PR #22286 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22286 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22286.patch
we already check the depth of the parser but the AVExpr tree differs Fixes: stack exhaustion Fixes: YWH-PGM40646-39 Found-by: jpraveenrao Signed-off-by: Michael Niedermayer <[email protected]> >From b9313d585f0377ca84da050aa99a5801b172944a Mon Sep 17 00:00:00 2001 From: Michael Niedermayer <[email protected]> Date: Thu, 26 Feb 2026 00:36:42 +0100 Subject: [PATCH] avutil/eval: Check depth of AVExpr we already check the depth of the parser but the AVExpr tree differs Fixes: stack exhaustion Fixes: YWH-PGM40646-39 Found-by: jpraveenrao Signed-off-by: Michael Niedermayer <[email protected]> --- libavutil/eval.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/libavutil/eval.c b/libavutil/eval.c index 8069ed88a2..c40b381aae 100644 --- a/libavutil/eval.c +++ b/libavutil/eval.c @@ -40,6 +40,8 @@ #include "avstring.h" #include "reverse.h" +#define MAX_DEPTH 100 + typedef struct Parser { const AVClass *class; int stack_index; @@ -176,6 +178,7 @@ struct AVExpr { struct AVExpr *param[3]; double *var; FFSFC64 *prng_state; + int depth; }; static double etime(double v) @@ -430,13 +433,16 @@ static int parse_primary(AVExpr **e, Parser *p) av_expr_free(d); return ret; } + d->depth = FFMAX(d->depth, d->param[0]->depth+1); if (p->s[0]== ',') { p->s++; // "," parse_expr(&d->param[1], p); + d->depth = FFMAX(d->depth, d->param[1]->depth+1); } if (p->s[0]== ',') { p->s++; // "," parse_expr(&d->param[2], p); + d->depth = FFMAX(d->depth, d->param[2]->depth+1); } if (p->s[0] != ')') { av_log(p, AV_LOG_ERROR, "Missing ')' or too many args in '%s'\n", s0); @@ -529,6 +535,9 @@ static int parse_primary(AVExpr **e, Parser *p) static AVExpr *make_eval_expr(int type, int value, AVExpr *p0, AVExpr *p1) { + int depth = FFMAX(p0->depth, p1->depth) + 1; + if (depth > MAX_DEPTH) + return NULL; AVExpr *e = av_mallocz(sizeof(AVExpr)); if (!e) return NULL; 
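Review bot: `MAX_DEPTH` in the first hunk (`@@ -40,6 +40,8 @@`) and the `depth` field added to `struct AVExpr` in the second hunk (`@@ -176,6 +178,7 @@`) carry no comment saying what is being bounded. The commit message explains that the parser's own depth check does not bound the height of the resulting tree, and that reasoning belongs next to the code, for example `/* maximum height of an AVExpr tree, checked when nodes are built */` above the define and `int depth; ///< height of the subtree rooted at this node` on the field. A leaf presumably has depth 0 because nodes are zero-allocated, as the `av_mallocz` call in `make_eval_expr` suggests; leaf allocation elsewhere is outside this patch.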
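Review bot: In the `parse_primary` hunk (`@@ -430,13 +433,16 @@`), the added `d->depth = FFMAX(d->depth, d->param[1]->depth+1);` and its `param[2]` twin dereference the child immediately after a `parse_expr()` call whose return value is ignored. If `parse_expr()` can fail without storing a node, the child pointer is presumably still NULL (the allocation of `d` is outside the hunk), so a malformed second or third argument would become a NULL dereference in the parser. Check the result the way the `param[0]` call just above already does: `if ((ret = parse_expr(&d->param[1], p)) < 0) { av_expr_free(d); return ret; }`, and likewise for `param[2]`. The depth accumulated here is also never compared with `MAX_DEPTH`; only `make_eval_expr` enforces the limit, so function-call nesting relies on the parser's existing check. `parse_primary` begins and ends outside the hunk.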
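Review bot: In `make_eval_expr` (`@@ -529,6 +535,9 @@`), the over-depth case returns NULL, the same value returned when `av_mallocz` fails, so callers cannot tell a rejected expression from an out-of-memory condition. The callers are outside this patch; if they map NULL to an allocation error, a too-deep expression would be reported as ENOMEM with no log message, which is worth confirming and documenting with a comment such as `/* NULL also means the tree would exceed MAX_DEPTH; p0/p1 are left untouched for the caller to free */`. The new first line also reads `p0->depth` and `p1->depth` unconditionally, so the function now requires both children to be non-NULL, which the old body, only storing the pointers, did not. The final hunk (`@@ -536,6 +545,7 @@`) only stores the computed value and needs no change.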
@@ -536,6 +545,7 @@ static AVExpr *make_eval_expr(int type, int value, AVExpr *p0, AVExpr *p1) e->value =value ; e->param[0] =p0 ; e->param[1] =p1 ; + e->depth = depth; return e; } -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
