apply patch for CVE-2026-37555

Resolves: RHEL-174532
2026-05-18 16:17:39 +02:00 · 2026-05-18 16:17:39 +02:00 · df4cea1b20
commit df4cea1b20
parent 447637a10c
2 changed files with 46 additions and 1 deletions
--- a/0001-ima_adpcm-fix-int-overflow-when-calculating-sf.frame.patch
+++ b/0001-ima_adpcm-fix-int-overflow-when-calculating-sf.frame.patch
@ -0,0 +1,38 @@
+From 0e1d2664822358ebae3fdb8ca15ba1b4ed99f22f Mon Sep 17 00:00:00 2001
+From: Wim Taymans <wtaymans@redhat.com>
+Date: Mon, 18 May 2026 14:33:55 +0200
+Subject: [PATCH] ima_adpcm: fix int overflow when calculating sf.frames
+
+When calculating sf.frames, pre-cast samplesperblock to sf_count_t, to
+provide the calculation with enough numeric space to avoid overflows.
+
+CVE: CVE-2026-37555
+---
+ src/ima_adpcm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/ima_adpcm.c b/src/ima_adpcm.c
+index 18b56c49..168aec62 100644
+--- a/src/ima_adpcm.c
+++ b/src/ima_adpcm.c
+@@ -164,7 +164,7 @@ ima_close	(SF_PRIVATE *psf)
+ 		if (pima->samplecount && pima->samplecount < pima->samplesperblock)
+ 			pima->encode_block (psf, pima) ;
+ 
+-		psf->sf.frames = pima->samplesperblock * pima->blockcount / psf->sf.channels ;
+		psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blockcount / psf->sf.channels ;
+ 		} ;
+ 
+ 	return 0 ;
+@@ -232,7 +232,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)
+ 
+ 				pima->decode_block = wavlike_ima_decode_block ;
+ 
+-				psf->sf.frames = pima->samplesperblock * pima->blocks ;
+				psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks ;
+ 				break ;
+ 
+ 		case SF_FORMAT_AIFF :
+-- 
+2.54.0
+
--- a/libsndfile.spec
+++ b/libsndfile.spec
@ -1,13 +1,15 @@
 Summary:	Library for reading and writing sound files
 Name:		libsndfile
 Version:	1.2.2
-Release:	6%{?dist}
+Release:	7%{?dist}
 License:	LGPL-2.1 OR LGPL-3.0
 URL:		http://libsndfile.github.io/libsndfile/
 Source0:        https://github.com/libsndfile/libsndfile/releases/download/%{version}/libsndfile-%{version}.tar.xz
 Patch0:		libsndfile-1.0.25-system-gsm.patch
 # from upstream, for <= 1.2.2, #RHEL-65095
 Patch1:		libsndfile-1.2.2-cve-2024-50612.patch
+Patch2:		0001-ima_adpcm-fix-int-overflow-when-calculating-sf.frame.patch
+
 %if %{undefined rhel}
 # used to regenerate test .c sources from .def files
 BuildRequires:  autogen
@ -63,6 +65,7 @@ This package contains command line utilities for libsndfile.
 %setup -q
 %patch -P0 -p1 -b .system-gsm
 %patch -P 1 -p1 -b .cve-2024-50612
+%patch -P 2 -p1 -b .0002
 rm -r src/GSM610

 %build
@ -157,6 +160,10 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check


 %changelog
+* Mon May 18 2026 Wim Taymans <wtaymans@redhat.com> - 1.2.2-7
+- apply patch for CVE-2026-37555
+  Resolves: RHEL-174532
+
 * Tue Dec 09 2025 Tomas Pelka <tpelka@redhat.com> - 1.2.2-6
 - change the license to LGPL-2.1 OR LGPL-3.0 (#RHEL-85333)