#11651: NULL Pointer Dereference in FFmpeg ffprobe
-------------------------------------+-------------------------------------
Reporter: momo-trip                  | Type: defect
Status: new                          | Priority: normal
Component: undetermined              | Version: 7.1
Keywords: NULL pointer dereference   | Blocked By:
Blocking:                            | Reproduced by developer: 0
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
# NULL Pointer Dereference in FFmpeg ffprobe
Hi, we have found a NULL pointer dereference in ffprobe and would like to
report this issue.
Could you confirm if this qualifies as a security bug? I am happy to
provide any additional information needed.
## Summary
In ffprobe's special syntax `-/opt`, when no subsequent argument exists, a
NULL pointer is passed down as the file name, causing `open(NULL, ...)` to be
called and resulting in abnormal termination. It is reproducible from the
command line alone, and in service environments that automatically execute
ffprobe on user-controlled arguments this constitutes a DoS attack.
## Details
- **Vulnerability Type:** NULL Pointer Dereference arising from Improper Input Validation, CWE-20
- **Product:** FFmpeg (ffprobe)
- **Version:** 7.1.1 (commit f11962f, 2025-05-15)
- **Configuration:** Default settings, no additional options
- **Attack Vector:** Local CLI (arbitrary user input)
- **Impact:** Process abnormal termination (service interruption)
- **Privileges Required / User Interaction:** None required / Command execution only
## Reproduction
### Environment
- **Operating System:** Ubuntu 22.04 LTS
- **Architecture:** x86-64
- **Compiler:** clang 15.0.7 + AddressSanitizer
### Reproduction Steps
```bash
# Clone and build (ASan enabled)
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
git checkout f11962f
./configure --enable-gpl \
CC=clang CFLAGS="-fsanitize=address -g -O1" \
LDFLAGS="-fsanitize=address"
make -j$(nproc)
# Crash examples
./ffprobe -/version
./ffprobe -/L
./ffprobe -/buildconf
```
### Crash Log
Output (AddressSanitizer excerpt):
```text
==7854==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
#0 0x7f2b6c in open (/usr/lib/x86_64-linux-gnu/libc.so.6+0xfa6c)
#1 0x5605fd in file_read fftools/cmdutils.c:272
#2 0x5632ab in parse_option fftools/cmdutils.c:266
#3 0x564de0 in parse_options fftools/cmdutils.c:448
...
AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2b6c ...)
```
## Root Cause Analysis
### Affected Code
https://github.com/FFmpeg/FFmpeg/blob/master/fftools/cmdutils.c#L431
https://github.com/FFmpeg/FFmpeg/blob/master/fftools/cmdutils.c#L255
```c
// parse_options() (approximately lines 431–441)
opt = argv[optindex++];                      /* optindex is incremented */
...
if ((ret = parse_option(optctx, opt, argv[optindex], options)) < 0)
    return ret;                              /* when optindex == argc, argv[optindex] is NULL */

// write_option() (approximately lines 255–274)
if (*opt == '/') {
    opt++;
    /* No validation for argument requirement or arg == NULL */
    arg_allocated = file_read(arg);          /* arg is NULL -> open(NULL, ...) */
}
```
## Impact Assessment
- No elements of remote code execution or information disclosure are
present.
- However, in automated analysis services that launch ffprobe, it is
possible to stop the process with a single malicious argument, affecting
availability.
## Proposed Fix
- Utilize `opt_has_arg(const OptionDef *po)` to reference `argv[optindex]`
only for options that require arguments.
- When `/` syntax is detected:
- Check if the target option requires an argument; reject if not
required.
- If `arg == NULL`, return with "file not specified" error.
```c
/* parse_options() */
const OptionDef *po = find_option(options, name);
if (po && opt_has_arg(po) && optindex >= argc) {
    av_log(NULL, AV_LOG_ERROR,
           "Missing argument for option '%s'\n", opt);
    return AVERROR(EINVAL);
}

/* -/ processing in write_option() */
if (*opt == '/') {
    opt++;
    if (!opt_has_arg(po)) {
        av_log(NULL, AV_LOG_ERROR,
               "Option '%s' does not take an argument; '-/%s' is invalid\n",
               po->name, po->name);
        return AVERROR(EINVAL);
    }
    if (!arg) {
        av_log(NULL, AV_LOG_ERROR,
               "No file specified after '-/%s'\n", po->name);
        return AVERROR(EINVAL);
    }
}
```
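The following is an added, self-contained example (not FFmpeg's code, and not the reporter's) of an argv walker that applies both checks from the proposed fix in one place: the `-/name` form is rejected for options that take no argument, and a missing trailing argument is reported instead of being handed to `file_read()`/`open()`. The option table, `OptionDef`, `opt_has_arg`, `find_option` and `parse_args` are constructed for this demo and only loosely modelled on the fftools names.

```c
/* Added example (not FFmpeg's code): a minimal option parser that mirrors the
 * fftools "-/opt file" syntax and guards every read of argv[optindex] with
 * optindex < argc, so a trailing "-/opt" can never yield arg == NULL. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define HAS_ARG 0x01

/* constructed stand-in for fftools' OptionDef */
typedef struct OptionDef {
    const char *name;
    int flags;
} OptionDef;

/* constructed option table: three flag-style options and one that takes a value */
static const OptionDef options[] = {
    { "version",   0 },
    { "L",         0 },
    { "buildconf", 0 },
    { "i",         HAS_ARG },
    { NULL,        0 }
};

static int opt_has_arg(const OptionDef *po) { return po->flags & HAS_ARG; }

static const OptionDef *find_option(const OptionDef *po, const char *name)
{
    for (; po->name; po++)
        if (!strcmp(po->name, name))
            return po;
    return NULL;
}

enum { PARSE_OK = 0, PARSE_EINVAL = -EINVAL };

/* Walks argv like parse_options(); *file_args counts "-/opt file" pairs that
 * would be passed to file_read() in the real tool (no file is opened here). */
static int parse_args(int argc, char **argv, int *file_args)
{
    int optindex = 1;
    *file_args = 0;
    while (optindex < argc) {
        const char *opt = argv[optindex++];
        const char *arg = NULL;
        const OptionDef *po;
        int from_file = 0;

        if (opt[0] != '-' || !opt[1])
            continue;                      /* positional argument: ignored in this demo */
        opt++;
        if (*opt == '/') {                 /* "-/name": value comes from a file */
            from_file = 1;
            opt++;
        }
        po = find_option(options, opt);
        if (!po) {
            fprintf(stderr, "Unrecognized option '%s'\n", opt);
            return PARSE_EINVAL;
        }
        /* first check from the proposed fix: "-/" on a no-argument option */
        if (from_file && !opt_has_arg(po)) {
            fprintf(stderr, "Option '%s' does not take an argument; '-/%s' is invalid\n",
                    po->name, po->name);
            return PARSE_EINVAL;
        }
        if (opt_has_arg(po)) {
            /* second check: the bound test the crashing path lacked */
            if (optindex >= argc) {
                fprintf(stderr, "Missing argument for option '%s'\n", po->name);
                return PARSE_EINVAL;
            }
            arg = argv[optindex++];        /* never NULL past this point */
        }
        if (from_file)
            (*file_args)++;                /* real code would call file_read(arg) here */
        (void)arg;
    }
    return PARSE_OK;
}

int main(int argc, char **argv)
{
    int file_args;
    int ret = parse_args(argc, argv, &file_args);
    printf("ret=%d file_args=%d\n", ret, file_args);
    return ret ? 1 : 0;
}
```

Run it as `./demo -/version`, `./demo -/i` and `./demo -/i args.txt` to see the three cases from the ticket: the first two return an error without touching `argv[argc]`, the third is accepted and counted as one file-backed argument.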
--
Ticket URL: <https://trac.ffmpeg.org/ticket/11651>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker