author | Dudemanguy <random342@airmail.cc> | 2024-02-29 15:57:58 -0600 |
---|---|---|
committer | Dudemanguy <random342@airmail.cc> | 2024-02-29 15:57:58 -0600 |
commit | 8ba6d8f7a9aa3b049b4706e3f26bb614e95f965a (patch) | |
tree | d550f903f23595d20767b2f163a071f3e6aa7bc6 /player/audio.c | |
parent | dafced8a8adab9b0c7d87fa23609cc0dc3359b3a (diff) | |
sd_ass: fix use-after-free in ft->event_format
0b35b4c91796fb020e13d955efd450021eb5eedb originally introduced sd_filter
to make a more general subtitle filter infrastructure. But when doing
so, it directly sets ft->event_format to ass_track->event_format in the
struct. The lifetime of ass_track and the sd_filter are not equivalent
which makes it easy to trigger undefined behavior. Notably, commit
cda8f1613ff307a9e0b5528743f3e941b05dcee7 introduced assobjects_destroy
which can destroy ass_track anytime during runtime which means that the
string in ft->event_format is actually freed and should never be used.
Remedy this by simply doing a proper strdup when the filter inits with
ft as the parent so we avoid this scenario altogether. Fixes #13525.
Diffstat (limited to 'player/audio.c')
0 files changed, 0 insertions, 0 deletions
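
The lifetime mismatch described in the commit message, as an added example that is not mpv's code: `model_track`, `model_filter` and every function name below are hypothetical stand-ins, and libc `malloc`/`free` replaces the parented allocation the message mentions. It contrasts a filter that borrows the track's `event_format` pointer with one that keeps its own copy.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins (assumptions), not mpv's real structs. */
struct model_track  { char *event_format; };
struct model_filter { char *event_format; bool owns_format; };

/* Pre-fix pattern: the filter borrows the track's string. */
void filter_init_borrowed(struct model_filter *ft, struct model_track *tr) {
    ft->event_format = tr->event_format;
    ft->owns_format = false;
}

/* Post-fix pattern: private copy (libc malloc here, not mpv's allocator). */
bool filter_init_owned(struct model_filter *ft, const struct model_track *tr) {
    size_t n = strlen(tr->event_format) + 1;
    ft->event_format = malloc(n);
    ft->owns_format = ft->event_format != NULL;
    if (ft->owns_format) memcpy(ft->event_format, tr->event_format, n);
    return ft->owns_format;
}

/* True while the filter points at the track's own allocation. */
bool filter_aliases_track(const struct model_filter *ft, const struct model_track *tr) {
    return ft->event_format == tr->event_format;
}

/* Models the track being destroyed while the filter is still alive. */
void track_destroy(struct model_track *tr) {
    free(tr->event_format);
    tr->event_format = NULL;
}

void filter_uninit(struct model_filter *ft) {
    if (ft->owns_format) free(ft->event_format);
    ft->event_format = NULL;
}

int main(void) {
    struct model_track tr = { malloc(16) };  /* constructed sample track */
    struct model_filter ft;
    if (!tr.event_format) return 1;
    strcpy(tr.event_format, "Start, Text");  /* constructed sample value */
    bool ok = filter_init_owned(&ft, &tr);
    track_destroy(&tr);                      /* filter outlives the track */
    if (ok) puts(ft.event_format);           /* safe: reads the copy */
    filter_uninit(&ft);
    return ok ? 0 : 1;
}
```

A filter set up with `filter_init_borrowed` must not read `event_format` after `track_destroy`; building the borrowed variant with AddressSanitizer and reading the field at that point reports the use-after-free.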