From 060b7cbbe3187e8953127d94702f47259551d2f7 Mon Sep 17 00:00:00 2001
From: jinzhimin369
Date: Mon, 14 Sep 2020 19:49:59 +0800
Subject: [PATCH] fix CVE
---
...1.0.28-CVE-2017-14245-CVE-2017-14246.patch | 114 ++++++++++++++++++
libsndfile.spec | 6 +-
2 files changed, 119 insertions(+), 1 deletion(-)
create mode 100644 libsndfile-1.0.28-CVE-2017-14245-CVE-2017-14246.patch
diff --git a/libsndfile-1.0.28-CVE-2017-14245-CVE-2017-14246.patch b/libsndfile-1.0.28-CVE-2017-14245-CVE-2017-14246.patch
new file mode 100644
index 0000000..7327d1e
--- /dev/null
+++ b/libsndfile-1.0.28-CVE-2017-14245-CVE-2017-14246.patch
@@ -0,0 +1,114 @@
+From 2d54514a4f6437b67829717c05472d2e3300a258 Mon Sep 17 00:00:00 2001
+From: Fabian Greffrath
+Date: Mon, 14 Sep 2020 19:26:01 +0800
+Subject: [PATCH] sfe_copy_data_fp: check value of max variable for being normal
+
+reason:and check elements of the data[] array for being finite.
+
+Both checks use functions provided by the header as declared
+by the C99 standard.
+
+Fixes #317
+CVE-2017-14245
+CVE-2017-14246
+https://github.com/fabiangreffrath/libsndfile/commit/2d54514a4f6437b67829717c05472d2e3300a258
+---
+ programs/common.c | 19 ++++++++++++++++---
+ programs/common.h | 2 +-
+ programs/sndfile-convert.c | 5 +++++
+ 3 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/programs/common.c b/programs/common.c
+index 3fc4e3d..3a0ecf1 100644
+--- a/programs/common.c
++++ b/programs/common.c
+@@ -36,6 +36,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -45,7 +46,7 @@
+
+ #define MIN(x, y) ((x) < (y) ? (x) : (y))
+
+-void
++int
+ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize)
+ { static double data [BUFFER_LEN], max ;
+ int frames, readcount, k ;
+@@ -54,6 +55,8 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
+ readcount = frames ;
+
+ sf_command (infile, SFC_CALC_SIGNAL_MAX, &max, sizeof (max)) ;
++ if (!isnormal (max)) /* neither zero, subnormal, infinite, nor NaN */
++ return 1 ;
+
+ if (!normalize && max < 1.0)
+ { while (readcount > 0)
+@@ -67,12 +70,16 @@ sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize
+ while (readcount > 0)
+ { readcount = sf_readf_double (infile, data, frames) ;
+ for (k = 0 ; k < readcount * channels ; k++)
+- data [k] /= max ;
++ { data [k] /= max ;
++
++ if (!isfinite (data [k])) /* infinite or NaN */
++ return 1;
++ }
+ sf_writef_double (outfile, data, readcount) ;
+ } ;
+ } ;
+
+- return ;
++ return 0;
+ } /* sfe_copy_data_fp */
+
+ void
+@@ -253,6 +260,12 @@ sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * in
+ /* If the input file is not the same as the output file, copy the data. */
+ if ((infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT))
+ sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ;
++ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) != 0)
++ { printf ("Error : Not able to decode input file '%s'\n", filenames [0]) ;
++ error_code = 1 ;
++ goto cleanup_exit ;
++ } ;
++ }
+ else
+ sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
+ } ;
+diff --git a/programs/common.h b/programs/common.h
+index eda2d7d..986277e 100644
+--- a/programs/common.h
++++ b/programs/common.h
+@@ -62,7 +62,7 @@ typedef SF_BROADCAST_INFO_VAR (2048) SF_BROADCAST_INFO_2K ;
+
+ void sfe_apply_metadata_changes (const char * filenames [2], const METADATA_INFO * info) ;
+
+-void sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
++int sfe_copy_data_fp (SNDFILE *outfile, SNDFILE *infile, int channels, int normalize) ;
+
+ void sfe_copy_data_int (SNDFILE *outfile, SNDFILE *infile, int channels) ;
+
+diff --git a/programs/sndfile-convert.c b/programs/sndfile-convert.c
+index dff7f79..98ac422 100644
+--- a/programs/sndfile-convert.c
++++ b/programs/sndfile-convert.c
+@@ -336,6 +336,11 @@ main (int argc, char * argv [])
+ || (infileminor == SF_FORMAT_DOUBLE) || (infileminor == SF_FORMAT_FLOAT)
+ || (infileminor == SF_FORMAT_VORBIS) || (outfileminor == SF_FORMAT_VORBIS))
+ sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) ;
++ { if (sfe_copy_data_fp (outfile, infile, sfinfo.channels, normalize) != 0)
++ { printf ("Error : Not able to decode input file %s.\n", infilename) ;
++ return 1 ;
++ } ;
++ }
+ else
+ sfe_copy_data_int (outfile, infile, sfinfo.channels) ;
+
+--
+2.23.0
+
diff --git a/libsndfile.spec b/libsndfile.spec
index 757dfde..ec084b0 100644
--- a/libsndfile.spec
+++ b/libsndfile.spec
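Review bot: Both call-site hunks of the embedded patch (`sfe_apply_metadata_changes` in programs/common.c and `main` in programs/sndfile-convert.c) carry the old unchecked `sfe_copy_data_fp (...) ;` statement as a context line instead of removing it, and the counts in `@@ -253,6 +260,12 @@` and `@@ -336,6 +336,11 @@` agree with that reading. As the patch reads here, the patched source would have the unchecked call as the `if` body, then the new checked block, then an `else` with no matching `if`, which should not compile; the return value that the CVE fix depends on would only be tested on a second, separate call. That line should be a removal in both hunks, e.g. `-sfe_copy_data_fp (outfile, infile, sfinfo.channels, SF_FALSE) ;`, with the hunk counts regenerated from a tree that builds. Separately, `if (!isnormal (max)) return 1 ;` sits before the `!normalize && max < 1.0` branch, so an all-zero (silent) float file is reported as undecodable even on the path that never divides by `max`; consider applying the zero/subnormal rejection only on the dividing path.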
@@ -1,6 +1,6 @@
 Name: libsndfile
 Version: 1.0.28
-Release: 18
+Release: 19
 Summary: Library for reading and writing sound files
 License: LGPLv2+ and GPLv2+ and BSD
 URL: http://www.mega-nerd.com/libsndfile/
@@ -21,6 +21,7 @@ Patch6003: libsndfile-1.0.28-CVE-2019-3832.patch
 Patch6004: libsndfile-1.0.28-CVE-2017-17456-CVE-2017-17457-CVE-2018-19661-CVE-2018-19662.patch
 Patch6005: libsndfile-1.0.28-CVE-2017-14634.patch
 Patch6006: libsndfile-1.0.28-CVE-2017-8362.patch
+Patch6007: libsndfile-1.0.28-CVE-2017-14245-CVE-2017-14246.patch
 
 %description
 Libsndfile is a C library for reading and writing files containing
@@ -127,6 +128,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
 %{_mandir}/man1/sndfile-salvage.1*
 
 %changelog
+* Mon Sep 14 2020 xinghe - 1.0.28-19
+- fix CVE-2017-14245 and CVE-2017-14246
+
 * Mon Feb 03 2020 chenmaodong - 1.0.28-18
 - Type:cves
 - ID:CVE-2017-8362
--
Gitee