This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

The following commit(s) were added to refs/heads/master by this push:
     new fa391e90fb fftools/ffmpeg_dec: deep-copy subtitle_header to fix 
use-after-free
fa391e90fb is described below

commit fa391e90fb00510e926e305d6f8067cadf0f4153
Author:     Zhen Yan <[email protected]>
AuthorDate: Thu Jun 4 01:49:41 2026 +0200
Commit:     michaelni <[email protected]>
CommitDate: Fri Jun 12 00:45:29 2026 +0000

    fftools/ffmpeg_dec: deep-copy subtitle_header to fix use-after-free
    
    Found-by: Zhen Yan
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 fftools/ffmpeg.h     |  2 +-
 fftools/ffmpeg_dec.c | 13 +++++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/fftools/ffmpeg.h b/fftools/ffmpeg.h
index 3a19e5878d..8c85f1ef7f 100644
--- a/fftools/ffmpeg.h
+++ b/fftools/ffmpeg.h
@@ -471,7 +471,7 @@ typedef struct Decoder {
 
     enum AVMediaType type;
 
-    const uint8_t   *subtitle_header;
+    uint8_t         *subtitle_header;
     int              subtitle_header_size;
 
     // number of frames/samples retrieved from the decoder
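Review bot: The field now holds heap memory owned by the Decoder, but nothing in the struct says so; a reader still sees only the dropped `const` and cannot tell whether `subtitle_header` may be freed, assigned or shared. A one-line ownership comment above the field would settle it, e.g. `// owned copy of dec_ctx->subtitle_header, NUL-terminated; allocated in dec_open(), freed in dec_free()`. Keeping `subtitle_header_size` documented as the length without the terminator would also help, since the allocation deliberately adds one byte beyond it. The enclosing `struct Decoder` starts and ends outside the hunk.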
diff --git a/fftools/ffmpeg_dec.c b/fftools/ffmpeg_dec.c
index 5020684a28..e424c0b17d 100644
--- a/fftools/ffmpeg_dec.c
+++ b/fftools/ffmpeg_dec.c
@@ -136,6 +136,8 @@ void dec_free(Decoder **pdec)
         av_frame_free(&dp->sub_prev[i]);
     av_frame_free(&dp->sub_heartbeat);
 
+    av_freep(&dp->dec.subtitle_header);
+
     av_freep(&dp->parent_name);
 
     av_freep(&dp->views_requested);
@@ -1621,8 +1623,15 @@ static int dec_open(DecoderPriv *dp, AVDictionary 
**dec_opts,
             dp->dec_ctx->extra_hw_frames = extra_frames;
     }
 
-    dp->dec.subtitle_header      = dp->dec_ctx->subtitle_header;
-    dp->dec.subtitle_header_size = dp->dec_ctx->subtitle_header_size;
+    if (dp->dec_ctx->subtitle_header) {
+        /* ASS code assumes this buffer is null terminated so add extra byte. 
*/
+        dp->dec.subtitle_header = av_mallocz(dp->dec_ctx->subtitle_header_size 
+ 1);
+        if (!dp->dec.subtitle_header)
+            return AVERROR(ENOMEM);
+        memcpy(dp->dec.subtitle_header, dp->dec_ctx->subtitle_header,
+               dp->dec_ctx->subtitle_header_size);
+        dp->dec.subtitle_header_size = dp->dec_ctx->subtitle_header_size;
+    }
 
     if (param_out) {
         if (dp->dec_ctx->codec_type == AVMEDIA_TYPE_AUDIO) {
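Review bot: The new allocation and memcpy trust `dp->dec_ctx->subtitle_header_size` without checking its sign, and since it is an `int`, `subtitle_header_size + 1` is computed in signed arithmetic before it widens to the `size_t` that av_mallocz and memcpy take, so a negative value becomes an enormous copy length; a guard ahead of the allocation, `if (dp->dec_ctx->subtitle_header_size < 0) return AVERROR(EINVAL);`, closes that path. If dec_open can run more than once for the same DecoderPriv (not visible in this hunk), the assignment overwrites any earlier copy without freeing it, so `av_freep(&dp->dec.subtitle_header);` before the `if` would keep the ownership introduced by this commit leak-free either way. Note also that `subtitle_header_size` is no longer written when the context has no header, whereas the removed lines assigned it unconditionally; that is fine only if the field is guaranteed zero beforehand. The body of dec_open starts and ends outside the hunk.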
