fftools/ffmpeg_dec: deep-copy subtitle_header to fix use-after-free

Found-by: Zhen Yan
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit fa391e90fb)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

fftools/ffmpeg.h

@@ -448,7 +448,7 @@ typedef struct Decoder {
 
     enum AVMediaType type;
 
-    const uint8_t   *subtitle_header;
+    uint8_t         *subtitle_header;
     int              subtitle_header_size;
 
     // number of frames/samples retrieved from the decoder

fftools/ffmpeg_dec.c

@@ -136,6 +136,8 @@ void dec_free(Decoder **pdec)
         av_frame_free(&dp->sub_prev[i]);
     av_frame_free(&dp->sub_heartbeat);
 
+    av_freep(&dp->dec.subtitle_header);
+
     av_freep(&dp->parent_name);
 
     av_freep(&dp->views_requested);
@@ -1617,8 +1619,15 @@ static int dec_open(DecoderPriv *dp, AVDictionary **dec_opts,
             dp->dec_ctx->extra_hw_frames = extra_frames;
     }
 
-    dp->dec.subtitle_header      = dp->dec_ctx->subtitle_header;
-    dp->dec.subtitle_header_size = dp->dec_ctx->subtitle_header_size;
+    if (dp->dec_ctx->subtitle_header) {
+        /* ASS code assumes this buffer is null terminated so add extra byte. */
+        dp->dec.subtitle_header = av_mallocz(dp->dec_ctx->subtitle_header_size + 1);
+        if (!dp->dec.subtitle_header)
+            return AVERROR(ENOMEM);
+        memcpy(dp->dec.subtitle_header, dp->dec_ctx->subtitle_header,
+               dp->dec_ctx->subtitle_header_size);
+        dp->dec.subtitle_header_size = dp->dec_ctx->subtitle_header_size;
+    }
 
     if (param_out) {
         if (dp->dec_ctx->codec_type == AVMEDIA_TYPE_AUDIO) {