[FFmpeg-devel] [PATCH v2 5/5] avformat/chromaprint: Avoid null pointer dereference

Andriy Gelman andriy.gelman at gmail.com
Sun Oct 6 09:00:06 EEST 2019


On Sun, 06. Oct 01:49, Andriy Gelman wrote:
> From: Andriy Gelman <andriy.gelman at gmail.com>
> 
> As of commit 21b2442f in the chromaprint library, selecting "-algorithm 2" via the ffmpeg cli creates a null pointer dereference. This can be replicated by:
> ./ffmpeg -f lavfi -i sine=d=20,asetnsamples=n=1000 -f chromaprint -algorithm 2 -
> 
> Until this issue is resolved, this commit makes ffmpeg output an error when
> "-algorithm 2" is selected for chromaprint versions > 1.2.0.
> ---
>  libavformat/chromaprint.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/libavformat/chromaprint.c b/libavformat/chromaprint.c
> index faa92ca0db..3ecce3e08a 100644
> --- a/libavformat/chromaprint.c
> +++ b/libavformat/chromaprint.c
> @@ -70,6 +70,13 @@ static int write_header(AVFormatContext *s)
>          return AVERROR(ENOMEM);
>      }
>  
> +#if CPR_VERSION_INT > AV_VERSION_INT(1, 2, 0)
> +    if (cpr->algorithm == CHROMAPRINT_ALGORITHM_TEST3) {
> +        av_log(s, AV_LOG_ERROR, "Algorithm 2 cannot be used with chromaprint version > 1.2.0 because of a bug in the chromaprint library\n");
> +        goto fail;
> +    }
> +#endif
> +
>      if (cpr->silence_threshold != -1) {
>  #if CPR_VERSION_INT >= AV_VERSION_INT(0, 7, 0)
>          if (!chromaprint_set_option(cpr->ctx, "silence_threshold", cpr->silence_threshold)) {
> -- 
> 2.23.0
> 

The segfault actually occurs in libavcodec/avfft.c in the
av_rdft_calc(RDFTContext *s, FFTSample *data) function, where the chromaprint lib passes an uninitialized context s=NULL.

Is it worth submitting a patch where contexts are checked before dereferencing
in avfft.c?

--
Andriy
