From 23a7f795ec845a9e13a0fde20802c4408658cbdf Mon Sep 17 00:00:00 2001
From: Michel Alexandre Salim
Date: Wed, 7 Jul 2010 23:14:31 +0000
Subject: [PATCH] - Fix for channel per frame overflow (CVE-2009-0186, #488364)
---
 ...file-1.0.17-channels-per-frame-overflow.patch | 16 ++++++++++++++++
 libsndfile.spec | 9 +++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 libsndfile-1.0.17-channels-per-frame-overflow.patch
diff --git a/libsndfile-1.0.17-channels-per-frame-overflow.patch b/libsndfile-1.0.17-channels-per-frame-overflow.patch
new file mode 100644
index 0000000..eea2d10
--- /dev/null
+++ b/libsndfile-1.0.17-channels-per-frame-overflow.patch
@@ -0,0 +1,16 @@
+diff -up libsndfile-1.0.17/src/caf.c.orig libsndfile-1.0.17/src/caf.c
+--- libsndfile-1.0.17/src/caf.c.orig 2006-08-31 11:22:07.000000000 +0200
++++ libsndfile-1.0.17/src/caf.c 2010-07-07 15:25:35.579607380 +0200
+@@ -282,6 +282,11 @@ caf_read_header (SF_PRIVATE *psf)
+ " Frames / packet : %u\n Channels / frame : %u\n Bits / channel : %u\n",
+ desc.fmt_id, desc.fmt_flags, desc.pkt_bytes, desc.pkt_frames, desc.channels_per_frame, desc.bits_per_chan) ;
+
++ if (desc.channels_per_frame > 200)
++ { psf_log_printf (psf, "**** Bad channels per frame value %u.\n", desc.channels_per_frame) ;
++ return SFE_MALFORMED_FILE ;
++ } ;
++
+ if (chunk_size > SIGNED_SIZEOF (DESC_CHUNK))
+ psf_binheader_readf (psf, "j", (int) (chunk_size - sizeof (DESC_CHUNK))) ;
+
+
diff --git a/libsndfile.spec b/libsndfile.spec
index 35921b0..3ecebdc 100644
--- a/libsndfile.spec
+++ b/libsndfile.spec
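Review bot: The added guard in caf_read_header (src/caf.c, carried in the new libsndfile-1.0.17-channels-per-frame-overflow.patch) rejects only `desc.channels_per_frame > 200`, and the limit is a bare literal with no explanation. The field comes from the file header being parsed, so a comment such as `/* channels_per_frame is read from the file; reject implausible counts before it is used further (CVE-2009-0186) */` and a named constant for the cap would record why the check exists. A count of 0 still passes, and `desc.pkt_bytes`, `desc.pkt_frames` and `desc.bits_per_chan` from the same chunk are logged but not range-checked in this hunk. caf_read_header continues outside the hunk, so whether later code handles those cases cannot be confirmed from here.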
@@ -1,13 +1,14 @@
 Summary: Library for reading and writing sound files
 Name: libsndfile
 Version: 1.0.17
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPL
 Group: System Environment/Libraries
 URL: http://www.mega-nerd.com/libsndfile/
-Source0: http://www.mega-nerd.com/libsndfile/libsndfile-%{version}.tar.gz
+Source0: http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
 Patch0: libsndfile-1.0.17+flac-1.1.3.patch
 Patch1: libsndfile-1.0.17-flac-buffer-overflow.patch
+Patch2: libsndfile-1.0.17-channels-per-frame-overflow.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot-%(%{__id_u} -n)
 BuildRequires: alsa-lib-devel
@@ -35,6 +36,7 @@ This package contains files needed to develop with libsndfile.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %build
 %configure --disable-dependency-tracking
@@ -82,6 +84,9 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Thu Jul 8 2010 Michel Salim - 1.0.17-3
+- Fix for channel per frame overflow (CVE-2009-0186, #488364)
+
 * Thu Sep 20 2007 Andreas Thienemann - 1.0.17-2
 - Adding FLAC support to libsndfile courtesy of gentoo, #237575
 - Fixing CVE-2007-4974. Thanks to the gentoo people for the patch, #296221