Bug 796043 – subparse: out-of-bounds array access when fixing SubRip markup

After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.

Bug 796043 - subparse: out-of-bounds array access when fixing SubRip markup


Summary:	subparse: out-of-bounds array access when fixing SubRip markup


Status:	RESOLVED FIXED

Product:	GStreamer
Classification:	Platform
Component:	gst-plugins-base
Version:	git master
Hardware:	Other All

Importance:	Normal normal
Target Milestone:	1.14.1
Assigned To:	GStreamer Maintainers
QA Contact:	GStreamer Maintainers

URL:
Whiteboard:

Depends on:
Blocks:

Reported:	2018-05-12 12:02 UTC by Philippe Normand
Modified:	2018-05-12 16:07 UTC

See Also:
GNOME target:	---
GNOME version:	---

Attachments
patch (4.25 KB, patch) 2018-05-12 12:55 UTC, Philippe Normand	none	Details \| Review
updated patch (4.37 KB, patch) 2018-05-12 15:26 UTC, Philippe Normand	none	Details \| Review
updated patch (4.29 KB, patch) 2018-05-12 15:58 UTC, Philippe Normand	committed	Details \| Review

Description Philippe Normand 2018-05-12 12:02:08 UTC

Parsing a chunk containing more than 32 unclosed tags will trigger a crash.

Comment 1 Philippe Normand 2018-05-12 12:55:48 UTC

Created attachment 371957 [details] [review]
patch

Comment 2 Thibault Saunier 2018-05-12 14:16:40 UTC

Review of attachment 371957 [details] [review]:

::: gst/subparse/gstsubparse.c
@@ +759,3 @@
 {
   gchar *cur, *next_tag;
+  GSList *open_tags = NULL;

GSlist sounds a bit suboptimal here, you kind of know that there shouldn't be so many elements (the 32 limit seems to have passed unnoticed for a long time :-)), so avoiding allocating all the time might be better. In practice it might not matter much at all :-) (If it does a GPtrArray could be better).

@@ +819,3 @@
         if (num_open_tags == 0
+            || !g_slist_find_custom (open_tags, tag_name,
+                (GCompareFunc) g_strcmp0)) {

Looks like you are not ignoring the case anymore?

@@ -823,3 +824,3 @@
           next_tag -= strlen (end_tag);
         } else {
-          --num_open_tags;
+          GSList *first = g_slist_nth (open_tags, 0);

Well, that is open_tags itself :-)

Comment 3 Philippe Normand 2018-05-12 15:26:16 UTC

Created attachment 371963 [details] [review]
updated patch

Comment 4 Thibault Saunier 2018-05-12 15:34:48 UTC

Review of attachment 371963 [details] [review]:

::: gst/subparse/gstsubparse.c
@@ -818,3 +821,3 @@
         if (num_open_tags == 0
-            || g_ascii_strncasecmp (end_tag - 1, open_tags[num_open_tags - 1],
-                strlen (open_tags[num_open_tags - 1]))) {
+            || !g_ptr_array_find_with_equal_func (open_tags, tag_name,
+                g_str_equal, &index)) {

I always have doubt about the use of g_str_equal outside GHashTable, otherwise looks good I think.

Comment 5 Philippe Normand 2018-05-12 15:58:21 UTC

Created attachment 371964 [details] [review]
updated patch

Comment 6 Thibault Saunier 2018-05-12 16:01:26 UTC

Review of attachment 371964 [details] [review]:

Better, Go :-)

Comment 7 Thibault Saunier 2018-05-12 16:01:27 UTC

Review of attachment 371964 [details] [review]:

Better, Go :-)