From 24a0e5bdfdb42217ee93ff858abcc35bad821bf7 Mon Sep 17 00:00:00 2001
From: Edward Hervey
Date: Sat, 5 Nov 2022 07:34:27 +0100
Subject: [PATCH] subparse: Fix non-closed tag handling.
Unclear what the goal was, but we could end up reading way past the next_tag. Instead just move everything from after the end tag ('>') to the next_tag. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53040 Part-of:
---
 subprojects/gst-plugins-base/gst/subparse/gstsubparse.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index d123624..8ce616d 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -785,9 +785,11 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
 last = g_ptr_array_index (open_tags, num_open_tags - 1);
 if (num_open_tags == 0
 || g_ascii_strncasecmp (end_tag - 1, last, strlen (last))) {
- GST_LOG ("broken input, closing tag '%s' is not open", end_tag - 1);
- memmove (next_tag, end_tag + 1, strlen (end_tag) + 1);
- next_tag -= strlen (end_tag);
+ GST_LOG ("broken input, closing tag '%s' is not open", next_tag);
+ /* Move everything after the tag end, including closing \0 */
+ memmove (next_tag, end_tag + 1, strlen (end_tag));
+ cur = next_tag;
+ continue;
 } else {
 --num_open_tags;
 g_ptr_array_remove_index (open_tags, num_open_tags);
-- 
2.7.4
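Review bot: The new GST_LOG on the first added line prints `next_tag` with `%s`, and because the memmove below it copies `strlen (end_tag)` bytes, `end_tag` must still point at the '>' rather than at a terminator, so the log emits everything from the closing tag to the end of the buffer instead of the tag alone. Bounding it to the tag keeps the log readable on long cues: `GST_LOG ("broken input, closing tag '%.*s' is not open", (int) (end_tag + 1 - next_tag), next_tag);`. The memmove length is right (the byte for '>' stands in for the NUL), but writing it as `strlen (end_tag + 1) + 1` would state what the comment above it says and spare the reader re-deriving the off-by-one the removed line had. The `cur = next_tag; continue;` pair makes the loop re-scan the shifted text and terminates because each pass through this branch shortens the string; a comment such as `/* rescan from here: the string got shorter, so this cannot loop forever */` would help, and since the enclosing loop and function start and end outside the hunk I cannot confirm the `continue` skips nothing the old fall-through to the loop tail relied on.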