subparse: Look for the closing `>` of a tag after the opening `<`

Previously when fixing up subrip markip, we were looking from the start of the remaining buffer instead. Due to how skipping over closing tags works, the remaining buffer will still contain the closing `>` of the previous tag so if a unexpected closing tag is found after another closing tag, we would potentially do an out of bounds memmove(). Fixes ZDI-CAN-20968 Fixes https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2662 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/4900>
author: Sebastian Dröge <sebastian@centricular.com> 2023-06-13 12:53:13 +0300
committer: GStreamer Marge Bot <gitlab-merge-bot@gstreamer-foundation.org> 2023-06-21 01:04:28 +0000
commit: 7632b0c2a004f28d6309a884c14b943278db8166 (patch)
tree: e3bb4fa4b4dce91b777b3236bf90b416e98bacf3
parent: b9a357db5ad779debeb22d5d294f79e1c9d11064 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index 8ce616ddf0..fc13890fbc 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -778,7 +778,7 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
     }
 
     if (*next_tag == '<' && *(next_tag + 1) == '/') {
-      end_tag = strchr (cur, '>');
+      end_tag = strchr (next_tag, '>');
       if (end_tag) {
         const gchar *last = NULL;
         if (num_open_tags > 0)
author	Sebastian Dröge <sebastian@centricular.com>	2023-06-13 12:53:13 +0300
committer	GStreamer Marge Bot <gitlab-merge-bot@gstreamer-foundation.org>	2023-06-21 01:04:28 +0000
commit	7632b0c2a004f28d6309a884c14b943278db8166 (patch)
tree	e3bb4fa4b4dce91b777b3236bf90b416e98bacf3
parent	b9a357db5ad779debeb22d5d294f79e1c9d11064 (diff)