This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit 8cae96eb624040952ed672cbfdd21e4a7f1dd107 Author: Michael Niedermayer <[email protected]> AuthorDate: Thu Feb 26 00:36:42 2026 +0100 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 18:55:05 2026 +0200 avutil/eval: Check depth of AVExpr we already check the depth of the parser but the AVExpr tree differs Fixes: stack exhaustion Fixes: YWH-PGM40646-39 Found-by: jpraveenrao Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit ed5040e6f58371514a7d2280aa4f76f879026885) Signed-off-by: Michael Niedermayer <[email protected]> --- libavutil/eval.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/libavutil/eval.c b/libavutil/eval.c index d0bada9b31..ade5b5acee 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -40,6 +40,8 @@ #include "timer.h" #include "reverse.h" +#define MAX_DEPTH 100 + typedef struct Parser { const AVClass *class; int stack_index; @@ -174,6 +176,7 @@ struct AVExpr { } a; struct AVExpr *param[3]; double *var; + int depth; }; static double etime(double v) @@ -422,6 +425,14 @@ static int parse_primary(AVExpr **e, Parser *p) } p->s++; // ")" + for (int i = 0; i<3; i++) + if (d->param[i]) + d->depth = FFMAX(d->depth, d->param[i]->depth+1); + if (d->depth > MAX_DEPTH) { + av_expr_free(d); + return AVERROR(EINVAL); + } + d->type = e_func0; if (strmatch(next, "sinh" )) d->a.func0 = sinh; else if (strmatch(next, "cosh" )) d->a.func0 = cosh; @@ -505,6 +516,9 @@ static int parse_primary(AVExpr **e, Parser *p) static AVExpr *make_eval_expr(int type, int value, AVExpr *p0, AVExpr *p1) { + int depth = FFMAX(p0->depth, p1->depth) + 1; + if (depth > MAX_DEPTH) + return NULL; AVExpr *e = av_mallocz(sizeof(AVExpr)); if (!e) return NULL; @@ -512,6 +526,7 @@ static AVExpr *make_eval_expr(int type, int value, AVExpr *p0, AVExpr *p1) e->value =value ; e->param[0] =p0 ; e->param[1] =p1 ; + e->depth = depth; return e; } _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
