mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-13 17:39:57 +00:00
Code Issues Projects Releases Wiki Activity

libass: patch CVE-2020-24994

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-24994

Backport the commit that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Gyorgy Sarvari
2026-01-29 07:31:29 +01:00
parent ef6ef1492c
commit 44247b3cb0
2 changed files with 51 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch
+48
View File
@@ -0,0 +1,48 @@
From 99eaa60314c4e28c2f0c295e165daf22c5601cc3 Mon Sep 17 00:00:00 2001
From: Oleg Oshmyan <chortos@inbox.lv>
Date: Thu, 4 Jan 2018 02:42:09 +0200
Subject: [PATCH] parse_tags: don't recurse for nested \t()
This fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4892
(stack overflow on deeply nested \t()).
This is possible because parentheses do not nest and the first ')'
terminates the whole tag. Thus something like \t(\t(\t(\t(\t() can be
read in a simple loop with no recursion required. Recursion is also
not required if the ')' is missing entirely and the outermost \t(...
never ends.
See https://github.com/libass/libass/pull/296 for more backstory.
CVE: CVE-2020-24994
Upstream-Status: Backport [https://github.com/libass/libass/commit/6835731c2fe4164a0c50bc91d12c43b2a2b4e]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
libass/ass_parse.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/libass/ass_parse.c b/libass/ass_parse.c
index c83634a..991d1b6 100644
--- a/libass/ass_parse.c
+++ b/libass/ass_parse.c
@@ -650,8 +650,18 @@ char *parse_tag(ASS_Renderer *render_priv, char *p, char *end, double pwr)
k = pow(((double) (t - t1)) / delta_t, accel);
}
p = args[cnt].start;
- while (p < args[cnt].end)
- p = parse_tag(render_priv, p, args[cnt].end, k); // maybe k*pwr ? no, specs forbid nested \t's
+ if (args[cnt].end < end) {
+ while (p < args[cnt].end)
+ p = parse_tag(render_priv, p, args[cnt].end, k); // maybe k*pwr ? no, specs forbid nested \t's
+ } else {
+ assert(q == end);
+ // No other tags can possibly follow this \t tag,
+ // so we don't need to restore pwr after parsing \t.
+ // The recursive call is now essentially a tail call,
+ // so optimize it away.
+ pwr = k;
+ q = p;
+ }
} else if (complex_tag("clip")) {
if (nargs == 4) {
int x0, y0, x1, y1;
meta-oe/recipes-multimedia/libass/libass_0.14.0.bb
+3 -1
View File
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a42532a0684420bdb15556c3cdd49a75"
DEPENDS = "enca fontconfig freetype libpng fribidi" DEPENDS = "enca fontconfig freetype libpng fribidi"
SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https" SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https \
file://CVE-2020-24994.patch \
"
SRCREV = "73284b676b12b47e17af2ef1b430527299e10c17" SRCREV = "73284b676b12b47e17af2ef1b430527299e10c17"
S = "${WORKDIR}/git" S = "${WORKDIR}/git"