A global buffer overflow (out-of-bounds read) was found in GStreamer's gst-plugins-bad H.266/VVC parser in the gst_h266_parse_vui_parameters() function at subprojects/gst-plugins-bad/gst-libs/gst/codecparsers/gsth266parser.c:561.

The aspect_ratio_idc field is read as an 8-bit value (0-255) from the H.266 bitstream and used directly as an array index into the aspect_ratios[] array, which contains only 17 entries (indices 0-16). When aspect_ratio_idc is 17-254, the code performs an 8-byte out-of-bounds read from the .data section (reading two guint fields: par_n and par_d).

The H.265 parser (gsth265parser.c) contains the correct bounds check (else if (vui->aspect_ratio_idc <= 16)) which is missing in the H.266 implementation, indicating this was an oversight during porting.

The leaked values are stored in GstH266VUIParams and propagated to GStreamer caps as pixel-aspect-ratio metadata, affecting video scaling in downstream components.

Upstream maintainer Sebastian Dröge confirmed the vulnerability is valid and that the proposed patch is correct. The bug affects all versions containing the H.266 parser.

Reported by Dr. Faruk Kazi and Ramesh Adhikari from CoE-CNDS Lab, VJTI, Mumbai, India.

Upstream tracking: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/work_items/5109
PSIRT Ticket: PSIRTSUPT-17586
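
An added example, not GStreamer's code or the upstream patch: a simplified C model of the table lookup with the kind of bounds check the H.265 parser has, exercised over every possible 8-bit aspect_ratio_idc. The names par_entry, lookup_par, idc_is_valid and count_rejected, the table values (the standard H.26x sample-aspect-ratio entries), the EXTENDED_SAR value 255 and the choice to return 0/0 for reserved values are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model with hypothetical names; not GStreamer source. */
typedef struct { unsigned par_n, par_d; } par_entry;

/* 17 entries (indices 0-16), as the report describes. Values are the
 * standard H.26x sample-aspect-ratio table (assumption of this example). */
static const par_entry aspect_ratios[] = {
  {0, 0}, {1, 1}, {12, 11}, {10, 11}, {16, 11}, {40, 33}, {24, 11},
  {20, 11}, {32, 11}, {80, 33}, {18, 11}, {15, 11}, {64, 33},
  {160, 99}, {4, 3}, {3, 2}, {2, 1}
};
#define N_ASPECT_RATIOS (sizeof aspect_ratios / sizeof aspect_ratios[0])
#define EXTENDED_SAR 255   /* assumption: explicit SAR width/height follow */

/* An idc may be used only if it is the explicit-SAR marker or a table index. */
static int idc_is_valid(uint8_t idc)
{
  return idc == EXTENDED_SAR || idc < N_ASPECT_RATIOS;
}

/* Checked lookup. The flawed pattern in the report is the bare
 * aspect_ratios[idc] with no range test, which reads past the table
 * for idc 17-254. Here reserved values yield 0/0 (unspecified). */
static par_entry lookup_par(uint8_t idc, unsigned sar_w, unsigned sar_h)
{
  par_entry out = {0, 0};
  if (idc == EXTENDED_SAR) {
    out.par_n = sar_w;
    out.par_d = sar_h;
  } else if (idc < N_ASPECT_RATIOS) {   /* same range as idc <= 16 */
    out = aspect_ratios[idc];
  }
  return out;                           /* the table is never indexed otherwise */
}

/* Count how many of the 256 possible field values the check rejects. */
static int count_rejected(void)
{
  int rejected = 0;
  for (unsigned idc = 0; idc <= 255; idc++)
    if (!idc_is_valid((uint8_t) idc))
      rejected++;
  return rejected;
}

int main(void)
{
  printf("reserved idc values rejected: %d\n", count_rejected());
  return 0;
}
```

Deriving the bound from the array size rather than a literal 16 keeps the check correct if the table ever changes length.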