It is unclear what the original code intended, but it could end up reading well past next_tag.
Instead, just move everything after the end tag ('>') — including the terminating NUL — down to next_tag.
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53040
Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/3340>
last = g_ptr_array_index (open_tags, num_open_tags - 1);
if (num_open_tags == 0
|| g_ascii_strncasecmp (end_tag - 1, last, strlen (last))) {
last = g_ptr_array_index (open_tags, num_open_tags - 1);
if (num_open_tags == 0
|| g_ascii_strncasecmp (end_tag - 1, last, strlen (last))) {
- GST_LOG ("broken input, closing tag '%s' is not open", end_tag - 1);
- memmove (next_tag, end_tag + 1, strlen (end_tag) + 1);
- next_tag -= strlen (end_tag);
+ GST_LOG ("broken input, closing tag '%s' is not open", next_tag);
+ /* Move everything after the tag end, including closing \0 */
+ memmove (next_tag, end_tag + 1, strlen (end_tag));
+ cur = next_tag;
+ continue;
} else {
--num_open_tags;
g_ptr_array_remove_index (open_tags, num_open_tags);
} else {
--num_open_tags;
g_ptr_array_remove_index (open_tags, num_open_tags);