samiparse: fix handling of self-closing tags

We would check the wrong string (rest of line rather than element)
for the / suffix of self-closing tags, which is not only wrong but
also has atrocious performance with certain strings like the garbled
nonsense clusterfuzz feeds us, which might cause discoverer to time
out when processing garbled SAMI files.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47461

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/2685>

diff --git a/subprojects/gst-plugins-base/gst/subparse/samiparse.c b/subprojects/gst-plugins-base/gst/subparse/samiparse.c
index 93ea803..d9df464 100644 (file)
--- a/subprojects/gst-plugins-base/gst/subparse/samiparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/samiparse.c
@@ -543,7 +543,7 @@ html_context_parse (HtmlContext * ctxt, gchar * text, gsize text_len)
 
       next = string_token (next, ">", &element);
       next++;
-      if (g_str_has_suffix (next, "/")) {
+      if (g_str_has_suffix (element, "/")) {
         /* handle <blah/> */
         element[strlen (element) - 1] = '\0';
         html_context_handle_element (ctxt, element + 1, TRUE);

diff --git a/subprojects/gst-plugins-base/tests/check/elements/subparse.c b/subprojects/gst-plugins-base/tests/check/elements/subparse.c
index 7a7b7a5..0c897ac 100644 (file)
--- a/subprojects/gst-plugins-base/tests/check/elements/subparse.c
+++ b/subprojects/gst-plugins-base/tests/check/elements/subparse.c
@@ -1026,6 +1026,29 @@ GST_START_TEST (test_sami_comment)
 
 GST_END_TEST;
 
+GST_START_TEST (test_sami_self_contained_tags)
+{
+  SubParseInputChunk sami_input[] = {
+    {"<SAMI>\n"
+          "<BODY>\n"
+          "    <SYNC Start=1000>\n"
+          "        <P Class=CC>\n"
+          "            This line has a self-closing format tag<i /> and more.\n",
+          1000 * GST_MSECOND, 2000 * GST_MSECOND,
+        "This line has a self-closing format tag<i></i>and more."},
+    {"    <SYNC Start=2000>\n"
+          "        <P Class=CC>\n"
+          "            This is a third comment.<br>\n"
+          "            This is a fourth comment.\n" "</BODY>\n" "</SAMI>\n",
+          2000 * GST_MSECOND, GST_CLOCK_TIME_NONE,
+        "This is a third comment.\nThis is a fourth comment."}
+  };
+
+  do_test (sami_input, G_N_ELEMENTS (sami_input), "pango-markup");
+}
+
+GST_END_TEST;
+
 GST_START_TEST (test_lrc)
 {
   SubParseInputChunk lrc_input[] = {
@@ -1106,6 +1129,7 @@ subparse_suite (void)
   tcase_add_test (tc_chain, test_sami_html_entities);
   tcase_add_test (tc_chain, test_sami_bad_entities);
   tcase_add_test (tc_chain, test_sami_comment);
+  tcase_add_test (tc_chain, test_sami_self_contained_tags);
   tcase_add_test (tc_chain, test_lrc);
   tcase_add_test (tc_chain, test_raw_conversion);
   return s;