From 68146f06f852078866b3ef1564556e3a272920c7 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 30 Dec 2023 02:51:32 +0100 Subject: [PATCH] avfilter/vf_minterpolate: Check pts before division References: https://bugzilla.opensuse.org/1223304 References: CVE-2023-51798 Fixes: FPE Fixes: tickets/10758/poc20ffmpeg Discovered by Zeng Yunxiang Signed-off-by: Michael Niedermayer --- libavfilter/vf_minterpolate.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libavfilter/vf_minterpolate.c b/libavfilter/vf_minterpolate.c index 9920210ece..b2242a15ee 100644 --- a/libavfilter/vf_minterpolate.c +++ b/libavfilter/vf_minterpolate.c @@ -1075,8 +1075,13 @@ static void interpolate(AVFilterLink *inlink, AVFrame *avf_out) pts = av_rescale(avf_out->pts, (int64_t) ALPHA_MAX * outlink->time_base.num * inlink->time_base.den, (int64_t) outlink->time_base.den * inlink->time_base.num); - alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); - alpha = av_clip(alpha, 0, ALPHA_MAX); + if (mi_ctx->frames[2].avf->pts > mi_ctx->frames[1].avf->pts) { + alpha = (pts - mi_ctx->frames[1].avf->pts * ALPHA_MAX) / (mi_ctx->frames[2].avf->pts - mi_ctx->frames[1].avf->pts); + alpha = av_clip(alpha, 0, ALPHA_MAX); + } else { + av_log(ctx, AV_LOG_DEBUG, "duplicate input PTS detected\n"); + alpha = 0; + } if (alpha == 0 || alpha == ALPHA_MAX) { av_frame_copy(avf_out, alpha ? mi_ctx->frames[2].avf : mi_ctx->frames[1].avf); -- 2.44.0