A Use-After-Free (UAF) vulnerability exists in the switch_output_file function within src/lib_ccx/ccx_encoders_common.c.
When switching output files, the existing enc_ctx->out->filename is freed. However, if the subsequent call to get_basename() returns NULL (e.g., due to memory allocation failure or a NULL original_filename), the pointer enc_ctx->out->filename is never reassigned. This leaves a dangling pointer that is later passed to write_subtitle_file_header() and ultimately dereferenced in spunpg_init(), leading to a Use-After-Free.
Execution Flow / Root Cause:
- Free: In switch_output_file, the memory pointed to by enc_ctx->out->filename is freed.

```c
if (enc_ctx->out->filename != NULL)
{
	free(enc_ctx->out->filename); // [1] Memory is freed here
	close(enc_ctx->out->fh);
}
```

- Missing Reassignment: The function attempts to generate a new basename. If get_basename() returns NULL, the if (basename != NULL) block is skipped, so enc_ctx->out->filename is not updated and remains a dangling pointer.

```c
char *basename = get_basename(enc_ctx->out->original_filename);
if (basename != NULL) // [2] If basename is NULL, reassignment is skipped
{
	enc_ctx->out->filename = create_outfilename(basename, suffix, ext);
	...
}
```

- Use: The dangling pointer is immediately passed down the call stack and used.

```c
// [3] write_subtitle_file_header is called with the context containing the dangling pointer
write_subtitle_file_header(enc_ctx, enc_ctx->out);
// Trace: write_subtitle_file_header -> write_spumux_header -> spunpg_init (UAF triggered here)
```
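The free-without-reassignment pattern above, reduced to a stand-alone C model so the failure path can be exercised safely, as an added example that is not ccextractor's code. The context struct, `join()`, `get_basename_sim()` and the `fail_basename` knob are assumed stand-ins for the real encoder context, `create_outfilename()` and `get_basename()`; the hardened variant clears the pointer at the free site and reports failure so the caller can skip the header write.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified shape of the encoder output context. */
struct out_ctx { char *filename; char *original_filename; };

/* Constructed knob: lets a test force get_basename() to fail, standing in
 * for an allocation failure or a NULL original_filename. */
int fail_basename = 0;

static char *join(const char *a, const char *b) /* heap copy of a+b */
{
	char *s = malloc(strlen(a) + strlen(b) + 1);
	if (s) { strcpy(s, a); strcat(s, b); }
	return s;
}

static char *get_basename_sim(const char *orig)
{
	return (orig == NULL || fail_basename) ? NULL : join(orig, "");
}

/* Vulnerable pattern from the report: free, then reassign only on success.
 * Return value is what the caller acts on: "filename set, write the header". */
int switch_output_vuln(struct out_ctx *out, const char *suffix)
{
	if (out->filename != NULL)
		free(out->filename);              /* [1] freed, pointer left in place */
	char *basename = get_basename_sim(out->original_filename);
	if (basename != NULL) {               /* [2] skipped on NULL: filename dangles */
		out->filename = join(basename, suffix);
		free(basename);
	}
	return out->filename != NULL;         /* [3] dangling pointer still looks valid */
}

/* Hardened: clear the pointer at the free site and make failure explicit,
 * so the caller skips write_subtitle_file_header() instead of dereferencing. */
int switch_output_fixed(struct out_ctx *out, const char *suffix)
{
	free(out->filename);                  /* free(NULL) is a no-op */
	out->filename = NULL;                 /* nothing can dangle past this line */
	char *basename = get_basename_sim(out->original_filename);
	if (basename == NULL)
		return -1;
	out->filename = join(basename, suffix);
	free(basename);
	return out->filename != NULL ? 0 : -1;
}
```

The vulnerable variant only compares the stale pointer value and never dereferences it, which is why the model can run without triggering the crash the report describes.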