1 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
new file mode 100644
index 0000000000..ab37211399
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
@@ -0,0 +1,37 @@
+From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001
+From: Emilio Pozuelo Monfort <pochu27@gmail.com>
+Date: Tue, 5 Mar 2019 11:27:17 +0100
+Subject: [PATCH] wav_write_header: don't read past the array end
+CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder.
+CVE: CVE-2019-3832
+Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e]
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+If loop_count is bigger than the array, truncate it to the array
+length (and not to 32k).
+CVE-2019-3832
+---
+ src/wav.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/src/wav.c b/src/wav.c
+index daae3cc..8851549 100644
+--- a/src/wav.c
+++ b/src/wav.c
+@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
+                psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
+                psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
+ 
+-               /* Loop count is signed 16 bit number so we limit it range to something sensible. */
+-               psf->instrument->loop_count &= 0x7fff ;
+               /* Make sure we don't read past the loops array end. */
+               if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
+                       psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
+
+                for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
+                {       int type ;
+

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch new file mode 100644 index 0000000000..ab37211399 --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2019-3832.patch
@@ -0,0 +1,37 @@
	1	From 43886efc408c21e1e329086ef70c88860310f25b Mon Sep 17 00:00:00 2001
	2	From: Emilio Pozuelo Monfort <pochu27@gmail.com>
	3	Date: Tue, 5 Mar 2019 11:27:17 +0100
	4	Subject: [PATCH] wav_write_header: don't read past the array end
	5
	6	CVE-2018-19758 wasn't entirely fixed in the fix, so fix it harder.
	7
	8	CVE: CVE-2019-3832
	9	Upstream-Status: Backport [7408c4c788ce047d4e652b60a04e7796bcd7267e]
	10	Signed-off-by: Ross Burton <ross.burton@intel.com>
	11
	12	If loop_count is bigger than the array, truncate it to the array
	13	length (and not to 32k).
	14
	15	CVE-2019-3832
	16
	17	---
	18	src/wav.c \| 6 ++++--
	19	1 file changed, 4 insertions(+), 2 deletions(-)
	20
	21	diff --git a/src/wav.c b/src/wav.c
	22	index daae3cc..8851549 100644
	23	--- a/src/wav.c
	24	+++ b/src/wav.c
	25	@@ -1094,8 +1094,10 @@ wav_write_header (SF_PRIVATE *psf, int calc_length)
	26	psf_binheader_writef (psf, "44", 0, 0) ; /* SMTPE format */
	27	psf_binheader_writef (psf, "44", psf->instrument->loop_count, 0) ;
	28
	29	- /* Loop count is signed 16 bit number so we limit it range to something sensible. */
	30	- psf->instrument->loop_count &= 0x7fff ;
	31	+ /* Make sure we don't read past the loops array end. */
	32	+ if (psf->instrument->loop_count > ARRAY_LEN (psf->instrument->loops))
	33	+ psf->instrument->loop_count = ARRAY_LEN (psf->instrument->loops) ;
	34	+
	35	for (tmp = 0 ; tmp < psf->instrument->loop_count ; tmp++)
	36	{ int type ;
	37