From de0c3d6fa5e31dcf41162dd0e77513ca741328e7 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Mon, 18 May 2026 16:17:39 +0200
Subject: [PATCH] apply patch for CVE-2026-37555
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves: RHEL-174544
---
...t-overflow-when-calculating-sf.frame.patch | 38 +++++++++++++++++++
libsndfile.spec | 9 ++++-
2 files changed, 46 insertions(+), 1 deletion(-)
create mode 100644 0001-ima_adpcm-fix-int-overflow-when-calculating-sf.frame.patch
diff --git a/0001-ima_adpcm-fix-int-overflow-when-calculating-sf.frame.patch b/0001-ima_adpcm-fix-int-overflow-when-calculating-sf.frame.patch
new file mode 100644
index 0000000..6c39c8f
--- /dev/null
+++ b/0001-ima_adpcm-fix-int-overflow-when-calculating-sf.frame.patch
@@ -0,0 +1,38 @@
+From 0e1d2664822358ebae3fdb8ca15ba1b4ed99f22f Mon Sep 17 00:00:00 2001
+From: Wim Taymans
+Date: Mon, 18 May 2026 14:33:55 +0200
+Subject: [PATCH] ima_adpcm: fix int overflow when calculating sf.frames
+
+When calculating sf.frames, pre-cast samplesperblock to sf_count_t, to
+provide the calculation with enough numeric space to avoid overflows.
+
+CVE: CVE-2026-37555
+---
+ src/ima_adpcm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ima_adpcm.c b/src/ima_adpcm.c
+index 18b56c49..168aec62 100644
+--- a/src/ima_adpcm.c
++++ b/src/ima_adpcm.c
+@@ -164,7 +164,7 @@ ima_close (SF_PRIVATE *psf)
+ if (pima->samplecount && pima->samplecount < pima->samplesperblock)
+ pima->encode_block (psf, pima) ;
+
+- psf->sf.frames = pima->samplesperblock * pima->blockcount / psf->sf.channels ;
++ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blockcount / psf->sf.channels ;
+ } ;
+
+ return 0 ;
+@@ -232,7 +232,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+
+ pima->decode_block = wavlike_ima_decode_block ;
+
+- psf->sf.frames = pima->samplesperblock * pima->blocks ;
++ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks ;
+ break ;
+
+ case SF_FORMAT_AIFF :
+--
+2.54.0
+
diff --git a/libsndfile.spec b/libsndfile.spec
index fb6d761..fa60fca 100644
--- a/libsndfile.spec
+++ b/libsndfile.spec
@@ -1,7 +1,7 @@
 Summary: Library for reading and writing sound files
 Name: libsndfile
 Version: 1.0.31
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: LGPLv2+ and GPLv2+ and BSD
 URL: http://libsndfile.github.io/libsndfile/
 Source0: https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.bz2
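Review bot: The second hunk in src/ima_adpcm.c ends at `case SF_FORMAT_AIFF :`, so the AIFF branch of ima_reader_init is outside the patch, which changes only two assignments (one in ima_close, one in the branch before that case); if the AIFF branch also sets `psf->sf.frames` from `pima->samplesperblock * pima->blocks`, that product is presumably still computed in int and needs the same `(sf_count_t)` cast on its first operand. Both fixed lines depend on the cast binding to `pima->samplesperblock` alone, so a short comment such as `/* widen first operand: the product must be computed in sf_count_t */` would keep a later cleanup from moving the cast around the whole expression, where it would no longer prevent the overflow. The bodies of ima_close and ima_reader_init start and end outside these hunks, so whether `blocks`, `blockcount` and `channels` are range-checked beforehand cannot be confirmed from here.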
@@ -14,6 +14,8 @@ Patch3: libsndfile-1.0.31-ced91d7b.patch # from upstream, fix #RHEL-3751, for <= 1.2.2 Patch4: libsndfile-1.0.31-pullrequest979.patch Patch5: libsndfile-1.2.2-cve-2024-50612.patch +Patch6: 0001-ima_adpcm-fix-int-overflow-when-calculating-sf.frame.patch + BuildRequires: gcc-c++ BuildRequires: alsa-lib-devel BuildRequires: flac-devel @@ -69,6 +71,7 @@ rm -r src/GSM610 %patch -P 3 -p1 -b .ced91d7b %patch -P 4 -p1 -b .pullrequest979 %patch -P 5 -p1 -b .cve-2024-50612 +%patch -P 6 -p1 -b .0006 %build autoreconf -I M4 -fiv # for system-gsm patch @@ -160,6 +163,10 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %changelog +* Mon May 18 2026 Wim Taymans - 1.0.32-10 +- apply patch for CVE-2026-37555 + Resolves: RHEL-174544 + * Tue Nov 19 2024 Michal Hlavinka - 1.0.31-9 - fix crash in ogg vorbis (#RHEL-65096) (CVE-2024-50612)
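Review bot: The added %changelog entry is labelled `1.0.32-10`, while the spec keeps `Version: 1.0.31` and this commit sets `Release: 10%{?dist}`; the entry should read `* Mon May 18 2026 Wim Taymans - 1.0.31-10` so the changelog matches the build that carries the CVE-2026-37555 fix. In the %prep hunk, `-b .0006` is the only backup suffix that does not name its patch (the neighbours use `.cve-2024-50612` and `.pullrequest979`); `%patch -P 6 -p1 -b .cve-2026-37555` would be consistent with them.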