_add_test (tc_chain, test_h265_parse_slice_eos_slice_eob);
+   tcase_add_test (tc_chain, test_h265_parse_pic_timing);
+   tcase_add_test (tc_chain, test_h265_parse_slice_6bytes);
++  tcase_add_test (tc_chain, test_h265_parse_identify_nalu_hevc);
+   tcase_add_test (tc_chain, test_h265_base_profiles);
+   tcase_add_test (tc_chain, test_h265_base_profiles_compat);
+   tcase_add_test (tc_chain, test_h265_format_range_profiles_exact_match);
+-- 
+2.31.1
+
-- 
2.31.1