subparse: Fix non-closed tag handling.

Unclear what the goal was, but we could end up reading way past the next_tag.

Instead just move everything from after the end tag ('>') to the next_tag.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53040

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/3340>
Edward Hervey 2022-11-05 07:34:27 +01:00 committed by GStreamer Marge Bot
parent e283c99358
commit 24a0e5bdfd


@ -785,9 +785,11 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
last = g_ptr_array_index (open_tags, num_open_tags - 1); last = g_ptr_array_index (open_tags, num_open_tags - 1);
if (num_open_tags == 0 if (num_open_tags == 0
|| g_ascii_strncasecmp (end_tag - 1, last, strlen (last))) { || g_ascii_strncasecmp (end_tag - 1, last, strlen (last))) {
GST_LOG ("broken input, closing tag '%s' is not open", end_tag - 1); GST_LOG ("broken input, closing tag '%s' is not open", next_tag);
memmove (next_tag, end_tag + 1, strlen (end_tag) + 1); /* Move everything after the tag end, including closing \0 */
next_tag -= strlen (end_tag); memmove (next_tag, end_tag + 1, strlen (end_tag));
cur = next_tag;
continue;
} else { } else {
--num_open_tags; --num_open_tags;
g_ptr_array_remove_index (open_tags, num_open_tags); g_ptr_array_remove_index (open_tags, num_open_tags);
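Review bot: The new `memmove (next_tag, end_tag + 1, strlen (end_tag));` stays in bounds only when end_tag lies after next_tag, and nothing visible in this hunk checks that. end_tag is assigned above the hunk, so this is inferred: if the search for '>' starts at the scan position rather than at next_tag, a '>' that precedes the '<' would put the source before the destination, and the copy would then write past the string's terminator. I would run the removal branch only when `end_tag > next_tag`, or have the lookup outside the hunk start at next_tag. The byte count is correct, but the comment would be clearer if it said why, e.g. `/* strlen (end_tag) == strlen (end_tag + 1) + 1, so the trailing \0 is copied too */`. subrip_fix_up_markup starts and ends outside the hunk.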