From 8356ca83948713430d0d2a646e7dbb619bd95a72 Mon Sep 17 00:00:00 2001
From: Michal Hlavinka <mhlavink@redhat.com>
Date: Fri, 23 Jul 2021 15:16:13 +0200
Subject: [PATCH] a crafted wav file could cause heap buffer overflow that
 allowed an arbitrary code execution (#1984320)

---
 libsndfile-1.0.31-deb669ee.patch | 21 +++++++++++++++++++++
 libsndfile.spec                  |  8 +++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 libsndfile-1.0.31-deb669ee.patch

diff --git a/libsndfile-1.0.31-deb669ee.patch b/libsndfile-1.0.31-deb669ee.patch
new file mode 100644
index 0000000..06c89b4
--- /dev/null
+++ b/libsndfile-1.0.31-deb669ee.patch
@@ -0,0 +1,21 @@
+diff --git a/src/ms_adpcm.c b/src/ms_adpcm.c
+index 5e8f1a31..a21cb994 100644
+--- a/src/ms_adpcm.c
++++ b/src/ms_adpcm.c
+@@ -128,8 +128,14 @@ wavlike_msadpcm_init	(SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ 	if (psf->file.mode == SFM_WRITE)
+ 		samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+ 
+-	if (blockalign < 7 * psf->sf.channels)
+-	{	psf_log_printf (psf, "*** Error blockalign (%d) should be > %d.\n", blockalign, 7 * psf->sf.channels) ;
++	/* There's 7 samples per channel in the preamble of each block */
++	if (samplesperblock < 7 * psf->sf.channels)
++	{	psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++		return SFE_INTERNAL ;
++		} ;
++
++	if (2 * blockalign < samplesperblock * psf->sf.channels)
++	{	psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
+ 		return SFE_INTERNAL ;
+ 		} ;
+ 
diff --git a/libsndfile.spec b/libsndfile.spec
index d3dc258..5e5cb30 100644
--- a/libsndfile.spec
+++ b/libsndfile.spec
@@ -1,12 +1,14 @@
 Summary:	Library for reading and writing sound files
 Name:		libsndfile
 Version:	1.0.31
-Release:	4%{?dist}
+Release:	5%{?dist}%{?dist}
 License:	LGPLv2+ and GPLv2+ and BSD
 URL:		http://libsndfile.github.io/libsndfile/
 Source0:        https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2
 Patch0:		libsndfile-1.0.25-system-gsm.patch
 Patch1:		libsndfile-1.0.25-zerodivfix.patch
+# from upstream, fix #1984320=CVE-2021-3246, for <= 1.0.31
+Patch2:		libsndfile-1.0.31-deb669ee.patch
 BuildRequires:  gcc-c++
 BuildRequires:	alsa-lib-devel
 BuildRequires:	flac-devel
@@ -58,6 +60,7 @@ This package contains command line utilities for libsndfile.
 rm -r src/GSM610
 # TODO: check if this patch is still needed
 %patch1 -p1 -b .zerodivfix
+%patch2 -p1 -b .deb669ee
 
 %build
 autoreconf -I M4 -fiv # for system-gsm patch
@@ -149,6 +152,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
 
 
 %changelog
+* Fri Jul 23 2021 Michal Hlavinka <mhlavink@redhat.com> - 1.0.31-5
+- a crafted wav file could cause heap buffer overflow that allowed an arbitrary code execution (#1984320)
+
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.31-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild