From: Debian Multimedia Maintainers Date: Mon, 19 Jun 2023 21:46:06 +0000 (+0100) Subject: CVE-2022-3957 X-Git-Tag: archive/raspbian/1.0.1+dfsg1-4+rpi1+deb11u3^2~41 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=0a33c60af435d3412bfac98088aa3d18672b5229;p=gpac.git CVE-2022-3957 Origin: https://github.com/gpac/gpac/commit/2191e66aa7df750e8ef01781b1930bea87b713bb Reviewed-by: Aron Xu From 2191e66aa7df750e8ef01781b1930bea87b713bb Mon Sep 17 00:00:00 2001 From: jeanlf Date: Mon, 7 Nov 2022 08:59:52 +0100 Subject: [PATCH] fixed mem leak in sgv parse error Gbp-Pq: Name CVE-2022-3957.patch
---
diff --git a/src/scene_manager/loader_svg.c b/src/scene_manager/loader_svg.c
index 021f0cd..c39b5d6 100644
--- a/src/scene_manager/loader_svg.c
+++ b/src/scene_manager/loader_svg.c
@@ -446,6 +446,7 @@ static Bool svg_parse_animation(GF_SVG_Parser *parser, GF_SceneGraph *sg, SVG_De
 if (anim->to) {
 /* now that we have a target, if there is a to value to parse, create the attribute and parse it */
 gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_to, GF_TRUE, GF_FALSE, &info);
+ if (!info.name) info.name = "to";
 gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->to, anim_value_type);
 if (anim_value_type==XMLRI_datatype) {
 svg_post_process_href(parser, (GF_Node *) anim->target, (XMLRI*)((SMIL_AnimateValue *)info.far_ptr)->value);
@@ -454,6 +455,7 @@ static Bool svg_parse_animation(GF_SVG_Parser *parser, GF_SceneGraph *sg, SVG_De
 if (anim->from) {
 /* now that we have a target, if there is a from value to parse, create the attribute and parse it */
 gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_from, GF_TRUE, GF_FALSE, &info);
+ if (!info.name) info.name = "from";
 gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->from, anim_value_type);
 if (anim_value_type==XMLRI_datatype)
 svg_post_process_href(parser, (GF_Node *) anim->target, (XMLRI*)((SMIL_AnimateValue *)info.far_ptr)->value);
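Review bot: The added `if (!info.name) info.name = "to";` guard repairs only the name, while the return value of gf_node_get_attribute_by_tag() on the line above is still discarded and `info.far_ptr` is dereferenced two lines later in the `XMLRI_datatype` branch. If the lookup can leave `info` incompletely filled (the NULL name suggests so, though the callee is not visible here), the cast `((SMIL_AnimateValue *)info.far_ptr)->value` needs its own check, e.g. `if (anim_value_type==XMLRI_datatype && info.far_ptr)`. The same pattern repeats in the `from`, `by` and `values` hunks. svg_parse_animation's body starts and ends outside these hunks.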
@@ -461,6 +463,7 @@ static Bool svg_parse_animation(GF_SVG_Parser *parser, GF_SceneGraph *sg, SVG_De
 if (anim->by) {
 /* now that we have a target, if there is a by value to parse, create the attribute and parse it */
 gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_by, GF_TRUE, GF_FALSE, &info);
+ if (!info.name) info.name = "by";
 gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->by, anim_value_type);
 if (anim_value_type==XMLRI_datatype)
 svg_post_process_href(parser, (GF_Node *) anim->target, (XMLRI*)((SMIL_AnimateValue *)info.far_ptr)->value);
@@ -468,6 +471,7 @@ static Bool svg_parse_animation(GF_SVG_Parser *parser, GF_SceneGraph *sg, SVG_De
 if (anim->values) {
 /* now that we have a target, if there is a 'values' value to parse, create the attribute and parse it */
 gf_node_get_attribute_by_tag((GF_Node *)anim->animation_elt, TAG_SVG_ATT_values, GF_TRUE, GF_FALSE, &info);
+ if (!info.name) info.name = "values";
 gf_svg_parse_attribute((GF_Node *)anim->animation_elt, &info, anim->values, anim_value_type);
 if (anim_value_type==XMLRI_datatype) {
 u32 i, count;
@@ -2110,13 +2114,13 @@ GF_Err load_svg_run(GF_SceneLoader *load) in_time = gf_sys_clock(); e = gf_xml_sax_parse_file(parser->sax_parser, (const char *)load->fileName, svg_progress); + svg_flush_animations(parser); + gf_sm_svg_flush_state(parser); if (parser->last_error<0) e = parser->last_error; - + if (e<0) return svg_report(parser, e, "Unable to parse file %s: %s", load->fileName, gf_xml_sax_get_error(parser->sax_parser) ); GF_LOG(GF_LOG_INFO, GF_LOG_PARSER, ("[Parser] Scene parsed and Scene Graph built in %d ms\n", gf_sys_clock() - in_time)); - svg_flush_animations(parser); - gf_sm_svg_flush_state(parser); return e; }
diff --git a/src/scenegraph/svg_attributes.c b/src/scenegraph/svg_attributes.c
index 9dd078f..3b47eab 100644
--- a/src/scenegraph/svg_attributes.c
+++ b/src/scenegraph/svg_attributes.c
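Review bot: In load_svg_run the two flush calls now run before `parser->last_error` is inspected, so they also execute on a failed or truncated parse, and nothing in the hunk records why. A one-line comment above them, such as `/* flush deferred animations and state even when parsing failed, so they are released */`, would keep a later cleanup from moving them back below the error return. It is also worth confirming that svg_flush_animations() tolerates a partially built scene, since it now runs on input the SAX parser rejected; its body is not visible here.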
@@ -2906,7 +2906,7 @@ static void svg_parse_preserveaspectratio(SVG_PreserveAspectRatio *par, char *at
 while (*content == ' ') content++;
 if (strstr(content, "defer")) {
 par->defer = 1;
- content += 4;
+ content += 5;
 } else {
 content = attribute_content;
 }
@@ -3446,8 +3446,8 @@ GF_Err gf_svg_parse_attribute(GF_Node *n, GF_FieldInfo *info, char *attribute_co
 *(SVG_String *)info->far_ptr = gf_strdup(attribute_content);
 break;
 default:
- GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[SVG Parsing] Cannot parse attribute %s\n", info->name, gf_svg_attribute_type_to_string(info->fieldType)));
- break;
+ GF_LOG(GF_LOG_WARNING, GF_LOG_PARSER, ("[SVG Parsing] Cannot parse attribute \"%s\"\n", info->name, gf_svg_attribute_type_to_string(info->fieldType)));
+ return GF_OK;
 }
 return GF_OK;
 }
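Review bot: `strstr(content, "defer")` matches the keyword anywhere in the remaining string, but `content += 5` always advances from the current position, so a value that carries "defer" later in the string skips five unrelated characters. An anchored test, `if (!strncmp(content, "defer", 5)) {`, makes the match and the skip length agree. The body of svg_parse_preserveaspectratio starts and ends outside the hunk.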
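Review bot: The warning in the `default:` case of gf_svg_parse_attribute has one `%s` but still receives two arguments, so the type string from gf_svg_attribute_type_to_string() is never printed; `"[SVG Parsing] Cannot parse attribute \"%s\" of type %s\n"` would use it. `info->name` is also passed to `%s` unchecked, and the NULL guards in this commit sit only at the four call sites in loader_svg.c, so a local fallback such as `info->name ? info->name : "unknown"` would cover any other caller. As far as the visible lines show, the new `return GF_OK;` is equivalent to the old `break;`, so an unparsable attribute is still reported as success.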