CVE-2022-3957

Origin: https://github.com/gpac/gpac/commit/2191e66aa7df750e8ef01781b1930bea87b713bb
Reviewed-by: Aron Xu <aron@debian.org>
From 2191e66aa7df750e8ef01781b1930bea87b713bb Mon Sep 17 00:00:00 2001
From: jeanlf <jeanlf@gpac.io>
Date: Mon, 7 Nov 2022 08:59:52 +0100
Subject: [PATCH] fixed mem leak in sgv parse error

Gbp-Pq: Name CVE-2022-3957.patch

diff --git a/src/scene_manager/loader_svg.c b/src/scene_manager/loader_svg.c
index 021f0cdf8175d1c8f6d96939bf0253f561853547..c39b5d65b0587c7eeb35361b3c4e02553702e2d5 100644 (file)
--- a/src/scene_manager/loader_svg.c
+++ b/src/scene_manager/loader_svg.c
@@ -446,6 +446,7 @@ static Bool svg_parse_animation(GF_SVG_Parser *parser, GF_SceneGraph *sg, SVG_De
                if (anim->to) {
                        /* now that we have a target, if there is a to value to parse, create the attribute and parse it */
                        gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_to, GF_TRUE, GF_FALSE, &info);
+                       if (!info.name) info.name = "to";
                        gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->to, anim_value_type);
                        if (anim_value_type==XMLRI_datatype) {
                                svg_post_process_href(parser, (GF_Node *) anim->target, (XMLRI*)((SMIL_AnimateValue *)info.far_ptr)->value);
@@ -454,6 +455,7 @@ static Bool svg_parse_animation(GF_SVG_Parser *parser, GF_SceneGraph *sg, SVG_De
                if (anim->from) {
                        /* now that we have a target, if there is a from value to parse, create the attribute and parse it */
                        gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_from, GF_TRUE, GF_FALSE, &info);
+                       if (!info.name) info.name = "from";
                        gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->from, anim_value_type);
                        if (anim_value_type==XMLRI_datatype)
                                svg_post_process_href(parser,  (GF_Node *) anim->target, (XMLRI*)((SMIL_AnimateValue *)info.far_ptr)->value);
@@ -461,6 +463,7 @@ static Bool svg_parse_animation(GF_SVG_Parser *parser, GF_SceneGraph *sg, SVG_De
                if (anim->by) {
                        /* now that we have a target, if there is a by value to parse, create the attribute and parse it */
                        gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_by, GF_TRUE, GF_FALSE, &info);
+                       if (!info.name) info.name = "by";
                        gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->by, anim_value_type);
                        if (anim_value_type==XMLRI_datatype)
                                svg_post_process_href(parser,  (GF_Node *) anim->target, (XMLRI*)((SMIL_AnimateValue *)info.far_ptr)->value);
@@ -468,6 +471,7 @@ static Bool svg_parse_animation(GF_SVG_Parser *parser, GF_SceneGraph *sg, SVG_De
                if (anim->values) {
                        /* now that we have a target, if there is a 'values' value to parse, create the attribute and parse it */
                        gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_values, GF_TRUE, GF_FALSE, &info);
+                       if (!info.name) info.name = "values";
                        gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->values, anim_value_type);
                        if (anim_value_type==XMLRI_datatype) {
                                u32 i, count;
@@ -2110,13 +2114,13 @@ GF_Err load_svg_run(GF_SceneLoader *load)
 
        in_time = gf_sys_clock();
        e = gf_xml_sax_parse_file(parser->sax_parser, (const char *)load->fileName, svg_progress);
+       svg_flush_animations(parser);
+       gf_sm_svg_flush_state(parser);
        if (parser->last_error<0) e = parser->last_error;
-       
+
        if (e<0) return svg_report(parser, e, "Unable to parse file %s: %s", load->fileName, gf_xml_sax_get_error(parser->sax_parser) );
        GF_LOG(GF_LOG_INFO, GF_LOG_PARSER, ("[Parser] Scene parsed and Scene Graph built in %d ms\n", gf_sys_clock() - in_time));
 
-       svg_flush_animations(parser);
-       gf_sm_svg_flush_state(parser);
        return e;
 
 }

diff --git a/src/scenegraph/svg_attributes.c b/src/scenegraph/svg_attributes.c
index 9dd078f298b92831b294061074f5dd30ae949244..3b47eab0e59f16a170e0554fc9d42b99a94e4623 100644 (file)
--- a/src/scenegraph/svg_attributes.c
+++ b/src/scenegraph/svg_attributes.c
@@ -2906,7 +2906,7 @@ static void svg_parse_preserveaspectratio(SVG_PreserveAspectRatio *par, char *at
        while (*content == ' ') content++;
        if (strstr(content, "defer")) {
                par->defer = 1;
-               content += 4;
+               content += 5;
        } else {
                content = attribute_content;
        }
@@ -3446,8 +3446,8 @@ GF_Err gf_svg_parse_attribute(GF_Node *n, GF_FieldInfo *info, char *attribute_co
                *(SVG_String *)info->far_ptr = gf_strdup(attribute_content);
                break;
        default:
-               GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[SVG Parsing] Cannot parse attribute %s\n", info->name, gf_svg_attribute_type_to_string(info->fieldType)));
-               break;
+               GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[SVG Parsing] Cannot parse attribute \"%s\"\n", info->name, gf_svg_attribute_type_to_string(info->fieldType)));
+               return GF_OK;
        }
        return GF_OK;
 }