libass: patch CVE-2020-24994

Details: https://nvd.nist.gov/vuln/detail/CVE-2020-24994 Backport the commit that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-05-18 18:41:55 +00:00 · 2026-01-29 07:31:29 +01:00 · 2026-01-29 07:31:29 +01:00 · 44247b3cb0
commit 44247b3cb0
parent ef6ef1492c
2 changed files with 51 additions and 1 deletions
--- a/meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch
+++ b/meta-oe/recipes-multimedia/libass/libass/CVE-2020-24994.patch
@ -0,0 +1,48 @@
+From 99eaa60314c4e28c2f0c295e165daf22c5601cc3 Mon Sep 17 00:00:00 2001
+From: Oleg Oshmyan <chortos@inbox.lv>
+Date: Thu, 4 Jan 2018 02:42:09 +0200
+Subject: [PATCH] parse_tags: don't recurse for nested \t()
+
+This fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4892
+(stack overflow on deeply nested \t()).
+
+This is possible because parentheses do not nest and the first ')'
+terminates the whole tag. Thus something like \t(\t(\t(\t(\t() can be
+read in a simple loop with no recursion required. Recursion is also
+not required if the ')' is missing entirely and the outermost \t(...
+never ends.
+
+See https://github.com/libass/libass/pull/296 for more backstory.
+
+CVE: CVE-2020-24994
+Upstream-Status: Backport [https://github.com/libass/libass/commit/6835731c2fe4164a0c50bc91d12c43b2a2b4e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ libass/ass_parse.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/libass/ass_parse.c b/libass/ass_parse.c
+index c83634a..991d1b6 100644
+--- a/libass/ass_parse.c
+++ b/libass/ass_parse.c
+@@ -650,8 +650,18 @@ char *parse_tag(ASS_Renderer *render_priv, char *p, char *end, double pwr)
+             k = pow(((double) (t - t1)) / delta_t, accel);
+         }
+         p = args[cnt].start;
+-        while (p < args[cnt].end)
+-            p = parse_tag(render_priv, p, args[cnt].end, k);    // maybe k*pwr ? no, specs forbid nested \t's
+        if (args[cnt].end < end) {
+            while (p < args[cnt].end)
+                p = parse_tag(render_priv, p, args[cnt].end, k);    // maybe k*pwr ? no, specs forbid nested \t's
+        } else {
+            assert(q == end);
+            // No other tags can possibly follow this \t tag,
+            // so we don't need to restore pwr after parsing \t.
+            // The recursive call is now essentially a tail call,
+            // so optimize it away.
+            pwr = k;
+            q = p;
+        }
+     } else if (complex_tag("clip")) {
+         if (nargs == 4) {
+             int x0, y0, x1, y1;
--- a/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb
+++ b/meta-oe/recipes-multimedia/libass/libass_0.14.0.bb
@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=a42532a0684420bdb15556c3cdd49a75"

 DEPENDS = "enca fontconfig freetype libpng fribidi"

-SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https"
+SRC_URI = "git://github.com/libass/libass.git;branch=master;protocol=https \
+           file://CVE-2020-24994.patch \
+           "
 SRCREV = "73284b676b12b47e17af2ef1b430527299e10c17"
 S = "${WORKDIR}/git"