fix incomplete patch for CVE-2015-7805

crafted AIFF header

libsndfile-1.0.25-53c9f0bcaf20203bb4ee56da760a6e5118e6f93b.patch

@@ -0,0 +1,22 @@
+From 53c9f0bcaf20203bb4ee56da760a6e5118e6f93b Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Mon, 9 Nov 2015 19:18:48 +1100
+Subject: [PATCH] src/common.c: Pull fix from 1.0.25
+
+---
+ src/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/common.c b/src/common.c
+index c6b88cc..830c43e 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -805,7 +805,7 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
+ 	if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
+ 	{	int most ;
+ 
+-		most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
++		most = SIGNED_SIZEOF (psf->header) - psf->headend ;
+ 		psf_fread (psf->header + psf->headend, 1, most, psf) ;
+ 		memcpy (ptr, psf->header + psf->headend, most) ;
+ 		psf->headend = psf->headindex += most ;

libsndfile-1.0.25-d2a87385c1ca1d72918e9a2875d24f202a5093e8.patch

@@ -0,0 +1,90 @@
+From d2a87385c1ca1d72918e9a2875d24f202a5093e8 Mon Sep 17 00:00:00 2001
+From: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date: Sat, 7 Feb 2015 15:45:10 +1100
+Subject: [PATCH] src/common.c : Fix a header parsing bug.
+
+When the file header is bigger that SF_HEADER_LEN, the code would seek
+instead of reading causing file parse errors.
+
+The current header parsing and writing code *badly* needs a re-write.
+---
+ src/common.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+diff --git a/src/common.c b/src/common.c
+index dd4edb7..c6b88cc 100644
+--- a/src/common.c
++++ b/src/common.c
+@@ -1,5 +1,5 @@
+ /*
+-** Copyright (C) 1999-2011 Erik de Castro Lopo <erikd@mega-nerd.com>
++** Copyright (C) 1999-2015 Erik de Castro Lopo <erikd@mega-nerd.com>
+ **
+ ** This program is free software; you can redistribute it and/or modify
+ ** it under the terms of the GNU Lesser General Public License as published by
+@@ -800,21 +800,16 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
+ {	int count = 0 ;
+ 
+ 	if (psf->headindex >= SIGNED_SIZEOF (psf->header))
+-	{	memset (ptr, 0, SIGNED_SIZEOF (psf->header) - psf->headindex) ;
+-
+-		/* This is the best that we can do. */
+-		psf_fseek (psf, bytes, SEEK_CUR) ;
+-		return bytes ;
+-		} ;
++		return psf_fread (ptr, 1, bytes, psf) ;
+ 
+ 	if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
+ 	{	int most ;
+ 
+ 		most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
+ 		psf_fread (psf->header + psf->headend, 1, most, psf) ;
+-		memset ((char *) ptr + most, 0, bytes - most) ;
+-
+-		psf_fseek (psf, bytes - most, SEEK_CUR) ;
++		memcpy (ptr, psf->header + psf->headend, most) ;
++		psf->headend = psf->headindex += most ;
++		psf_fread ((char *) ptr + most, bytes - most, 1, psf) ;
+ 		return bytes ;
+ 		} ;
+ 
+@@ -822,7 +817,7 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
+ 	{	count = psf_fread (psf->header + psf->headend, 1, bytes - (psf->headend - psf->headindex), psf) ;
+ 		if (count != bytes - (int) (psf->headend - psf->headindex))
+ 		{	psf_log_printf (psf, "Error : psf_fread returned short count.\n") ;
+-			return 0 ;
++			return count ;
+ 			} ;
+ 		psf->headend += count ;
+ 		} ;
+@@ -836,7 +831,6 @@ header_read (SF_PRIVATE *psf, void *ptr, int bytes)
+ static void
+ header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
+ {
+-
+ 	switch (whence)
+ 	{	case SEEK_SET :
+ 			if (position > SIGNED_SIZEOF (psf->header))
+@@ -885,8 +879,7 @@ header_seek (SF_PRIVATE *psf, sf_count_t position, int whence)
+ 
+ static int
+ header_gets (SF_PRIVATE *psf, char *ptr, int bufsize)
+-{
+-	int		k ;
++{	int		k ;
+ 
+ 	for (k = 0 ; k < bufsize - 1 ; k++)
+ 	{	if (psf->headindex < psf->headend)
+@@ -1073,8 +1066,10 @@ psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
+ 			case 'j' :
+ 					/* Get the seek position first. */
+ 					count = va_arg (argptr, size_t) ;
+-					header_seek (psf, count, SEEK_CUR) ;
+-					byte_count += count ;
++					if (count)
++					{	header_seek (psf, count, SEEK_CUR) ;
++						byte_count += count ;
++						} ;
+ 					break ;
+ 
+ 			default :

