ssaparse: Search for closing brace after opening brace

Otherwise removing anything between the braces leads to out of bound writes if
there is a closing brace before the first opening brace.

Thanks to Antonio Morales for finding and reporting the issue.

Fixes GHSL-2024-228
Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3870

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8048>

diff --git a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
index 42fbb42b99fee95589c7befb254e87e49ac08955..37b892e9284393da490d75d7be35fed464ab4f76 100644 (file)
--- a/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstssaparse.c
@@ -238,7 +238,7 @@ gst_ssa_parse_remove_override_codes (GstSsaParse * parse, gchar * txt)
   gboolean removed_any = FALSE;
 
   while ((t = strchr (txt, '{'))) {
-    end = strchr (txt, '}');
+    end = strchr (t, '}');
     if (end == NULL) {
       GST_WARNING_OBJECT (parse, "Missing { for style override code");
       return removed_any;