sd_ass: fix use-after-free in ft->event_format

0b35b4c917 originally introduced sd_filter to make a more general subtitle filter infrastructure. But when doing so, it directly sets ft->event_format to ass_track->event_format in the struct. The lifetime of ass_track and the sd_filter are not equivalent which makes it easy to trigger undefined behavior. Notably, commit cda8f1613f introduced assobjects_destroy which can destroy ass_track anytime during runtime which means that the string in ft->event_format is actually freed and should never be used. Remedy this by simply doing a proper strdup when the filter inits with ft as the parent so we avoid this scenario altogether. Fixex #13525.
2024-02-29 15:57:58 -06:00 · 2024-02-29 15:57:58 -06:00 · 8ba6d8f7a9
parent dafced8a8a
commit 8ba6d8f7a9
1 changed files with 1 additions and 1 deletions
--- a/sub/sd_ass.c
+++ b/sub/sd_ass.c
@ -184,7 +184,7 @@ static void filters_init(struct sd *sd)
            .opts = mp_get_config_group(ft, sd->global, &mp_sub_filter_opts),
            .driver = filters[n],
            .codec = "ass",
-            .event_format = ctx->ass_track->event_format,
+            .event_format = talloc_strdup(ft, ctx->ass_track->event_format),
        };
        if (ft->driver->init(ft)) {
            MP_TARRAY_APPEND(ctx, ctx->filters, ctx->num_filters, ft);