From 8ba6d8f7a9aa3b049b4706e3f26bb614e95f965a Mon Sep 17 00:00:00 2001
From: Dudemanguy
Date: Thu, 29 Feb 2024 15:57:58 -0600
Subject: [PATCH] sd_ass: fix use-after-free in ft->event_format

0b35b4c91796fb020e13d955efd450021eb5eedb originally introduced sd_filter to make a more general subtitle filter infrastructure. But when doing so, it directly sets ft->event_format to ass_track->event_format in the struct. The lifetime of ass_track and the sd_filter are not equivalent which makes it easy to trigger undefined behavior. Notably, commit cda8f1613ff307a9e0b5528743f3e941b05dcee7 introduced assobjects_destroy which can destroy ass_track anytime during runtime which means that the string in ft->event_format is actually freed and should never be used. Remedy this by simply doing a proper strdup when the filter inits with ft as the parent so we avoid this scenario altogether. Fixex #13525.
---
 sub/sd_ass.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sub/sd_ass.c b/sub/sd_ass.c
index e7eb740bd6..f1ab23bb55 100644
--- a/sub/sd_ass.c
+++ b/sub/sd_ass.c
@@ -184,7 +184,7 @@ static void filters_init(struct sd *sd)
 .opts = mp_get_config_group(ft, sd->global, &mp_sub_filter_opts),
 .driver = filters[n],
 .codec = "ass",
- .event_format = ctx->ass_track->event_format,
+ .event_format = talloc_strdup(ft, ctx->ass_track->event_format),
 };
 if (ft->driver->init(ft)) {
 MP_TARRAY_APPEND(ctx, ctx->filters, ctx->num_filters, ft);
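Review bot: The talloc_strdup() on the added line snapshots the event format at filter-init time and, because talloc_strdup() returns NULL for a NULL source, leaves ft->event_format NULL whenever ctx->ass_track->event_format is NULL, so each driver's init() (outside this hunk) must tolerate a NULL format. Neither point is a regression against the removed aliasing line, but the ownership is now easy to misread when the struct is next edited, so a comment on the new line would help: `// own copy: ass_track can be destroyed/recreated at runtime, never alias its strings`. If the track is later recreated with a different event format while the filter list survives, the filters keep the stale copy; whether filters are rebuilt on that path is not visible here. filters_init begins and ends outside the hunk.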