6 changed files with 247 additions and 38 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
-SOURCES/libvorbis-1.3.7.tar.xz
+SOURCES/libvorbis-1.3.6.tar.xz
+/libvorbis-1.3.6.tar.xz
--- a/.libvorbis.metadata
+++ b/.libvorbis.metadata
@ -1 +0,0 @@
-0a2dd71a999656b8091506839e8007a61a8fda1f SOURCES/libvorbis-1.3.7.tar.xz
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}
--- a/libvorbis-1.3.6-git.patch
+++ b/libvorbis-1.3.6-git.patch
@ -0,0 +1,215 @@
+diff --git a/Brewfile b/Brewfile
+new file mode 100644
+index 0000000..af81e5b
+--- /dev/null
+++ b/Brewfile
+@@ -0,0 +1,3 @@
+brew 'doxygen'
+brew 'libogg'
+brew 'xz'
+diff --git a/Makefile.am b/Makefile.am
+index c35131a..3feaf72 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -26,7 +26,7 @@ EXTRA_DIST = \
+ 	vorbisenc-uninstalled.pc.in \
+ 	vorbisfile-uninstalled.pc.in \
+ 	symbian \
+-	macosx win32
+	macosx win32 CMakeLists.txt
+ 
+ 
+ DISTCHECK_CONFIGURE_FLAGS = --enable-docs
+diff --git a/contrib/oss-fuzz/build.sh b/contrib/oss-fuzz/build.sh
+new file mode 100755
+index 0000000..29e7f38
+--- /dev/null
+++ b/contrib/oss-fuzz/build.sh
+@@ -0,0 +1,23 @@
+#!/bin/bash -eu
+
+pushd $SRC
+mv people.xiph.org/*.ogg decode_corpus/
+zip -r "$OUT/decode_fuzzer_seed_corpus.zip" decode_corpus/
+popd
+
+pushd $SRC/ogg
+./autogen.sh
+./configure --prefix="$WORK" --enable-static --disable-shared --disable-crc
+make clean
+make -j$(nproc)
+make install
+popd
+
+
+./autogen.sh
+./configure --prefix="$WORK" --enable-static --disable-shared
+make clean
+make -j$(nproc)
+make install
+
+$CXX $CXXFLAGS $SRC/vorbis/contrib/oss-fuzz/decode_fuzzer.cc -o $OUT/decode_fuzzer -L"$WORK/lib" -I"$WORK/include" -lFuzzingEngine -lvorbisfile -lvorbis -logg
+diff --git a/contrib/oss-fuzz/decode_fuzzer.cc b/contrib/oss-fuzz/decode_fuzzer.cc
+new file mode 100644
+index 0000000..b8840c1
+--- /dev/null
+++ b/contrib/oss-fuzz/decode_fuzzer.cc
+@@ -0,0 +1,48 @@
+#include <stdio.h>
+#include <string.h>
+#include <cstdint>
+#include <vorbis/vorbisfile.h>
+
+struct vorbis_data {
+  const uint8_t *current;
+  const uint8_t *data;
+  size_t size;
+};
+
+size_t read_func(void *ptr, size_t size1, size_t size2, void *datasource) {
+  vorbis_data* vd = (vorbis_data *)(datasource);
+  size_t len = size1 * size2;
+  if (vd->current + len > vd->data + vd->size) {
+      len = vd->data + vd->size - vd->current;
+  }
+  memcpy(ptr, vd->current, len);
+  vd->current += len;
+  return len;
+}
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  ov_callbacks memory_callbacks = {0};
+  memory_callbacks.read_func = read_func;
+  vorbis_data data_st;
+  data_st.size = Size;
+  data_st.current = Data;
+  data_st.data = Data;
+  OggVorbis_File vf;
