From 90d899289ef24d653f54ebc91646f71fe131fa89 Mon Sep 17 00:00:00 2001
From: DistroBaker <osci-list@redhat.com>
Date: Thu, 7 Jan 2021 10:28:16 +0000
Subject: [PATCH] Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/flac.git#73f4071b023b2cfdde017aaf32b75beeafb5592b
---
 flac-cve-2020-0499.patch | 23 +++++++++++++++++++++++
 flac.spec                | 10 +++++++---
 2 files changed, 30 insertions(+), 3 deletions(-)
 create mode 100644 flac-cve-2020-0499.patch

diff --git a/flac-cve-2020-0499.patch b/flac-cve-2020-0499.patch
new file mode 100644
index 0000000..712294a
--- /dev/null
+++ b/flac-cve-2020-0499.patch
@@ -0,0 +1,23 @@
+commit 2e7931c27eb15e387da440a37f12437e35b22dd4
+Author: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date:   Mon Oct 7 12:55:58 2019 +1100
+
+    libFLAC/bitreader.c: Fix out-of-bounds read
+    
+    Credit: Oss-Fuzz
+    Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17069
+    Testcase: fuzzer_decoder-5670265022840832
+
+diff --git a/src/libFLAC/bitreader.c b/src/libFLAC/bitreader.c
+index 5e4b5918..3df4d02c 100644
+--- a/src/libFLAC/bitreader.c
++++ b/src/libFLAC/bitreader.c
+@@ -869,7 +869,7 @@ incomplete_lsbs:
+ 			cwords = br->consumed_words;
+ 			words = br->words;
+ 			ucbits = FLAC__BITS_PER_WORD - br->consumed_bits;
+-			b = br->buffer[cwords] << br->consumed_bits;
++			b = cwords < br->capacity ? br->buffer[cwords] << br->consumed_bits : 0;
+ 		} while(cwords >= words && val < end);
+ 	}
+ 
diff --git a/flac.spec b/flac.spec
index 87b4ac7..1d928f9 100644
--- a/flac.spec
+++ b/flac.spec
@@ -8,7 +8,7 @@
 Summary: An encoder/decoder for the Free Lossless Audio Codec
 Name: flac
 Version: 1.3.3
-Release: 3.1%{?dist}
+Release: 4%{?dist}
 License: BSD and GPLv2+ and GFDL
 Source0: https://downloads.xiph.org/releases/flac/flac-%{version}.tar.xz
 URL: https://www.xiph.org/flac/
@@ -23,6 +23,9 @@ Source1: xmms-flac.desktop
 # 2.0 supports symbol visibility
 BuildRequires: nasm >= 2.0
 %endif
+BuildRequires: make
+
+Patch1: flac-cve-2020-0499.patch
 
 %description
 FLAC stands for Free Lossless Audio Codec. Grossly oversimplified, FLAC
@@ -71,6 +74,7 @@ This is the input plugin for XMMS to be able to read FLAC files.
 
 %prep
 %setup -q
+%patch1 -p1 -b .cve-2020-0499
 
 %build
 # use our libtool to avoid problems with RPATH
@@ -139,8 +143,8 @@ make check
 %endif
 
 %changelog
-* Sat Dec 19 2020 Petr Šabata <contyk@redhat.com> - 1.3.3-3.1
-- Bump for gcc11
+* Thu Jan 07 2021 Miroslav Lichvar <mlichvar@redhat.com> 1.3.3-4
+- fix out-of-bounds read in decoder (CVE-2020-0499)
 
 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild