#11651: NULL Pointer Dereference in FFmpeg ffprobe
-------------------------------------+-------------------------------------
             Reporter:  momo-trip    |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:               |                  Version:  7.1
  undetermined                       |
             Keywords:  NULL         |               Blocked By:
  pointer dereference                |
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------

 Hi, we have found a NULL pointer dereference in ffprobe and would like to
 report this issue.
 Could you confirm if this qualifies as a security bug? I am happy to
 provide any additional information needed.

 ## Summary
 In ffprobe's special syntax `-/opt`, when no subsequent argument exists, a
 NULL pointer is passed, causing `open(NULL, ...)` to be called and
 resulting in abnormal termination. This is reproducible with input alone,
 and in service environments that automatically execute ffprobe, this
 constitutes a DoS attack.

 ## Details
 - **Vulnerability Type:** NULL Pointer Dereference arising from Improper
 Input Validation, CWE-20
 - **Product:** FFmpeg (ffprobe)
 - **Version:** 7.1.1 (commit f11962f, 2025-05-15)
 - **Configuration:** Default settings, no additional options
 - **Attack Vector:** Local CLI (arbitrary user input)
 - **Impact:** Process abnormal termination (service interruption)
 - **Privileges Required / User Interaction:** None required / Command
 execution only

 ## Reproduction
 ### Environment
 - **Operating System:** Ubuntu 22.04 LTS
 - **Architecture:** x86-64
 - **Compiler:** clang 15.0.7 + AddressSanitizer

 ### Reproduction Steps
 ```bash
 # Clone and build (ASan enabled)
 git clone https://github.com/FFmpeg/FFmpeg.git
 cd FFmpeg
 git checkout f11962f
 ./configure --enable-gpl \
             CC=clang CFLAGS="-fsanitize=address -g -O1" \
             LDFLAGS="-fsanitize=address"
 make -j$(nproc)

 # Crash examples
 ./ffprobe -/version
 ./ffprobe -/L
 ./ffprobe -/buildconf
 ```

 ### Crash Log
 Output (AddressSanitizer excerpt):
 ```text
 ==7854==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
     #0 0x7f2b6c in open (/usr/lib/x86_64-linux-gnu/libc.so.6+0xfa6c)
     #1 0x5605fd in file_read fftools/cmdutils.c:272
     #2 0x5632ab in parse_option fftools/cmdutils.c:266
     #3 0x564de0 in parse_options fftools/cmdutils.c:448
     ...
 AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2b6c ...)
 ```

 ## Root Cause Analysis
 ### Affected Code
 https://github.com/FFmpeg/FFmpeg/blob/master/fftools/cmdutils.c#L431
 https://github.com/FFmpeg/FFmpeg/blob/master/fftools/cmdutils.c#L255
 ```c
 // parse_options() (approximately lines 431–441)
 opt = argv[optindex++];                 /* optindex is incremented */
 ...
 if ((ret = parse_option(optctx, opt, argv[optindex], options)) < 0)
     return ret;                         /* when optindex == argc, argv[optindex] is NULL */

 // write_option() (approximately lines 255–274)
 if (*opt == '/') {
     opt++;
     /* No validation for argument requirement or arg == NULL */
     arg_allocated = file_read(arg);     /* arg is NULL → open(NULL, ...) */
 }
 ```

 ## Impact Assessment
 - No elements of remote code execution or information disclosure are
 present.
 - However, in automated analysis services that launch ffprobe, it is
 possible to stop the process with a single malicious argument, affecting
 availability.

 ## Proposed Fix
 - Utilize `opt_has_arg(const OptionDef *po)` to reference `argv[optindex]`
 only for options that require arguments.
 - When `/` syntax is detected:
   - Check if the target option requires an argument; reject if not
 required.
   - If `arg == NULL`, return with "file not specified" error.

 ```c
 /* parse_options() */
 const OptionDef *po = find_option(options, name);
 if (po && opt_has_arg(po) && optindex >= argc) {
     av_log(NULL, AV_LOG_ERROR,
            "Missing argument for option '%s'\n", opt);
     return AVERROR(EINVAL);
 }

 /* -/ processing in write_option() */
 if (*opt == '/') {
     opt++;
     if (!opt_has_arg(po)) {
         av_log(NULL, AV_LOG_ERROR,
                "Option '%s' does not take an argument; '-/%s' is invalid\n",
                po->name, po->name);
         return AVERROR(EINVAL);
     }
     if (!arg) {
         av_log(NULL, AV_LOG_ERROR,
                "No file specified after '-/%s'\n", po->name);
         return AVERROR(EINVAL);
     }
 }
 ```
-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11651>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
_______________________________________________
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac
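Added example (not FFmpeg's code, not the reporter's): a minimal stand-alone model of the `-opt` / `-/opt` parsing described in the ticket, with the two checks the proposed fix calls for. The option table, `find_option`, `parse_one` and `parse_argv` are constructed stand-ins, and `file_read` only opens the path; the point is that `argv[argc]` is NULL, so the last token `-/i` or `-/version` must be rejected before anything reaches `open()`.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Constructed option table modelled on the report; not FFmpeg's OptionDef. */
typedef struct { const char *name; int has_arg; } OptionDef;
static const OptionDef options[] = {
    { "version", 0 }, { "L", 0 }, { "buildconf", 0 }, { "i", 1 }, { NULL, 0 }
};

static const OptionDef *find_option(const char *name) {
    for (const OptionDef *po = options; po->name; po++)
        if (strcmp(po->name, name) == 0) return po;
    return NULL;
}

/* Stand-in for file_read(): only tries to open the path; 0 or -errno. */
static int file_read(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -errno;
    close(fd);
    return 0;
}

/* Hardened handling of one token. `arg` is the next argv entry, which is
 * NULL when the option is the last token. Returns the number of extra
 * tokens consumed (0 or 1), or -errno. */
static int parse_one(const char *opt, const char *arg) {
    int from_file = (*opt == '/');
    if (from_file) opt++;
    const OptionDef *po = find_option(opt);
    if (!po) return -EINVAL;                       /* unknown option */
    if (from_file && !po->has_arg) return -EINVAL; /* "-/version" is invalid */
    if (po->has_arg && !arg) return -EINVAL;       /* no argument: never open(NULL) */
    if (from_file) {
        int ret = file_read(arg);                  /* read the argument from a file */
        if (ret < 0) return ret;
    }
    return po->has_arg ? 1 : 0;
}

/* Walks argv like parse_options(); returns 0 or the first error. */
int parse_argv(int argc, char **argv) {
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] != '-') continue;           /* positional input, not an option */
        int ret = parse_one(argv[i] + 1, argv[i + 1]); /* argv[argc] == NULL by C rules */
        if (ret < 0) return ret;
        i += ret;                                  /* skip the consumed argument */
    }
    return 0;
}
```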