From a287f331298484f0e6c18213a16a73997cf47498 Mon Sep 17 00:00:00 2001 From: dillon_chen Date: Fri, 7 Nov 2025 17:31:56 +0800 Subject: [PATCH] fix CVE-2019-13147 (cherry picked from commit cf99d07304b75f53cde0ffc154d0cbec4c4bc63d) --- audiofile.spec | 7 ++++- backport-Partial0-CVE-2019-13147.patch | 43 ++++++++++++++++++++++++++ backport-Partial1-CVE-2019-13147.patch | 43 ++++++++++++++++++++++++++ 3 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 backport-Partial0-CVE-2019-13147.patch create mode 100644 backport-Partial1-CVE-2019-13147.patch diff --git a/audiofile.spec b/audiofile.spec index 5c26dd0..012276d 100644 --- a/audiofile.spec +++ b/audiofile.spec @@ -1,6 +1,6 @@ Name: audiofile Version: 0.3.6 -Release: 29 +Release: 30 Summary: Library for reading and writing audio files in many common formats License: LGPLv2+ and GPLv2+ URL: http://audiofile.68k.org/ @@ -14,6 +14,8 @@ Patch5: backport-CVE-2017-6831.patch Patch6: backport-CVE-2017-6838.patch Patch7: backport-CVE-2017-6839.patch Patch8: audiofile-fix-CVE-2025-50950.patch +Patch9: backport-Partial0-CVE-2019-13147.patch +Patch10: backport-Partial1-CVE-2019-13147.patch BuildRequires: gcc-c++ libtool alsa-lib-devel flac-devel chrpath @@ -83,6 +85,9 @@ chrpath --delete %{buildroot}%{_bindir}/sfconvert %{_mandir}/man3/* %changelog +* Fri Nov 7 2025 dillon chen - 0.3.6-30 +- Fix CVE-2019-13147 + * Fri Oct 24 2025 hdliu - 0.3.6-29 - Fix CVE-2025-50950 diff --git a/backport-Partial0-CVE-2019-13147.patch b/backport-Partial0-CVE-2019-13147.patch new file mode 100644 index 0000000..21eda41 --- /dev/null +++ b/backport-Partial0-CVE-2019-13147.patch 
@@ -0,0 +1,43 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Sat, 11 Nov 2023 17:42:03 +0000 +Subject: Partial fix of CVE-2019-13147 + +This fix the symptom do not allow to allocate negative memory: +==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes +==129695==AddressSanitizer's allocator is terminating the process instead of returning 0 +==129695==If you don't like this behavior set allocator_may_return_null=1 +==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0) + #0 0x7f48c8503c02 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02) + #1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595) + #2 0x7f48c8509342 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342) + #3 0x7f48c8441e46 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46) + #4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a) + #5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327 + #6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248 + #7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96) + #8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79) + +If negative bail out + +bug: https://github.com/mpruett/audiofile/issues/54 +forwarded: https://github.com/mpruett/audiofile/issues/54 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343 +--- + sfcommands/sfconvert.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c +index 367f7a5..400d485 100644 +--- a/sfcommands/sfconvert.c ++++ b/sfcommands/sfconvert.c +@@ -349,7 +349,8 @@ void printversion (void) + bool 
copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid) + { + int frameSize = afGetVirtualFrameSize(infile, trackid, 1); +- ++ if(frameSize <= 0) ++ return false; + int kBufferFrameCount = 65536; + int bufferSize; + while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize)) diff --git a/backport-Partial1-CVE-2019-13147.patch b/backport-Partial1-CVE-2019-13147.patch new file mode 100644 index 0000000..96068b3 --- /dev/null +++ b/backport-Partial1-CVE-2019-13147.patch @@ -0,0 +1,43 @@ +From: =?utf-8?q?Bastien_Roucari=C3=A8s?= +Date: Sat, 11 Nov 2023 17:43:19 +0000 +Subject: Partial fix of CVE-2019-13147 + +This is the fix of the POC. Do not allow too many channel + +Now it fail with: +Audio File Library: invalid file with 1633771873 channels [error 15] +Could not open file 'poc' for reading. + +bug: https://github.com/mpruett/audiofile/issues/54 +forwarded: https://github.com/mpruett/audiofile/issues/54 +bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2019-13147 +bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931343 +--- + libaudiofile/NeXT.cpp | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/libaudiofile/NeXT.cpp b/libaudiofile/NeXT.cpp +index c462dbe..01c967c 100644 +--- a/libaudiofile/NeXT.cpp ++++ b/libaudiofile/NeXT.cpp +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include "File.h" + #include "Setup.h" +@@ -122,6 +123,12 @@ status NeXTFile::readInit(AFfilesetup setup) + _af_error(AF_BAD_CHANNELS, "invalid file with 0 channels"); + return AF_FAIL; + } ++ /* avoid overflow of INT for double size rate */ ++ if (channelCount > (INT32_MAX / (sizeof(double)))) ++ { ++ _af_error(AF_BAD_CHANNELS, "invalid file with %i channels", channelCount); ++ return AF_FAIL; ++ } + + Track *track = allocateTrack(); + if (!track) -- Gitee
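Review bot: The new guard in copyaudiodata, `if(frameSize <= 0) return false;`, tests the value only after the result of afGetVirtualFrameSize has been narrowed into `int frameSize`, and it fails without telling the user why. If that function returns a floating-point size (its declaration is not visible here, so this needs confirming), a result above INT_MAX is converted before the check runs and that conversion is undefined in C. Comparing the returned value against the valid range before storing it in the int would close that gap. I would also add a diagnostic on this path, for example `fprintf(stderr, "Invalid frame size.\n");`, so a rejected file can be told apart from an I/O failure. The body of copyaudiodata continues past the end of the hunk.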
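Review bot: The added bound in NeXTFile::readInit, `channelCount > (INT32_MAX / (sizeof(double)))`, still accepts a header-declared channel count of up to about 268 million where sizeof(double) is 8, and the hunk applies it to this one reader only. Both backported patches are titled "Partial fix of CVE-2019-13147", so the spec changelog line would be more accurate as `- Partial fix for CVE-2019-13147`, which keeps vulnerability tracking from marking the CVE closed. The comment `/* avoid overflow of INT for double size rate */` is hard to parse; I would write `/* reject channel counts whose frame size (channelCount * sizeof(double)) would overflow an int */`. If channelCount is declared unsigned (the declaration is outside the hunk), `%i` in the new message should be `%u`. readInit starts and ends outside the hunk.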