diff mbox series

[meta-oe,kirkstone,5/5] libass: patch CVE-2020-24994

Message ID 20260129063129.223926-5-skandigraun@gmail.com
State New
Headers show
Series [meta-python,kirkstone,1/5] python3-twitter: mark CVE-2012-5825 patched | expand

Commit Message

Gyorgy Sarvari Jan. 29, 2026, 6:31 a.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-24994

Backport the commit that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../libass/libass/CVE-2020-24994.patch        | 48 +++++++++++++++++++
 .../libass/libass_0.14.0.bb                   |  4 +-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch
diff mbox series

Patch

diff --git a/meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch b/meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch
new file mode 100644
index 0000000000..b0fc9297d8
--- /dev/null
+++ b/meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch
@@ -0,0 +1,48 @@ 
+From 99eaa60314c4e28c2f0c295e165daf22c5601cc3 Mon Sep 17 00:00:00 2001
+From: Oleg Oshmyan <chortos@inbox.lv>
+Date: Thu, 4 Jan 2018 02:42:09 +0200
+Subject: [PATCH] parse_tags: don't recurse for nested \t()
+
+This fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4892
+(stack overflow on deeply nested \t()).
+
+This is possible because parentheses do not nest and the first ')'
+terminates the whole tag. Thus something like \t(\t(\t(\t(\t() can be
+read in a simple loop with no recursion required. Recursion is also
+not required if the ')' is missing entirely and the outermost \t(...
+never ends.
+
+See https://github.com/libass/libass/pull/296 for more backstory.
+
+CVE: CVE-2020-24994
+Upstream-Status: Backport [https://github.com/libass/libass/commit/6835731c2fe4164a0c50bc91d12c43b2a2b4e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libass/ass_parse.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libass/ass_parse.c b/libass/ass_parse.c
+index c83634a..991d1b6 100644
+--- a/libass/ass_parse.c
++++ b/libass/ass_parse.c
+@@ -650,8 +650,18 @@ char *parse_tag(ASS_Renderer *render_priv, char *p, char *end, double pwr)
+             k = pow(((double) (t - t1)) / delta_t, accel);
+         }
+         p = args[cnt].start;
+-        while (p < args[cnt].end)
+-            p = parse_tag(render_priv, p, args[cnt].end, k);    // maybe k*pwr ? no, specs forbid nested \t's
++        if (args[cnt].end < end) {
++            while (p < args[cnt].end)
++                p = parse_tag(render_priv, p, args[cnt].end, k);    // maybe k*pwr ? no, specs forbid nested \t's
++        } else {
++            assert(q == end);
++            // No other tags can possibly follow this \t tag,
++            // so we don't need to restore pwr after parsing \t.
++            // The recursive call is now essentially a tail call,
++            // so optimize it away.
++            pwr = k;
++            q = p;
++        }
+     } else if (complex_tag("clip")) {
+         if (nargs == 4) {
+             int x0, y0, x1, y1;
diff --git a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb
index 0e62307363..f0579ba25f 100644
--- a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb
+++ b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb
@@ -7,7 +7,9 @@  LIC_FILES_CHKSUM = "file://COPYING;md5=a42532a0684420bdb15556c3cdd49a75"
 
 DEPENDS = "enca fontconfig freetype libpng fribidi"
 
-SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https \
+           file://CVE-2020-24994.patch \
+           "
 SRCREV = "73284b676b12b47e17af2ef1b430527299e10c17"
 S = "${WORKDIR}/git"