[FFmpeg-cvslog] [ffmpeg] 40/127: fftools/ffmpeg_opt: limit recursion of presets

Tue, 05 May 2026 10:41:16 -0700 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch release/4.4
in repository ffmpeg.

commit 16d3a590627a23d491ee0952fec7d5f93dc1d1bd
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Thu Jan 22 21:11:34 2026 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Tue May 5 18:55:01 2026 +0200

    fftools/ffmpeg_opt: limit recursion of presets
    
    Fixes: stack overflow
    
    This should have limited security impact as it requires access to arbitrary
    options.
    
    Found-by: Zhenpeng (Leo) Lin from depthfirst
    Signed-off-by: Michael Niedermayer <[email protected]>
    (cherry picked from commit 0833dd3665baede81ae700ae7e04a7c5143984af)
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 fftools/ffmpeg.h     | 1 +
 fftools/ffmpeg_opt.c | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/fftools/ffmpeg.h b/fftools/ffmpeg.h
index 606f2afe0c..81a21fbc48 100644
--- a/fftools/ffmpeg.h
+++ b/fftools/ffmpeg.h
@@ -93,6 +93,7 @@ typedef struct {
 
 typedef struct OptionsContext {
     OptionGroup *g;
+    int depth;
 
     /* input/output options */
     int64_t start_time;
diff --git a/fftools/ffmpeg_opt.c b/fftools/ffmpeg_opt.c
index feaf4faebb..eccfe106a5 100644
--- a/fftools/ffmpeg_opt.c
+++ b/fftools/ffmpeg_opt.c
@@ -3019,6 +3019,12 @@ static int opt_preset(void *optctx, const char *opt, 
const char *arg)
     FILE *f=NULL;
     char filename[1000], line[1000], tmp_line[1000];
     const char *codec_name = NULL;
+    int depth = o->depth;
+
+    if (depth > 2) {
+        av_log(NULL, AV_LOG_ERROR, "too deep recursion\n");
+        return AVERROR(EINVAL);
+    }
 
     tmp_line[0] = *opt;
     tmp_line[1] = 0;
@@ -3032,6 +3038,7 @@ static int opt_preset(void *optctx, const char *opt, 
const char *arg)
         exit_program(1);
     }
 
+    o->depth ++;
     while (fgets(line, sizeof(line), f)) {
         char *key = tmp_line, *value, *endptr;
 
@@ -3056,6 +3063,7 @@ static int opt_preset(void *optctx, const char *opt, 
const char *arg)
         }
     }
 
+    o->depth = depth;
     fclose(f);
 
     return 0;

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to