From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001
From: bobsayshilol <bobsayshilol@live.co.uk>
Date: Wed, 17 Feb 2021 23:21:48 +0000
Subject: [PATCH 1/2] wavlike: Fix incorrect size check

The SF_CART_INFO_16K struct has an additional 4 byte field to hold
the size of 'tag_text' which the file header doesn't, so don't
include it as part of the check when looking for the max length.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026

Upstream-Status: Backport
CVE: CVE-2021-3246 patch 1
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 src/wavlike.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Index: libsndfile-1.0.28/src/wavlike.c
===================================================================
--- libsndfile-1.0.28.orig/src/wavlike.c
+++ libsndfile-1.0.28/src/wavlike.c
@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
 		return 0 ;
 		} ;
 
-	if (chunksize >= sizeof (SF_CART_INFO_16K))
+	/*
+	**	SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
+	**	of the chunk, so don't include it in the size check.
+	*/
+	if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
 	{	psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
 		psf_binheader_readf (psf, "j", chunksize) ;
 		return 0 ;