authorDudemanguy <random342@airmail.cc>2024-02-29 15:57:58 -0600
committerDudemanguy <random342@airmail.cc>2024-02-29 15:57:58 -0600
commit8ba6d8f7a9aa3b049b4706e3f26bb614e95f965a (patch)
treed550f903f23595d20767b2f163a071f3e6aa7bc6
parentdafced8a8adab9b0c7d87fa23609cc0dc3359b3a (diff)
sd_ass: fix use-after-free in ft->event_format
0b35b4c91796fb020e13d955efd450021eb5eedb originally introduced sd_filter to make a more general subtitle filter infrastructure. But when doing so, it directly set ft->event_format to ass_track->event_format in the struct. The lifetimes of ass_track and the sd_filter are not equivalent, which makes it easy to trigger undefined behavior. Notably, commit cda8f1613ff307a9e0b5528743f3e941b05dcee7 introduced assobjects_destroy, which can destroy ass_track at any time during runtime, meaning the string referenced by ft->event_format has actually been freed and must never be used. Remedy this by simply doing a proper strdup when the filter inits, with ft as the parent, so we avoid this scenario altogether. Fixes #13525.
-rw-r--r--sub/sd_ass.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/sub/sd_ass.c b/sub/sd_ass.c
index e7eb740bd6..f1ab23bb55 100644
--- a/sub/sd_ass.c
+++ b/sub/sd_ass.c
@@ -184,7 +184,7 @@ static void filters_init(struct sd *sd)
.opts = mp_get_config_group(ft, sd->global, &mp_sub_filter_opts),
.driver = filters[n],
.codec = "ass",
- .event_format = ctx->ass_track->event_format,
+ .event_format = talloc_strdup(ft, ctx->ass_track->event_format),
};
if (ft->driver->init(ft)) {
MP_TARRAY_APPEND(ctx, ctx->filters, ctx->num_filters, ft);
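Review bot: The talloc_strdup on the `+` line removes the dangling pointer but makes `ft->event_format` a snapshot taken at filter init, so if the ass_track is later destroyed and recreated with a different event format (the description says assobjects_destroy can tear it down at runtime), the filter keeps the old format line; whether a recreated track can carry a different format for the same stream is not visible here and is worth confirming. Note also that talloc_strdup returns NULL when the source string is NULL, so the driver's init must still tolerate a NULL `event_format` exactly as it did with the previous alias. A one-line comment above the initializer would stop the next maintainer from reverting to the cheaper alias: `// copy, not alias: ass_track can be freed/recreated independently of ft`. filters_init's body starts and ends outside the hunk.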