Opened 11 months ago

Last modified 8 months ago

#11651 open defect

NULL Pointer Dereference in FFmpeg ffprobe

Reported by: momo-trip
Owned by:
Priority: important
Component: ffprobe
Version: 7.1
Keywords: NULL pointer dereference
Cc: momo-trip
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

# NULL Pointer Dereference in FFmpeg ffprobe

Hi, we have found a NULL pointer dereference in ffprobe and would like to report this issue.
Could you confirm if this qualifies as a security bug? I am happy to provide any additional information needed.

## Summary
In ffprobe's special syntax -/opt, when no subsequent argument exists, a NULL pointer is passed, causing open(NULL, ...) to be called and resulting in abnormal termination. This is reproducible with input alone, and in service environments that automatically execute ffprobe, this constitutes a DoS attack.

## Details

  • Vulnerability Type: NULL Pointer Dereference arising from Improper Input Validation, CWE-20
  • Product: FFmpeg (ffprobe)
  • Version: 7.1.1 (commit f11962f, 2025-05-15)
  • Configuration: Default settings, no additional options
  • Attack Vector: Local CLI (arbitrary user input)
  • Impact: Process abnormal termination (service interruption)
  • Privileges Required / User Interaction: None required / Command execution only

## Reproduction
### Environment

  • Operating System: Ubuntu 22.04 LTS
  • Architecture: x86-64
  • Compiler: clang 15.0.7 + AddressSanitizer

### Reproduction Steps
```bash
# Clone and build (ASan enabled)
git clone https://github.com/FFmpeg/FFmpeg.git
cd FFmpeg
git checkout f11962f
./configure --enable-gpl \
    --cc=clang \
    --extra-cflags="-fsanitize=address -g -O1" \
    --extra-ldflags="-fsanitize=address"
make -j$(nproc)

# Crash examples
./ffprobe -/version
./ffprobe -/L
./ffprobe -/buildconf
```

### Crash Log
Output (AddressSanitizer excerpt):

```text
==7854==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
    #0 0x7f2b6c in open (/usr/lib/x86_64-linux-gnu/libc.so.6+0xfa6c)
    #1 0x5605fd in file_read fftools/cmdutils.c:272
    #2 0x5632ab in parse_option fftools/cmdutils.c:266
    #3 0x564de0 in parse_options fftools/cmdutils.c:448
    ...

AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2b6c ...)
```

## Root Cause Analysis
### Affected Code
https://github.com/FFmpeg/FFmpeg/blob/master/fftools/cmdutils.c#L431
https://github.com/FFmpeg/FFmpeg/blob/master/fftools/cmdutils.c#L255
```c
/* parse_options() (approximately lines 431–441) */
opt = argv[optindex++];                     /* optindex is incremented */
/* ... */
if ((ret = parse_option(optctx, opt, argv[optindex], options)) < 0)
    return ret;                             /* when optindex == argc, argv[optindex] is NULL */

/* write_option() (approximately lines 255–274) */
if (*opt == '/') {
    opt++;
    /* No validation for argument requirement or arg == NULL */
    arg_allocated = file_read(arg);         /* arg is NULL -> open(NULL, ...) */
}
```

## Impact Assessment

  • No elements of remote code execution or information disclosure are present.
  • However, in automated analysis services that launch ffprobe, it is possible to stop the process with a single malicious argument, affecting availability.

## Proposed Fix

  • Utilize opt_has_arg(const OptionDef *po) to reference argv[optindex] only for options that require arguments.
  • When / syntax is detected:
    • Check if the target option requires an argument; reject if not required.
    • If arg == NULL, return with "file not specified" error.

```c
/* parse_options() */
const OptionDef *po = find_option(options, opt);
if (po && opt_has_arg(po) && optindex >= argc) {
    av_log(NULL, AV_LOG_ERROR,
           "Missing argument for option '%s'\n", opt);
    return AVERROR(EINVAL);
}

/* -/ processing in write_option(); po is write_option()'s OptionDef parameter */
if (*opt == '/') {
    opt++;
    if (!opt_has_arg(po)) {
        av_log(NULL, AV_LOG_ERROR,
               "Option '%s' does not take an argument; '-/%s' is invalid\n",
               po->name, po->name);
        return AVERROR(EINVAL);
    }
    if (!arg) {
        av_log(NULL, AV_LOG_ERROR,
               "No file specified after '-/%s'\n", po->name);
        return AVERROR(EINVAL);
    }
}
```
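
As a worked example added here (not code from the ticket or from FFmpeg), the C program below models the path that the root-cause analysis and the proposed fix describe: a tiny option table, a `find_option()` that skips the `/` prefix, a `file_read()` that is a plain open()/read() stand-in for the real one, and a `write_option()` with a `hardened` switch that places the proposed fix's two checks (option takes a value, a file was named) in front of `file_read()`. `DemoOptionDef`, `demo_options`, `DEMO_HAS_ARG`, `demo_case()` and `demo_threads_from_file()` are names invented for the demo, and the "missing argument" check for options that take a value is the model's own assumption, included so that the demo shows why, in this model, only a no-value option such as `-/version` reaches `file_read()` with NULL.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for fftools' OptionDef (demo names, not FFmpeg's). */
enum { DEMO_HAS_ARG = 1 };                  /* option consumes argv[optindex] */
typedef struct { const char *name; int flags; int *dst; } DemoOptionDef;

static int g_threads;                       /* backing store for "threads" */
static const DemoOptionDef demo_options[] = {
    { "version", 0,            NULL       }, /* takes no value, like -version */
    { "threads", DEMO_HAS_ARG, &g_threads }, /* takes one value */
    { NULL,      0,            NULL       },
};

static int opt_has_arg(const DemoOptionDef *po) { return po->flags & DEMO_HAS_ARG; }

/* A leading '/' is skipped, so "-/version" resolves to "version" although it takes no value. */
static const DemoOptionDef *find_option(const char *name)
{
    if (*name == '/')
        name++;
    for (const DemoOptionDef *po = demo_options; po->name; po++)
        if (!strcmp(po->name, name))
            return po;
    return NULL;
}

/* The sink from the ticket: a NULL filename goes straight into open(). */
static char *file_read(const char *filename)
{
    int fd = open(filename, O_RDONLY);
    if (fd < 0)
        return NULL;
    char *buf = malloc(4096);                     /* demo: values under 4 KiB */
    ssize_t n = buf ? read(fd, buf, 4095) : -1;
    close(fd);
    if (n < 0) { free(buf); return NULL; }
    buf[n] = '\0';
    return buf;
}

/* hardened == 0 is the flow the report describes; hardened == 1 adds the proposed fix's checks. */
static int write_option(const DemoOptionDef *po, const char *opt,
                        const char *arg, int hardened)
{
    char *arg_allocated = NULL;
    if (*opt == '/') {
        opt++;
        if (hardened && (!opt_has_arg(po) || !arg))
            return -EINVAL;                       /* no value expected, or no file named */
        if (!(arg_allocated = file_read(arg)))    /* unhardened: arg may be NULL here */
            return -EINVAL;
        arg = arg_allocated;
    }
    if (po->dst)
        *po->dst = atoi(arg);
    free(arg_allocated);
    return 0;
}

/* Like parse_options(): argv[optindex] is handed on regardless, and is NULL once optindex == argc. */
static int parse_options(int argc, char **argv, int hardened)
{
    for (int optindex = 1; optindex < argc; ) {
        const char *opt = argv[optindex++];
        if (*opt++ != '-')
            return -EINVAL;                       /* demo handles options only */
        const DemoOptionDef *po = find_option(opt);
        if (!po)
            return -EINVAL;
        const char *arg = argv[optindex];         /* NULL at the end of argv */
        if (opt_has_arg(po) && !arg)              /* catches "-threads" alone, but */
            return -EINVAL;                       /* not the no-value "-/version"  */
        optindex += opt_has_arg(po);
        int ret = write_option(po, opt, arg, hardened);
        if (ret < 0)
            return ret;
    }
    return 0;
}

/* Runs "ffprobe <opt> [<arg>]" through the demo parser. */
static int demo_case(const char *opt, const char *arg, int hardened)
{
    char *argv[] = { "ffprobe", (char *)opt, (char *)arg, NULL };
    return parse_options(arg ? 3 : 2, argv, hardened);
}

/* Parses "-/threads <file>" with <file> holding content; returns the value that reached g_threads. */
static int demo_threads_from_file(const char *content, int hardened)
{
    char path[] = "/tmp/ffprobe-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, content, strlen(content)) < 0)
        return -EIO;
    close(fd);
    g_threads = -1;
    int ret = demo_case("-/threads", path, hardened);
    unlink(path);
    return ret < 0 ? ret : g_threads;
}
```

With `hardened = 1`, `demo_case("-/version", NULL, 1)` returns `-EINVAL`, while `demo_threads_from_file("4\n", 1)` still reads the value 4 from the named file, so the checks do not break the legitimate `-/opt file` form. The unhardened call `demo_case("-/version", NULL, 0)` is the crashing path from the report and is deliberately never exercised: it hands NULL to `open()`, which is the fault the ticket's ASan trace shows (without a sanitizer the outcome depends on the libc).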

Change History (2)

comment:1 by momo-trip, 10 months ago

Component: undetermined → ffprobe
Priority: normal → important

comment:2 by momo-trip, 8 months ago

Status: new → open