This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.0 in repository ffmpeg.
commit 82f8e69d52190ae36b0d9e747404a319ddad44f0
Author: Zhen Yan <[email protected]>
AuthorDate: Thu Jun 4 01:49:41 2026 +0200
Commit: Michael Niedermayer <[email protected]>
CommitDate: Sun Jun 14 04:59:12 2026 +0200
fftools/ffmpeg_dec: deep-copy subtitle_header to fix use-after-free
Found-by: Zhen Yan
Signed-off-by: Michael Niedermayer <[email protected]>
(cherry picked from commit fa391e90fb00510e926e305d6f8067cadf0f4153)
Signed-off-by: Michael Niedermayer <[email protected]>
---
 fftools/ffmpeg.h | 2 +-
 fftools/ffmpeg_dec.c | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/fftools/ffmpeg.h b/fftools/ffmpeg.h
index 0756429c62..0e9b18a5ba 100644
--- a/fftools/ffmpeg.h
+++ b/fftools/ffmpeg.h
@@ -448,7 +448,7 @@ typedef struct Decoder {
 enum AVMediaType type;
- const uint8_t *subtitle_header;
+ uint8_t *subtitle_header;
 int subtitle_header_size;
 // number of frames/samples retrieved from the decoder
diff --git a/fftools/ffmpeg_dec.c b/fftools/ffmpeg_dec.c
index 1d7158f995..cc9a99538c 100644
--- a/fftools/ffmpeg_dec.c
+++ b/fftools/ffmpeg_dec.c
@@ -136,6 +136,8 @@ void dec_free(Decoder **pdec)
 av_frame_free(&dp->sub_prev[i]);
 av_frame_free(&dp->sub_heartbeat);
+ av_freep(&dp->dec.subtitle_header);
+
 av_freep(&dp->parent_name);
 av_freep(&dp->views_requested);
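Review bot: In fftools/ffmpeg.h, dropping `const` turns `Decoder.subtitle_header` from a borrowed pointer into memory the Decoder owns, but the declaration does not record that. A short comment on the field would make the contract explicit, for example `/* owned, NUL-terminated copy made in dec_open(); freed by dec_free() */`. Any other code that still stores a borrowed pointer in this field would now be released by the `av_freep()` added in dec_free(), so other writers are worth checking; none are visible in this diff, and the struct body extends beyond the hunk.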
@@ -1617,8 +1619,15 @@ static int dec_open(DecoderPriv *dp, AVDictionary **dec_opts,
 dp->dec_ctx->extra_hw_frames = extra_frames;
 }
- dp->dec.subtitle_header = dp->dec_ctx->subtitle_header;
- dp->dec.subtitle_header_size = dp->dec_ctx->subtitle_header_size;
+ if (dp->dec_ctx->subtitle_header) {
+ /* ASS code assumes this buffer is null terminated so add extra byte. */
+ dp->dec.subtitle_header = av_mallocz(dp->dec_ctx->subtitle_header_size + 1);
+ if (!dp->dec.subtitle_header)
+ return AVERROR(ENOMEM);
+ memcpy(dp->dec.subtitle_header, dp->dec_ctx->subtitle_header,
+ dp->dec_ctx->subtitle_header_size);
+ dp->dec.subtitle_header_size = dp->dec_ctx->subtitle_header_size;
+ }
 if (param_out) {
 if (dp->dec_ctx->codec_type == AVMEDIA_TYPE_AUDIO) {
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]
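Review bot: In dec_open() the new copy uses `dp->dec_ctx->subtitle_header_size`, a signed int, without a range check, both in the `+ 1` allocation size and as the memcpy length. If a decoder ever reported a negative size together with a non-NULL header, the allocation size and the copy length would convert to size_t differently and the copy could run past the new buffer, so I would reject that case before allocating: `if (dp->dec_ctx->subtitle_header_size < 0) return AVERROR(EINVAL);`. Separately, if dec_open() can run more than once for the same DecoderPriv, the earlier copy would leak; an `av_freep(&dp->dec.subtitle_header);` before the allocation would cover that. Whether it can is not visible here, because the function body starts and ends outside the hunk.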
