From dbb4db54d9baafee07cb54139a0a2a31b931203b Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 30 2021 08:01:11 +0000
Subject: import libsndfile-1.0.25-12.el7_9.1


---

diff --git a/SOURCES/libsndfile-1.0.31-deb669ee.patch b/SOURCES/libsndfile-1.0.31-deb669ee.patch
new file mode 100644
index 0000000..5c281e7
--- /dev/null
+++ b/SOURCES/libsndfile-1.0.31-deb669ee.patch
@@ -0,0 +1,21 @@
+diff -up libsndfile-1.0.25/src/ms_adpcm.c.deb669ee libsndfile-1.0.25/src/ms_adpcm.c
+--- libsndfile-1.0.25/src/ms_adpcm.c.deb669ee	2021-07-23 13:20:56.365818063 +0200
++++ libsndfile-1.0.25/src/ms_adpcm.c	2021-07-23 13:21:08.241674184 +0200
+@@ -140,6 +140,17 @@ wav_w64_msadpcm_init	(SF_PRIVATE *psf, i
+ 	if (psf->file.mode == SFM_WRITE)
+ 		samplesperblock = 2 + 2 * (blockalign - 7 * psf->sf.channels) / psf->sf.channels ;
+ 
++        /* There's 7 samples per channel in the preamble of each block */
++	if (samplesperblock < 7 * psf->sf.channels)
++	{	psf_log_printf (psf, "*** Error samplesperblock (%d) should be >= %d.\n", samplesperblock, 7 * psf->sf.channels) ;
++		return SFE_INTERNAL ;
++		} ;
++
++	if (2 * blockalign < samplesperblock * psf->sf.channels)
++	{	psf_log_printf (psf, "*** Error blockalign (%d) should be >= %d.\n", blockalign, samplesperblock * psf->sf.channels / 2) ;
++		return SFE_INTERNAL ;
++		} ;
++
+ 	pmssize = sizeof (MSADPCM_PRIVATE) + blockalign + 3 * psf->sf.channels * samplesperblock ;
+ 
+ 	if (! (psf->codec_data = calloc (1, pmssize)))
diff --git a/SPECS/libsndfile.spec b/SPECS/libsndfile.spec
index 1023e72..5be7ea8 100644
--- a/SPECS/libsndfile.spec
+++ b/SPECS/libsndfile.spec
@@ -1,7 +1,7 @@
 Summary:	Library for reading and writing sound files
 Name:		libsndfile
 Version:	1.0.25
-Release:	12%{?dist}
+Release:	12%{?dist}.1
 License:	LGPLv2+ and GPLv2+ and BSD
 Group:		System Environment/Libraries
 URL:		http://www.mega-nerd.com/libsndfile/
@@ -9,6 +9,8 @@ Source0:	http://www.mega-nerd.com/libsndfile/files/libsndfile-%{version}.tar.gz
 Patch0:		%{name}-1.0.25-system-gsm.patch
 Patch1: libsndfile-1.0.28-CVE_2018_13139.patch
 Patch2: libsndfile-1.0.28-CVE_2018_19662.patch
+# from upstream, for <= 1.0.31, rhbz#1985024
+Patch3:		libsndfile-1.0.31-deb669ee.patch
 BuildRoot:	%(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 BuildRequires:	alsa-lib-devel
@@ -59,6 +61,7 @@ This package contains command line utilities for libsndfile.
 %patch0 -p1
 %patch1 -p1 -b .CVE_2018_13139
 %patch2 -p1 -b .CVE_2018_19662
+%patch3 -p1 -b .deb669ee
 rm -r src/GSM610 ; autoreconf -I M4 -fiv # for system-gsm patch
 #also for aarch64 support which requires autotools 2.69+
 
@@ -165,6 +168,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Wed Jul 28 2021 Michal Hlavinka <mhlavink@redhat.com> - 1.0.25-12.1
+- a crafted wav file could cause heap buffer overflow that allowed an arbitrary code execution(#1985024)
+
 * Wed Mar 11 2020 Michal Hlavinka <mhlavink@redhat.com> - 1.0.25-12
 - fix CVE-2018-19662 - buffer over-read in the function i2alaw_array (#1673086)