From 9c13aaac7ae96a9eeb149440824379d06c204793 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 17 Jan 2024 16:29:18 +0100
Subject: [PATCH] CVE-2023-37328: heap overwrite in subtitle parsing
---
 .gstreamer1-plugins-base.metadata | 1 +
 ...r-the-closing-of-a-tag-after-the-ope.patch | 36 +++++++++++++++++++
 ...ter-the-end-of-a-valid-closing-tag-i.patch | 33 +++++++++++++++++
 gstreamer1-plugins-base.spec | 10 +++++-
 4 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 .gstreamer1-plugins-base.metadata
 create mode 100644 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
 create mode 100644 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
diff --git a/.gstreamer1-plugins-base.metadata b/.gstreamer1-plugins-base.metadata
new file mode 100644
index 0000000..b23a923
--- /dev/null
+++ b/.gstreamer1-plugins-base.metadata
@@ -0,0 +1 @@
+489d54fcc3c8ee63cd03614e2f0e1ebfd5815539 gst-plugins-base-1.22.1.tar.xz
diff --git a/0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch b/0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
new file mode 100644
index 0000000..b5e48e2
--- /dev/null
+++ b/0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
@@ -0,0 +1,36 @@
+From f7f24aed62178dc1deb581a512029dcb20727137 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Tue, 13 Jun 2023 12:53:13 +0300
+Subject: [PATCH 1/2] subparse: Look for the closing `>` of a tag after the
+ opening `<`
+
+Previously when fixing up subrip markip, we were looking from the start
+of the remaining buffer instead. Due to how skipping over closing tags
+works, the remaining buffer will still contain the closing `>` of the
+previous tag so if a unexpected closing tag is found after another
+closing tag, we would potentially do an out of bounds memmove().
+
+Fixes ZDI-CAN-20968
+Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662
+
+Part-of:
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index 7aa922cdd8..d0960a971a 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -779,7 +779,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+ }
+
+ if (*next_tag == '<' && *(next_tag + 1) == '/') {
+- end_tag = strchr (cur, '>');
++ end_tag = strchr (next_tag, '>');
+ if (end_tag) {
+ const gchar *last = NULL;
+ if (num_open_tags > 0)
+--
+2.43.0
+
diff --git a/0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch b/0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
new file mode 100644
index 0000000..42353ae
--- /dev/null
+++ b/0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
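Review bot: The fix line `++ end_tag = strchr (next_tag, '>');` carries no comment, so once this patch is applied the reason for starting the search at `next_tag` rather than `cur` survives only in the commit message above. A later reader of gstsubparse.c could plausibly "simplify" it back to `cur` and reintroduce the case the message describes, where `end_tag` lands before `next_tag` and the later memmove() runs out of bounds. Suggest carrying a why-comment with the change, e.g. `/* search from next_tag, not cur: cur may still precede the '>' of the previous closing tag, which would put end_tag before next_tag */`. subrip_fix_up_markup begins and ends outside this hunk, and the memmove() the message refers to is not visible here.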
@@ -0,0 +1,33 @@
+From 997e8b0a485a22a9e44d503d7a1c6aa1970061e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Sebastian=20Dr=C3=B6ge?=
+Date: Tue, 13 Jun 2023 12:58:26 +0300
+Subject: [PATCH 2/2] subparse: Skip after the end of a valid closing tag
+ instead of only skipping `<`
+
+This is a small optimization and avoids restarting the next parsing
+iteration on already accepted data.
+
+On its own it would also fix ZDI-CAN-20968 (see previous commit) but the
+previous commit independently is also a valid fix for it.
+
+Part-of:
+---
+ subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+index d0960a971a..b33ddbb2a7 100644
+--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
++++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+@@ -794,6 +794,8 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
+ } else {
+ --num_open_tags;
+ g_ptr_array_remove_index (open_tags, num_open_tags);
++ cur = end_tag + 1;
++ continue;
+ }
+ }
+ }
+--
+2.43.0
+
diff --git a/gstreamer1-plugins-base.spec b/gstreamer1-plugins-base.spec
index e835e5c..c07c842 100644
--- a/gstreamer1-plugins-base.spec
+++ b/gstreamer1-plugins-base.spec
@@ -6,7 +6,7 @@
 Name: gstreamer1-plugins-base
 Version: 1.22.1
-Release: 1%{?gitcommit:.git%{shortcommit}}%{?dist}
+Release: 2%{?gitcommit:.git%{shortcommit}}%{?dist}
 Summary: GStreamer streaming media framework base plugins
 License: LGPLv2+
@@ -21,6 +21,8 @@ Source0: http://gstreamer.freedesktop.org/src/gst-plugins-base/gst-plugin
 Patch0: 0001-missing-plugins-Remove-the-mpegaudioversion-field.patch
 Patch1: xdg-compile.patch
+Patch2: 0001-subparse-Look-for-the-closing-of-a-tag-after-the-ope.patch
+Patch3: 0002-subparse-Skip-after-the-end-of-a-valid-closing-tag-i.patch
 BuildRequires: meson >= 0.48.0
 BuildRequires: gcc
@@ -119,6 +121,8 @@ for the GStreamer Base Plugins library.
 %setup -q -n gst-plugins-base-%{version}
 %patch0 -p1
 %patch1 -p1
+%patch2 -p3
+%patch3 -p3
 %build
 %meson \
@@ -483,6 +487,10 @@ chrpath --delete $RPM_BUILD_ROOT%{_bindir}/gst-play-1.0
 %endif
 %changelog
+* Wed Jan 17 2024 Wim Taymans - 1.22.1-2
+- CVE-2023-37328: heap overwrite in subtitle parsing
+- Resolves: RHEL-19475
+
 * Wed Apr 12 2021 Wim Taymans - 1.22.1-1
 - Update to 1.22.1
 - Resolves: rhbz#2144557
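Review bot: `+%patch2 -p3` and `+%patch3 -p3` use a different strip level from the `-p1` lines above them with nothing in the spec saying why; the value follows from the two new patch files being generated in the upstream monorepo, where the path is `subprojects/gst-plugins-base/gst/subparse/gstsubparse.c`, while the tree unpacked by `%setup -q -n gst-plugins-base-%{version}` holds `gst/subparse/gstsubparse.c`. A maintainer who regenerates either patch against a standalone gst-plugins-base checkout, or adds a further upstream patch with `-p1` by analogy with Patch0/Patch1, would get a path mismatch at %prep. Suggest a comment above the two lines, e.g. `# Patch2/Patch3 are from the upstream monorepo: -p3 drops the subprojects/gst-plugins-base/ prefix`. The `@@ -21,6 +21,8 @@` hunk that declares Patch2/Patch3 could carry the same note instead.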