From 84a3b0ef87e1b4eebe3ebef2c0de620a40afe4c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim-Philipp=20M=C3=BCller?= Date: Thu, 30 Jun 2022 00:13:19 +0100 Subject: [PATCH] samiparse: fix handling of self-closing tags We would check the wrong string (rest of line rather than element) for the / suffix of self-closing tags, which is not only wrong but also has atrocious performance with certain strings like the garbled nonsense clusterfuzz feeds us, which might cause discoverer to time out when processing garbled SAMI files. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47461 Part-of: --- .../gst-plugins-base/gst/subparse/samiparse.c | 2 +- .../tests/check/elements/subparse.c | 24 +++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/subprojects/gst-plugins-base/gst/subparse/samiparse.c b/subprojects/gst-plugins-base/gst/subparse/samiparse.c index 93ea80365b..d9df46442f 100644 --- a/subprojects/gst-plugins-base/gst/subparse/samiparse.c +++ b/subprojects/gst-plugins-base/gst/subparse/samiparse.c @@ -543,7 +543,7 @@ html_context_parse (HtmlContext * ctxt, gchar * text, gsize text_len) next = string_token (next, ">", &element); next++; - if (g_str_has_suffix (next, "/")) { + if (g_str_has_suffix (element, "/")) { /* handle */ element[strlen (element) - 1] = '\0'; html_context_handle_element (ctxt, element + 1, TRUE); diff --git a/subprojects/gst-plugins-base/tests/check/elements/subparse.c b/subprojects/gst-plugins-base/tests/check/elements/subparse.c index 7a7b7a5d9f..0c897acd62 100644 --- a/subprojects/gst-plugins-base/tests/check/elements/subparse.c +++ b/subprojects/gst-plugins-base/tests/check/elements/subparse.c @@ -1026,6 +1026,29 @@ GST_START_TEST (test_sami_comment) GST_END_TEST; +GST_START_TEST (test_sami_self_contained_tags) +{ + SubParseInputChunk sami_input[] = { + {"\n" + "\n" + " \n" + "

\n" + " This line has a self-closing format tag and more.\n", + 1000 * GST_MSECOND, 2000 * GST_MSECOND, + "This line has a self-closing format tagand more."}, + {" \n" + "

\n" + " This is a third comment.
\n" + " This is a fourth comment.\n" "\n" "\n", + 2000 * GST_MSECOND, GST_CLOCK_TIME_NONE, + "This is a third comment.\nThis is a fourth comment."} + }; + + do_test (sami_input, G_N_ELEMENTS (sami_input), "pango-markup"); +} + +GST_END_TEST; + GST_START_TEST (test_lrc) { SubParseInputChunk lrc_input[] = { @@ -1106,6 +1129,7 @@ subparse_suite (void) tcase_add_test (tc_chain, test_sami_html_entities); tcase_add_test (tc_chain, test_sami_bad_entities); tcase_add_test (tc_chain, test_sami_comment); + tcase_add_test (tc_chain, test_sami_self_contained_tags); tcase_add_test (tc_chain, test_lrc); tcase_add_test (tc_chain, test_raw_conversion); return s;