packages/gstreamer1-plugins-base
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
gstreamer1-plugins-base/CVE-2023-37328.patch
Funda Wang 10ff79b554 fix CVE-2024-47538, CVE-2024-47541, CVE-2024-47542, CVE-2024-47600, CVE-2024-47607, CVE-2024-47615, CVE-2024-47835 
(cherry picked from commit 62301987591fbdb1baa50d83a7108c7aae67b434)
2024-12-11 16:31:20 +08:00

71 lines
2.7 KiB
Diff
Raw Blame History

From 97c6d7495e6edb009789cf43ea79e26c54f88538 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 12:53:13 +0300
Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
opening `<`
Previously when fixing up subrip markip, we were looking from the start
of the remaining buffer instead. Due to how skipping over closing tags
works, the remaining buffer will still contain the closing `>` of the
previous tag so if a unexpected closing tag is found after another
closing tag, we would potentially do an out of bounds memmove().
Fixes ZDI-CAN-20968
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
---
subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index 0f7425d86334..6a82fb584649 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -776,7 +776,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
}
if (*next_tag == '<' && *(next_tag + 1) == '/') {
- end_tag = strchr (cur, '>');
+ end_tag = strchr (next_tag, '>');
if (end_tag) {
const gchar *last = NULL;
if (num_open_tags > 0)
--
GitLab
From 069065adc4cdc4499766928dde4982b794462006 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?= <sebastian@centricular.com>
Date: Tue, 13 Jun 2023 12:58:26 +0300
Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag
instead of only skipping `<`
This is a small optimization and avoids restarting the next parsing
iteration on already accepted data.
On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
previous commit independently is also a valid fix for it.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4895>
---
subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index 6a82fb584649..2b69595e5cb2 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -791,6 +791,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
} else {
--num_open_tags;
g_ptr_array_remove_index (open_tags, num_open_tags);
+ cur = end_tag + 1;
+ continue;
}
}
}
--
GitLab
Reference in New Issue View Git Blame Copy Permalink