PR #23325 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23325 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23325.patch
Found-by: Zhen Yan
Signed-off-by: Michael Niedermayer <[email protected]>
>From 4fdd377a55022e80735fde9edb346a87991c96af Mon Sep 17 00:00:00 2001
From: Zhen Yan <[email protected]>
Date: Thu, 4 Jun 2026 01:49:41 +0200
Subject: [PATCH] fftools/ffmpeg_dec: deep-copy subtitle_header to fix use-after-free
Found-by: Zhen Yan
Signed-off-by: Michael Niedermayer <[email protected]>
---
 fftools/ffmpeg.h | 2 +-
 fftools/ffmpeg_dec.c | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/fftools/ffmpeg.h b/fftools/ffmpeg.h
index 3a19e5878d..8c85f1ef7f 100644
--- a/fftools/ffmpeg.h
+++ b/fftools/ffmpeg.h
@@ -471,7 +471,7 @@ typedef struct Decoder {
 enum AVMediaType type;
- const uint8_t *subtitle_header;
+ uint8_t *subtitle_header;
 int subtitle_header_size;
 // number of frames/samples retrieved from the decoder
diff --git a/fftools/ffmpeg_dec.c b/fftools/ffmpeg_dec.c
index 5020684a28..e424c0b17d 100644
--- a/fftools/ffmpeg_dec.c
+++ b/fftools/ffmpeg_dec.c
@@ -136,6 +136,8 @@ void dec_free(Decoder **pdec)
 av_frame_free(&dp->sub_prev[i]);
 av_frame_free(&dp->sub_heartbeat);
+ av_freep(&dp->dec.subtitle_header);
+ av_freep(&dp->parent_name);
 av_freep(&dp->views_requested);
@@ -1621,8 +1623,15 @@ static int dec_open(DecoderPriv *dp, AVDictionary **dec_opts,
 dp->dec_ctx->extra_hw_frames = extra_frames;
 }
- dp->dec.subtitle_header = dp->dec_ctx->subtitle_header;
- dp->dec.subtitle_header_size = dp->dec_ctx->subtitle_header_size;
+ if (dp->dec_ctx->subtitle_header) {
+ /* ASS code assumes this buffer is null terminated so add extra byte. */
+ dp->dec.subtitle_header = av_mallocz(dp->dec_ctx->subtitle_header_size + 1);
+ if (!dp->dec.subtitle_header)
+ return AVERROR(ENOMEM);
+ memcpy(dp->dec.subtitle_header, dp->dec_ctx->subtitle_header,
+ dp->dec_ctx->subtitle_header_size);
+ dp->dec.subtitle_header_size = dp->dec_ctx->subtitle_header_size;
+ }
 if (param_out) {
 if (dp->dec_ctx->codec_type == AVMEDIA_TYPE_AUDIO) {
-- 2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
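Review bot: The allocation size `dp->dec_ctx->subtitle_header_size + 1` on the av_mallocz line is computed in `int` before it is widened to size_t, so a header size of INT_MAX is a signed overflow (undefined behaviour) and a negative size turns into a huge request that fails with a misleading ENOMEM; since the header is derived from the input file, a cheap range check ahead of the `if`, e.g. `if (dp->dec_ctx->subtitle_header_size < 0 || dp->dec_ctx->subtitle_header_size == INT_MAX) return AVERROR(EINVAL);`, closes that unless the size is already validated upstream in libavcodec. Separately, if dec_open can run more than once for the same DecoderPriv (not visible from this hunk), the previous copy is overwritten without being freed and a stale `subtitle_header_size` survives when the new context carries no header; an `av_freep(&dp->dec.subtitle_header); dp->dec.subtitle_header_size = 0;` before the `if` makes the block safe to re-enter either way. The new `av_freep` in dec_free does pair with this allocation, so the early ENOMEM return does not leak. dec_open begins before and continues after this hunk.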
