From 4ca8d81957b5d47250c3ae2e9ed4ce568ca5e1fc Mon Sep 17 00:00:00 2001
From: xiangshuaizhx <wangzhishun1@huawei.com>
Date: Mon, 16 Mar 2020 18:25:35 +0800
Subject: [PATCH] add CVE patch

---
 CVE-2018-19841.patch         | 29 +++++++++++++++++++++++++++++
 wavpack-CVE-2019-11498.patch | 36 ++++++++++++++++++++++++++++++++++++
 wavpack.spec                 | 13 ++++++++++---
 3 files changed, 75 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2018-19841.patch
 create mode 100644 wavpack-CVE-2019-11498.patch

diff --git a/CVE-2018-19841.patch b/CVE-2018-19841.patch
new file mode 100644
index 0000000..6872ed9
--- /dev/null
+++ b/CVE-2018-19841.patch
@@ -0,0 +1,29 @@
+From bba5389dc598a92bdf2b297c3ea34620b6679b5b Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Thu, 29 Nov 2018 21:53:51 -0800
+Subject: [PATCH] issue #54: fix potential out-of-bounds heap read
+
+---
+ src/open_utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/open_utils.c b/src/open_utils.c
+index 80051fc..4fe0d67 100644
+--- a/src/open_utils.c
++++ b/src/open_utils.c
+@@ -1258,13 +1258,13 @@ int WavpackVerifySingleBlock (unsigned char *buffer, int verify_checksum)
+ #endif
+ 
+             if (meta_bc == 4) {
+-                if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff) || *dp++ != ((csum >> 16) & 0xff) || *dp++ != ((csum >> 24) & 0xff))
++                if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff) || dp[2] != ((csum >> 16) & 0xff) || dp[3] != ((csum >> 24) & 0xff))
+                     return FALSE;
+             }
+             else {
+                 csum ^= csum >> 16;
+ 
+-                if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff))
++                if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff))
+                     return FALSE;
+             }
+ 
diff --git a/wavpack-CVE-2019-11498.patch b/wavpack-CVE-2019-11498.patch
new file mode 100644
index 0000000..e8a2708
--- /dev/null
+++ b/wavpack-CVE-2019-11498.patch
@@ -0,0 +1,36 @@
+From bc6cba3f552c44565f7f1e66dc1580189addb2b4 Mon Sep 17 00:00:00 2001
+From: David Bryant <david@wavpack.com>
+Date: Tue, 5 Mar 2019 21:32:27 -0800
+Subject: [PATCH] issue #67: make sure sample rate is specified and non-zero in
+ DFF files
+
+---
+ cli/dsdiff.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cli/dsdiff.c b/cli/dsdiff.c
+index f357181..193adee 100644
+--- a/cli/dsdiff.c
++++ b/cli/dsdiff.c
+@@ -171,7 +171,7 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+             if (!strncmp (prop_chunk, "SND ", 4)) {
+                 char *cptr = prop_chunk + 4, *eptr = prop_chunk + dff_chunk_header.ckDataSize;
+                 uint16_t numChannels, chansSpecified, chanMask = 0;
+-                uint32_t sampleRate;
++                uint32_t sampleRate = 0;
+ 
+                 while (eptr - cptr >= sizeof (dff_chunk_header)) {
+                     memcpy (&dff_chunk_header, cptr, sizeof (dff_chunk_header));
+@@ -263,6 +263,12 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
+             free (prop_chunk);
+         }
+         else if (!strncmp (dff_chunk_header.ckID, "DSD ", 4)) {
++
++            if (!config->num_channels || !config->sample_rate) {
++                error_line ("%s is not a valid .DFF file!", infilename);
++                return WAVPACK_SOFT_ERROR;
++            }
++
+             total_samples = dff_chunk_header.ckDataSize / config->num_channels;
+             break;
+         }
diff --git a/wavpack.spec b/wavpack.spec
index f34d4dc..49521cc 100644
--- a/wavpack.spec
+++ b/wavpack.spec
@@ -1,6 +1,6 @@
 Name:           wavpack
 Version:        5.1.0
-Release:        10
+Release:        11
 Summary:        Hybrid Lossless Wavefile Compressor
 License:        BSD
 Url:            http://www.wavpack.com/
@@ -10,7 +10,10 @@ Patch0001:      wavpack-0002-issue-28-do-not-overwrite-heap-on-corrupt-DSDIFF-fi
 Patch0002:      wavpack-0003-issue-28-fix-buffer-overflows-and-bad-allocs-on-corr.patch
 Patch0003:      wavpack-0004-issue-33-sanitize-size-of-unknown-chunks-before-mall.patch
 Patch0004:      wavpack-0005-issue-30-issue-31-issue-32-no-multiple-format-chunks.patch
-
+# fix potential out-of-bounds heapo read
+Patch0005:      wavpack-CVE-2019-11498.patch
+# make sure sample rate is specified and non-zero in DFF files       
+Patch0006:      CVE-2018-19841.patch
 Patch6000:      CVE-2018-19840.patch
 
 BuildRequires:  autoconf automake libtool
@@ -37,7 +40,7 @@ Buildarch: noarch
 Help document for the wavpack package.
 
 %prep
-%autosetup -p1
+%autosetup -n %{name}-%{version} -p1
 
 %build
 autoreconf -ivf
@@ -69,5 +72,9 @@ autoreconf -ivf
 %{_mandir}/man1/*.1*
 
 %changelog
+* Sat Mar 14 2020 wangzhishun <wangzhishun1@huawei.com> - 5.1.0-11
+- Make sure sample rate is specified and non-zero in DFF files
+- Fix potential out-of-bounds heap read 
+
 * Fri Oct 25 2019 Lijin Yang <yanglijin@huawei.com> - 5.1.0-10
 - Package init
-- 
Gitee