[FFmpeg-cvslog] [ffmpeg] 02/04: avutil/eval: Check depth of AVExpr

Mon, 02 Mar 2026 18:33:27 -0800 

This is an automated email from the git hooks/post-receive script.

Git pushed a commit to branch master
in repository ffmpeg.

commit ed5040e6f58371514a7d2280aa4f76f879026885
Author:     Michael Niedermayer <[email protected]>
AuthorDate: Thu Feb 26 00:36:42 2026 +0100
Commit:     Michael Niedermayer <[email protected]>
CommitDate: Tue Mar 3 03:28:37 2026 +0100

    avutil/eval: Check depth of AVExpr
    
    we already check the depth of the parser but the AVExpr tree differs
    
    Fixes: stack exhaustion
    Fixes: YWH-PGM40646-39
    
    Found-by: jpraveenrao
    Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavutil/eval.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/libavutil/eval.c b/libavutil/eval.c
index 8069ed88a2..a662e79b29 100644
--- a/libavutil/eval.c
+++ b/libavutil/eval.c
@@ -40,6 +40,8 @@
 #include "avstring.h"
 #include "reverse.h"
 
+#define MAX_DEPTH 100
+
 typedef struct Parser {
     const AVClass *class;
     int stack_index;
@@ -176,6 +178,7 @@ struct AVExpr {
     struct AVExpr *param[3];
     double *var;
     FFSFC64 *prng_state;
+    int depth;
 };
 
 static double etime(double v)
@@ -445,6 +448,14 @@ static int parse_primary(AVExpr **e, Parser *p)
     }
     p->s++; // ")"
 
+    for (int i = 0; i<3; i++)
+        if (d->param[i])
+            d->depth = FFMAX(d->depth, d->param[i]->depth+1);
+    if (d->depth > MAX_DEPTH) {
+        av_expr_free(d);
+        return AVERROR(EINVAL);
+    }
+
     d->type = e_func0;
          if (strmatch(next, "sinh"  )) d->a.func0 = sinh;
     else if (strmatch(next, "cosh"  )) d->a.func0 = cosh;
@@ -529,6 +540,9 @@ static int parse_primary(AVExpr **e, Parser *p)
 
 static AVExpr *make_eval_expr(int type, int value, AVExpr *p0, AVExpr *p1)
 {
+    int depth = FFMAX(p0->depth, p1->depth) + 1;
+    if (depth > MAX_DEPTH)
+        return NULL;
     AVExpr *e = av_mallocz(sizeof(AVExpr));
     if (!e)
         return NULL;
@@ -536,6 +550,7 @@ static AVExpr *make_eval_expr(int type, int value, AVExpr 
*p0, AVExpr *p1)
     e->value    =value  ;
     e->param[0] =p0     ;
     e->param[1] =p1     ;
+    e->depth    = depth;
     return e;
 }
 

_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to