Kapnull

**Name of the Vulnerable Software and Affected Versions** libde265 versions prior to 1.0.17 **Description** libde265 is an open source implementation of the h.265 video codec. A crafted HEVC bitstream can cause an out-of-bounds heap write. This occurs due to a stale `ctb info.log2unitSize` after an SPS change where `PicWidthInCtbsY` and `PicHeightInCtbsY` remain constant, but `Log2CtbSizeY` changes. This leads to `set SliceHeaderIndex` indexing past the allocated image metadata array, resulting in a write beyond the bounds of a heap allocation. **Recommendations** Update to libde265 version 1.0.17 or later.