[FFmpeg-user] How to preserve file time

James Ralston ralston at pobox.com
Mon Aug 19 18:40:52 EEST 2024 

On Mon, Aug 19, 2024 at 6:41 AM Reindl Harald <h.reindl at thelounge.net> wrote:

> Am 19.08.24 um 07:56 schrieb James Ralston:
>
> > The fact that ffmpeg does it this way [queries for the existence
> > of the output file itself) is a bug (albeit perhaps one of
> > convenience, since ffmpeg supports more operating systems than just
> > Unix/Linux)
>
> it doesn't at all
> with "-y" it just opens the file and that's it

I don’t understand what you’re attempting to refute.

ffmpeg *always* overwrites the output file, because none of the
functions that ultimately call avpriv_open() in libavutil/file_open.c
set O_EXCL in the flags to open().

ffmpeg *attempts* to prevent the user from overwriting an preexisting
output file, but it does so incorrectly, by manually testing for the
existence of the output file (unless -y is given) and (if stdin is
connected to a tty) prompting the user what to do.  Especially if the
user is prompted, this leaves an enormous window for a race condition
to occur.

The *correct* way to implement a safety feature for not overwriting a
preexisting output file is to do one and only one of the following:

1. If -y is specified, omit O_EXCL from the flags to open(); otherwise
   always include O_EXCL.  Remove the -n flag.

2. If -n is specified, include O_EXCL in the flags to open();
   otherwise never include O_EXCL.  Remove the -y flag.

Choice #1 (don’t overwrite unless the invoker declares it is
permissible to do so) matches the current (incorrectly-implemented)
behavior.

I suspect the reason why ffmpeg implements its current (incorrect)
behavior is because Windows lacks the Unix/Linux equivalent of O_EXCL.

But I would argue that in that case the correct answer is to remove
the race condition (that is, rip out the manual check), correctly use
O_EXCL on Unix/Linux systems, and tell Windows users that they should
use a better OS if they want to ensure that preexisting output files
aren’t overwritten.

Introducing a race condition (with potential security implications) to
compensate for an inadequate OS functionality is rarely a good choice.

More information about the ffmpeg-user mailing list