1 files changed, 36 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
new file mode 100644
index 0000000000..6354f856cb
--- /dev/null
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
@@ -0,0 +1,36 @@
+From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Wed, 17 Feb 2021 23:21:48 +0000
+Subject: [PATCH 1/2] wavlike: Fix incorrect size check
+The SF_CART_INFO_16K struct has an additional 4 byte field to hold
+the size of 'tag_text' which the file header doesn't, so don't
+include it as part of the check when looking for the max length.
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/wavlike.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+Index: libsndfile-1.0.28/src/wavlike.c
+===================================================================
+--- libsndfile-1.0.28.orig/src/wavlike.c
+++ libsndfile-1.0.28/src/wavlike.c
+@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
+                return 0 ;
+                } ;
+ 
+-       if (chunksize >= sizeof (SF_CART_INFO_16K))
+       /*
+       **      SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
+       **      of the chunk, so don't include it in the size check.
+       */
+       if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
+        {       psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
+                psf_binheader_readf (psf, "j", chunksize) ;
+                return 0 ;

diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch new file mode 100644 index 0000000000..6354f856cb --- /dev/null +++ b/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
@@ -0,0 +1,36 @@
	1	From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001
	2	From: bobsayshilol <bobsayshilol@live.co.uk>
	3	Date: Wed, 17 Feb 2021 23:21:48 +0000
	4	Subject: [PATCH 1/2] wavlike: Fix incorrect size check
	5
	6	The SF_CART_INFO_16K struct has an additional 4 byte field to hold
	7	the size of 'tag_text' which the file header doesn't, so don't
	8	include it as part of the check when looking for the max length.
	9
	10	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
	11
	12	Upstream-Status: Backport
	13	CVE: CVE-2021-3246 patch 1
	14	Signed-off-by: Armin Kuster <akuster@mvista.com>
	15
	16	---
	17	src/wavlike.c \| 6 +++++-
	18	1 file changed, 5 insertions(+), 1 deletion(-)
	19
	20	Index: libsndfile-1.0.28/src/wavlike.c
	21	===================================================================
	22	--- libsndfile-1.0.28.orig/src/wavlike.c
	23	+++ libsndfile-1.0.28/src/wavlike.c
	24	@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
	25	return 0 ;
	26	} ;
	27
	28	- if (chunksize >= sizeof (SF_CART_INFO_16K))
	29	+ /*
	30	+ ** SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
	31	+ ** of the chunk, so don't include it in the size check.
	32	+ */
	33	+ if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
	34	{ psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
	35	psf_binheader_readf (psf, "j", chunksize) ;
	36	return 0 ;