- Address boo#1223304/CVE-2023-51798: add patch

0001-avfilter-vf_minterpolate-Check-pts-before-division.patch OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/ffmpeg-4?expand=0&rev=211
2024-04-23 14:33:01 +00:00 · 2024-04-23 14:33:01 +00:00 · 6e1ca12e6b
commit 6e1ca12e6b
parent e66e889503
3 changed files with 47 additions and 0 deletions
--- a/0001-avfilter-vf_minterpolate-Check-pts-before-division.patch
+++ b/0001-avfilter-vf_minterpolate-Check-pts-before-division.patch
@ -0,0 +1,40 @@
+From 68146f06f852078866b3ef1564556e3a272920c7 Mon Sep 17 00:00:00 2001
+From: Michael Niedermayer <michael@niedermayer.cc>
+Date: Sat, 30 Dec 2023 02:51:32 +0100
+Subject: [PATCH] avfilter/vf_minterpolate: Check pts before division
+References: https://bugzilla.opensuse.org/1223304
+References: CVE-2023-51798
+
+Fixes: FPE
+Fixes: tickets/10758/poc20ffmpeg
+
+Discovered by Zeng Yunxiang
+
+Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+---
+ libavfilter/vf_minterpolate.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c
+index 9920210ece..b2242a15ee 100644
+--- a/libavfilter/vf_minterpolate.c
+++ b/libavfilter/vf_minterpolate.c
+@@ -1075,8 +1075,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out)
+     pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den,
+                                    (int64_t)             outlink->time_base.den * inlink->time_base.num);
+ 
+-    alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts);
+-    alpha = av_clip(alpha, 0, ALPHA_MAX);
+    if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) {
+        alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts);
+        alpha = av_clip(alpha, 0, ALPHA_MAX);
+    } else {
+        av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n");
+        alpha = 0;
+    }
+ 
+     if (alpha == 0 || alpha == ALPHA_MAX) {
+         av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf);
+-- 
+2.44.0
+
--- a/ffmpeg-4.changes
+++ b/ffmpeg-4.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Apr 23 14:25:53 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
+
+- Address boo#1223304/CVE-2023-51798: add patch
+  0001-avfilter-vf_minterpolate-Check-pts-before-division.patch
+
 -------------------------------------------------------------------
 Mon Apr 22 12:41:55 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

--- a/ffmpeg-4.spec
+++ b/ffmpeg-4.spec
@ -126,6 +126,7 @@ Patch12:        0001-avcodec-libsvtav1-remove-compressed_ten_bit_format-a.patch
 Patch13:        0001-avcodec-x86-mathops-clip-constants-used-with-shift-i.patch
 Patch14:        ffmpeg-glslang-cxx17.patch
 Patch15:        0001-avutil-hwcontext-Don-t-assume-frames_uninit-is-reent.patch
+Patch16:        0001-avfilter-vf_minterpolate-Check-pts-before-division.patch
 BuildRequires:  ladspa-devel
 BuildRequires:  libgsm-devel
 BuildRequires:  libmp3lame-devel