From 84a3b0ef87e1b4eebe3ebef2c0de620a40afe4c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= <tim@centricular.com>
Date: Thu, 30 Jun 2022 00:13:19 +0100
Subject: [PATCH] samiparse: fix handling of self-closing tags

We would check the wrong string (rest of line rather than element)
for the / suffix of self-closing tags, which is not only wrong but
also has atrocious performance with certain strings like the garbled
nonsense clusterfuzz feeds us, which might cause discoverer to time
out when processing garbled SAMI files.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47461

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2685>
---
 .../gst-plugins-base/gst/subparse/samiparse.c |  2 +-
 .../tests/check/elements/subparse.c           | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/subprojects/gst-plugins-base/gst/subparse/samiparse.c b/subprojects/gst-plugins-base/gst/subparse/samiparse.c
index 93ea80365b..d9df46442f 100644
--- a/subprojects/gst-plugins-base/gst/subparse/samiparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/samiparse.c
@@ -543,7 +543,7 @@ html_context_parse (HtmlContext * ctxt, gchar * text, gsize text_len)
 
       next = string_token (next, ">", &element);
       next++;
-      if (g_str_has_suffix (next, "/")) {
+      if (g_str_has_suffix (element, "/")) {
         /* handle <blah/> */
         element[strlen (element) - 1] = '\0';
         html_context_handle_element (ctxt, element + 1, TRUE);
diff --git a/subprojects/gst-plugins-base/tests/check/elements/subparse.c b/subprojects/gst-plugins-base/tests/check/elements/subparse.c
index 7a7b7a5d9f..0c897acd62 100644
--- a/subprojects/gst-plugins-base/tests/check/elements/subparse.c
+++ b/subprojects/gst-plugins-base/tests/check/elements/subparse.c
@@ -1026,6 +1026,29 @@ GST_START_TEST (test_sami_comment)
 
 GST_END_TEST;
 
+GST_START_TEST (test_sami_self_contained_tags)
+{
+  SubParseInputChunk sami_input[] = {
+    {"<SAMI>\n"
+          "<BODY>\n"
+          "    <SYNC Start=1000>\n"
+          "        <P Class=CC>\n"
+          "            This line has a self-closing format tag<i /> and more.\n",
+          1000 * GST_MSECOND, 2000 * GST_MSECOND,
+        "This line has a self-closing format tag<i></i>and more."},
+    {"    <SYNC Start=2000>\n"
+          "        <P Class=CC>\n"
+          "            This is a third comment.<br>\n"
+          "            This is a fourth comment.\n" "</BODY>\n" "</SAMI>\n",
+          2000 * GST_MSECOND, GST_CLOCK_TIME_NONE,
+        "This is a third comment.\nThis is a fourth comment."}
+  };
+
+  do_test (sami_input, G_N_ELEMENTS (sami_input), "pango-markup");
+}
+
+GST_END_TEST;
+
 GST_START_TEST (test_lrc)
 {
   SubParseInputChunk lrc_input[] = {
@@ -1106,6 +1129,7 @@ subparse_suite (void)
   tcase_add_test (tc_chain, test_sami_html_entities);
   tcase_add_test (tc_chain, test_sami_bad_entities);
   tcase_add_test (tc_chain, test_sami_comment);
+  tcase_add_test (tc_chain, test_sami_self_contained_tags);
   tcase_add_test (tc_chain, test_lrc);
   tcase_add_test (tc_chain, test_raw_conversion);
   return s;