From c5a69e606be89f61c2b288922449ec48032a3d08 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Thu, 5 May 2022 10:36:22 +0200
Subject: [PATCH] handle end-of-stream when encoding with verification
 (CVE-2021-0561)

Resolves: CVE-2021-0561
---
 flac-cve-2021-0561.patch | 28 ++++++++++++++++++++++++++++
 flac.spec                |  3 +++
 2 files changed, 31 insertions(+)
 create mode 100644 flac-cve-2021-0561.patch

diff --git a/flac-cve-2021-0561.patch b/flac-cve-2021-0561.patch
new file mode 100644
index 0000000..71069b1
--- /dev/null
+++ b/flac-cve-2021-0561.patch
@@ -0,0 +1,28 @@
+commit e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be
+Author: Neelkamal Semwal <neelkamal.semwal@ittiam.com>
+Date:   Fri Dec 18 22:28:36 2020 +0530
+
+    libFlac: Exit at EOS in verify mode
+    
+    When verify mode is enabled, once decoder flags end of stream,
+    encode processing is considered complete.
+    
+    CVE-2021-0561
+    
+    Signed-off-by: Ralph Giles <giles@thaumas.net>
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 4c91247f..7109802c 100644
+--- a/src/libFLAC/stream_encoder.c
++++ b/src/libFLAC/stream_encoder.c
+@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC
+ 			encoder->private_->verify.needs_magic_hack = true;
+ 		}
+ 		else {
+-			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
++			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
++			    || (!is_last_block
++				    && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) {
+ 				FLAC__bitwriter_release_buffer(encoder->private_->frame);
+ 				FLAC__bitwriter_clear(encoder->private_->frame);
+ 				if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
diff --git a/flac.spec b/flac.spec
index e2f5ef2..86489c5 100644
--- a/flac.spec
+++ b/flac.spec
@@ -26,6 +26,8 @@ BuildRequires: nasm >= 2.0
 BuildRequires: make
 
 Patch1: flac-cve-2020-0499.patch
+# handle end-of-stream when encoding with verification
+Patch2: flac-cve-2021-0561.patch
 
 %description
 FLAC stands for Free Lossless Audio Codec. Grossly oversimplified, FLAC
@@ -75,6 +77,7 @@ This is the input plugin for XMMS to be able to read FLAC files.
 %prep
 %setup -q
 %patch1 -p1 -b .cve-2020-0499
+%patch2 -p1 -b .cve-2021-0561
 
 %build
 # use our libtool to avoid problems with RPATH