#11651: NULL Pointer Dereference in FFmpeg ffprobe
-------------------------------------+-------------------------------------
               Reporter:  momo-trip  |       Type:  defect
                 Status:  new        |   Priority:  normal
              Component:             |    Version:  7.1
                          undetermined
               Keywords:  NULL       |  Blocked By:
                          pointer    |    Blocking:
                          dereference
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------

# NULL Pointer Dereference in FFmpeg ffprobe
Hi, we have found a NULL pointer dereference in ffprobe and would like to report this issue. Could you confirm if this qualifies as a security bug? I am happy to provide any additional information needed.

## Summary

In ffprobe's special syntax `-/opt`, when no subsequent argument exists, a NULL pointer is passed, causing `open(NULL, ...)` to be called and resulting in abnormal termination. This is reproducible with input alone, and in service environments that automatically execute ffprobe, this constitutes a DoS attack.

## Details

- **Vulnerability Type:** NULL Pointer Dereference arising from Improper Input Validation, CWE-20
- **Product:** FFmpeg (ffprobe)
- **Version:** 7.1.1 (commit f11962f, 2025-05-15)
- **Configuration:** Default settings, no additional options
- **Attack Vector:** Local CLI (arbitrary user input)
- **Impact:** Process abnormal termination (service interruption)
- **Privileges Required / User Interaction:** None required / Command execution only

## Reproduction

### Environment

- **Operating System:** Ubuntu 22.04 LTS
- **Architecture:** x86-64
- **Compiler:** clang 15.0.7 + AddressSanitizer

### Reproduction Steps

```bash
# Clone and build (ASan enabled)
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
git checkout f11962f
./configure --enable-gpl \
    CC=clang CFLAGS="-fsanitize=address -g -O1" \
    LDFLAGS="-fsanitize=address"
make -j$(nproc)

# Crash examples
./ffprobe -/version
./ffprobe -/L
./ffprobe -/buildconf
```

### Crash Log

```
Output (AddressSanitizer excerpt)
==7854==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
    #0 0x7f2b6c in open (/usr/lib/x86_64-linux-gnu/libc.so.6+0xfa6c)
    #1 0x5605fd in file_read fftools/cmdutils.c:272
    #2 0x5632ab in parse_option fftools/cmdutils.c:266
    #3 0x564de0 in parse_options fftools/cmdutils.c:448
    ...
AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2b6c ...)
```

## Root Cause Analysis

### Affected Code

https://github.com/FFmpeg/FFmpeg/blob/master/fftools/cmdutils.c#L431
https://github.com/FFmpeg/FFmpeg/blob/master/fftools/cmdutils.c#L255

```c
// parse_options() (approximately lines 431–441)
opt = argv[optindex++];                 /* optindex is incremented */
...
if ((ret = parse_option(optctx, opt, argv[optindex], options)) < 0)
    return ret;                         /* when optindex == argc, argv[...] is NULL */

// write_option() (approximately lines 255–274)
if (*opt == '/') {
    opt++;                              /* No validation for argument requirement or arg==NULL */
    arg_allocated = file_read(arg);     /* arg is NULL → open(NULL, ...) */
}
```

## Impact Assessment

- No elements of remote code execution or information disclosure are present.
- However, in automated analysis services that launch ffprobe, it is possible to stop the process with a single malicious argument, affecting availability.

## Proposed Fix

- Utilize `opt_has_arg(const OptionDef *po)` to reference `argv[optindex]` only for options that require arguments.
- When the `/` syntax is detected:
  - Check whether the target option requires an argument; reject if it does not.
  - If `arg == NULL`, return with a "file not specified" error.

```c
/* parse_options() */
const OptionDef *po = find_option(options, name);
if (po && opt_has_arg(po) && optindex >= argc) {
    av_log(NULL, AV_LOG_ERROR, "Missing argument for option '%s'\n", opt);
    return AVERROR(EINVAL);
}

/* -/ processing in write_option() */
if (*opt == '/') {
    opt++;
    if (!opt_has_arg(po)) {
        av_log(NULL, AV_LOG_ERROR,
               "Option '%s' does not take an argument; '-/%s' is invalid\n",
               po->name, po->name);
        return AVERROR(EINVAL);
    }
    if (!arg) {
        av_log(NULL, AV_LOG_ERROR, "No file specified after '-/%s'\n", po->name);
        return AVERROR(EINVAL);
    }
}
```

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11651>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
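The two checks the ticket proposes, modelled in a stand-alone C program. This is an added example, not FFmpeg's code or the reporter's patch: `OptionDef`, `OPT_HAS_ARG`, `find_option`, `opt_has_arg`, `file_read`, `parse_options` and `demo_roundtrip` are this example's own names, chosen to resemble `fftools/cmdutils.c` without copying it, and the option table and input file are constructed. It shows why a `-/opt` argument must be validated twice: first that the option takes an argument at all, then that the file name is actually present, so `file_read` is never reached with a NULL name.

```c
/* Added example (not FFmpeg code): minimal "-/opt" option parser with the
 * checks from the ticket. Returns errno-style negative codes instead of
 * AVERROR() so it builds without libavutil. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define OPT_HAS_ARG 1

typedef struct OptionDef {
    const char *name;
    int flags;                      /* OPT_HAS_ARG: option consumes argv[optindex] */
} OptionDef;

/* Constructed option table: "version" and "L" take no argument, "i" does. */
static const OptionDef options[] = {
    { "version", 0 }, { "L", 0 }, { "i", OPT_HAS_ARG }, { NULL, 0 },
};

static char last_arg[256];          /* last option value parsed, for inspection */

static const OptionDef *find_option(const char *name)
{
    for (const OptionDef *po = options; po->name; po++)
        if (strcmp(po->name, name) == 0)
            return po;
    return NULL;
}

static int opt_has_arg(const OptionDef *po) { return po->flags & OPT_HAS_ARG; }

/* Read a whole file into a malloc'd NUL-terminated buffer; NULL on failure.
 * Reaching this with filename == NULL is the crash the ticket describes. */
static char *file_read(const char *filename)
{
    FILE *f = fopen(filename, "rb");
    if (!f)
        return NULL;
    char *buf = NULL, chunk[512];
    size_t len = 0, n;
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0) {
        char *tmp = realloc(buf, len + n + 1);
        if (!tmp) { free(buf); fclose(f); return NULL; }
        buf = tmp;
        memcpy(buf + len, chunk, n);
        len += n;
    }
    fclose(f);
    if (!buf)
        return calloc(1, 1);        /* empty file -> empty string */
    buf[len] = '\0';
    return buf;
}

/* 0 on success; -EINVAL for an unknown option, "-/" on an option without an
 * argument, or a missing argument; -ENOENT when the named file is unreadable. */
int parse_options(int argc, char **argv)
{
    int optindex = 1;
    while (optindex < argc) {
        const char *opt = argv[optindex++];
        if (opt[0] != '-' || !opt[1])
            return -EINVAL;         /* this model only handles options */
        opt++;
        int from_file = (*opt == '/');
        if (from_file)
            opt++;
        const OptionDef *po = find_option(opt);
        if (!po)
            return -EINVAL;
        /* Check 1: only options that take an argument may use "-/" and
         * may consult argv[optindex]. */
        if (!opt_has_arg(po)) {
            if (from_file) {
                fprintf(stderr, "Option '%s' does not take an argument; '-/%s' is invalid\n",
                        po->name, po->name);
                return -EINVAL;
            }
            continue;
        }
        /* Check 2: the argument (the file name for "-/") must be present. */
        const char *arg = optindex < argc ? argv[optindex++] : NULL;
        if (!arg) {
            fprintf(stderr, "Missing argument for option '-%s%s'\n",
                    from_file ? "/" : "", po->name);
            return -EINVAL;
        }
        if (from_file) {
            char *contents = file_read(arg);
            if (!contents) {
                fprintf(stderr, "Cannot read '%s' for option '-/%s'\n", arg, po->name);
                return -ENOENT;
            }
            snprintf(last_arg, sizeof last_arg, "%s", contents);
            free(contents);
        } else {
            snprintf(last_arg, sizeof last_arg, "%s", arg);
        }
    }
    return 0;
}

/* End-to-end check: write a constructed file, pass it via "-/i", and confirm
 * the option value was read from the file. Returns 0 on success. */
int demo_roundtrip(void)
{
    char path[] = "/tmp/ffprobe_demo_XXXXXX";   /* constructed temp file */
    const char *content = "constructed_input.mp4";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, content, strlen(content)) != (ssize_t)strlen(content)) {
        close(fd); unlink(path); return -1;
    }
    close(fd);
    char *argv[] = { "ffprobe", "-/i", path, NULL };
    int ret = parse_options(3, argv);
    unlink(path);
    if (ret != 0)
        return ret;
    return strcmp(last_arg, content) == 0 ? 0 : -1;
}

int main(void)
{
    char *bad[] = { "ffprobe", "-/version", NULL };
    printf("-/version -> %d (expected %d)\n", parse_options(2, bad), -EINVAL);
    printf("-/i with file -> %d (expected 0)\n", demo_roundtrip());
    return 0;
}
```

Both rejections are returned before `file_read` is ever called, which is the property the ticket asks for; the ASan trace in the report shows the unpatched path reaching `open()` with the NULL argument instead.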