
github.com/GStreamer/gstreamer.git - Unnamed repository; edit this file 'description' to name the repository.
authorEdward Hervey <edward@centricular.com>2022-11-05 09:34:27 +0300
committerTim-Philipp Müller <tim@centricular.com>2022-11-07 15:45:29 +0300
commit3cc45d5a368e3471ee27c6a895d79b7b164415e8 (patch)
treedda2343d8cb814f8c0bb60fc942bebcd03a7af4f
parentb6309a569a628570aae774595f51a827657ed336 (diff)
subparse: Fix non-closed tag handling.
Unclear what the goal was, but we could end up reading way past the next_tag. Instead just move everything from after the end tag ('>') to the next_tag. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53040 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/3351>
-rw-r--r--subprojects/gst-plugins-base/gst/subparse/gstsubparse.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
index d1236249f5..8ce616ddf0 100644
--- a/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
+++ b/subprojects/gst-plugins-base/gst/subparse/gstsubparse.c
@@ -785,9 +785,11 @@ subrip_fix_up_markup (gchar ** p_txt, gconstpointer allowed_tags_ptr)
last = g_ptr_array_index (open_tags, num_open_tags - 1);
if (num_open_tags == 0
|| g_ascii_strncasecmp (end_tag - 1, last, strlen (last))) {
- GST_LOG ("broken input, closing tag '%s' is not open", end_tag - 1);
- memmove (next_tag, end_tag + 1, strlen (end_tag) + 1);
- next_tag -= strlen (end_tag);
+ GST_LOG ("broken input, closing tag '%s' is not open", next_tag);
+ /* Move everything after the tag end, including closing \0 */
+ memmove (next_tag, end_tag + 1, strlen (end_tag));
+ cur = next_tag;
+ continue;
} else {
--num_open_tags;
g_ptr_array_remove_index (open_tags, num_open_tags);
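Review bot: The new `GST_LOG` call passes `next_tag`, which is not terminated at the tag's `>`, so the message prints the whole remainder of the subtitle text rather than the offending closing tag; bounding it with a precision keeps the log to the tag itself: `GST_LOG ("broken input, closing tag '%.*s' is not open", (int) (end_tag - next_tag + 1), next_tag);`. The unchanged condition above still compares from `end_tag - 1`, the single character before `>`, against `last`. If the allowed tag list contains any multi-letter name (not visible in this hunk), a correctly matched closing tag for it would presumably always land in this removal branch, which is worth confirming now that the branch deletes the tag and rescans. Since the change fixes an out-of-bounds read found by fuzzing and touches only this one file, a unit test feeding an unopened closing tag followed by further text would pin the new `memmove` length and the `cur = next_tag; continue;` rescan. The body of `subrip_fix_up_markup` starts and ends outside the hunk, so the guard on the `last` assignment and the loop structure could not be checked here.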