libsndfile.spec

@@ -1,14 +1,18 @@
 Summary:	Library for reading and writing sound files
 Name:		libsndfile
 Version:	1.0.25
-Release:	14%{?dist}
+Release:	18%{?dist}
 License:	LGPLv2+ and GPLv2+ and BSD
 Group:		System Environment/Libraries
 URL:		http://www.mega-nerd.com/libsndfile/
 Source0:	http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
 Patch0:		%{name}-1.0.25-system-gsm.patch
-Patch1: libsndfile-1.0.25-zerodivfix.patch
-Patch2: libsndfile-1.0.25-cve2014_9496.patch
+Patch1:		libsndfile-1.0.25-zerodivfix.patch
+Patch2:		libsndfile-1.0.25-cve2014_9496.patch
+
+# 2x from upstream, for <= 1.0.25, rhbz#1277899
+Patch3:		libsndfile-1.0.25-d2a87385c1ca1d72918e9a2875d24f202a5093e8.patch
+Patch4:		libsndfile-1.0.25-53c9f0bcaf20203bb4ee56da760a6e5118e6f93b.patch
 
 BuildRequires:	alsa-lib-devel
 BuildRequires:	flac-devel
@@ -44,7 +48,6 @@ This package contains files needed to develop with libsndfile.
 Summary:	Command Line Utilities for libsndfile
 Group:		Applications/Multimedia
 Requires:	%{name} = %{version}-%{release}
-Obsoletes:	libsndfile < 1.0.20-4
 
 
 %description utils
@@ -58,9 +61,12 @@ This package contains command line utilities for libsndfile.
 %patch0 -p1
 %patch1 -p1 -b .zerodivfix
 %patch2 -p1 -b .cve2014_9496
-rm -r src/GSM610 ; autoreconf -I M4 -fiv # for system-gsm patch
+%patch3 -p1 -b .d2a87385c1ca1d72918e9a2875d24f202a5093e8
+%patch4 -p1 -b .53c9f0bcaf20203bb4ee56da760a6e5118e6f93b
+rm -r src/GSM610
 
 %build
+autoreconf -I M4 -fiv # for system-gsm patch
 %configure \
 	--disable-dependency-tracking \
 	--enable-sqlite \
@@ -80,9 +86,10 @@ make install DESTDIR=$RPM_BUILD_ROOT
 rm -rf __docs
 cp -pR $RPM_BUILD_ROOT%{_docdir}/libsndfile1-dev/html __docs
 rm -rf $RPM_BUILD_ROOT%{_docdir}/libsndfile1-dev
+find %{buildroot} -type f -name "*.la" -delete
 
 # fix multilib issues
-%if %{__isa_bits} == 64
+%ifarch aarch64 %{power64} s390x x86_64
 %define wordsize 64
 %else
 %define wordsize 32
@@ -118,7 +125,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
 
 
 %files
-%doc COPYING AUTHORS README NEWS
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc AUTHORS README NEWS
 %{_libdir}/%{name}.so.*
 
 %files utils
@@ -144,9 +153,7 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
 %{_mandir}/man1/sndfile-play.1*
 
 %files devel
-%doc __docs/*
-%doc ChangeLog
-%exclude %{_libdir}/%{name}.la
+%doc __docs/* ChangeLog
 %{_includedir}/sndfile.h
 %{_includedir}/sndfile.hh
 %{_includedir}/sndfile-%{wordsize}.h
@@ -155,6 +162,20 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
 
 
 %changelog
+* Wed Dec 16 2015 Michal Hlavinka <mhlavink@redhat.com> - 1.0.25-18
+- fix incomplete patch for CVE-2015-7805
+
+* Fri Nov 06 2015 Michal Hlavinka <mhlavink@redhat.com> - 1.0.25-17
+- fix CVE-2015-7805: Heap overflow vulnerability when parsing specially
+  crafted AIFF header
+
+* Sun Jul 19 2015 Peter Robinson <pbrobinson@fedoraproject.org> 1.0.25-16
+- Fix FTBFS
+- Use %%license
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.0.25-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
 * Tue Jan 13 2015 Michal Hlavinka <mhlavink@redhat.com> - 1.0.25-14
 - fix CVE-2014-9496: 2 buffer overruns in sd2_parse_rsrc_fork (#1178840)
 - division by zero leading to denial of service in psf_fwrite (#1177254)