+  int result = ov_open_callbacks(&data_st, &vf, NULL, 0, memory_callbacks);
+  if (result < 0) {
+    return 0;
+  }
+  int current_section = 0;
+  int eof = 0;
+  char buf[4096];
+  int read_result;
+  while (!eof) {
+    read_result = ov_read(&vf, buf, sizeof(buf), 0, 2, 1, &current_section);
+    if (read_result != OV_HOLE && read_result <= 0) {
+      eof = 1;
+    }
+  }
+  ov_clear(&vf);
+  return 0;
+}
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index cd5afdf..e22895e 100644
+--- a/lib/Makefile.am
+++ b/lib/Makefile.am
+@@ -35,7 +35,7 @@ psytune_SOURCES = psytune.c
+ psytune_LDFLAGS = -static
+ psytune_LDADD = libvorbis.la
+ 
+-EXTRA_DIST = lookups.pl 
+EXTRA_DIST = lookups.pl CMakeLists.txt
+ 
+ # build and run the self tests on 'make check'
+ 
+diff --git a/lib/info.c b/lib/info.c
+index 3fbb7c7..23efa25 100644
+--- a/lib/info.c
+++ b/lib/info.c
+@@ -203,6 +203,7 @@ void vorbis_info_clear(vorbis_info *vi){
+ 
+ static int _vorbis_unpack_info(vorbis_info *vi,oggpack_buffer *opb){
+   codec_setup_info     *ci=vi->codec_setup;
+  int bs;
+   if(!ci)return(OV_EFAULT);
+ 
+   vi->version=oggpack_read(opb,32);
+@@ -215,8 +216,12 @@ static int _vorbis_unpack_info(vorbis_info *vi,oggpack_buffer *opb){
+   vi->bitrate_nominal=(ogg_int32_t)oggpack_read(opb,32);
+   vi->bitrate_lower=(ogg_int32_t)oggpack_read(opb,32);
+ 
+-  ci->blocksizes[0]=1<<oggpack_read(opb,4);
+-  ci->blocksizes[1]=1<<oggpack_read(opb,4);
+  bs = oggpack_read(opb,4);
+  if(bs<0)goto err_out;
+  ci->blocksizes[0]=1<<bs;
+  bs = oggpack_read(opb,4);
+  if(bs<0)goto err_out;
+  ci->blocksizes[1]=1<<bs;
+ 
+   if(vi->rate<1)goto err_out;
+   if(vi->channels<1)goto err_out;
+diff --git a/lib/os.h b/lib/os.h
+index 416a401..e098926 100644
+--- a/lib/os.h
+++ b/lib/os.h
+@@ -120,7 +120,7 @@ static inline int vorbis_ftoi(double f){  /* yes, double!  Otherwise,
+ /* MSVC inline assembly. 32 bit only; inline ASM isn't implemented in the
+  * 64 bit compiler and doesn't work on arm. */
+ #if defined(_MSC_VER) && !defined(_WIN64) && \
+-      !defined(_WIN32_WCE) && !defined(_M_ARM)
+      !defined(_WIN32_WCE) && !defined(_M_ARM) && !defined(_M_ARM64)
+ #  define VORBIS_FPU_CONTROL
+ 
+ typedef ogg_int16_t vorbis_fpu_control;
+diff --git a/lib/psy.c b/lib/psy.c
+index 422c6f1..1310123 100644
+--- a/lib/psy.c
+++ b/lib/psy.c
+@@ -602,8 +602,9 @@ static void bark_noise_hybridmp(int n,const long *b,
+   for (i = 0, x = 0.f;; i++, x += 1.f) {
+ 
+     lo = b[i] >> 16;
+-    if( lo>=0 ) break;
+     hi = b[i] & 0xffff;
+    if( lo>=0 ) break;
+    if( hi>=n ) break;
+ 
+     tN = N[hi] + N[-lo];
+     tX = X[hi] - X[-lo];
+diff --git a/lib/sharedbook.c b/lib/sharedbook.c
+index 4545d4f..8d73daa 100644
+--- a/lib/sharedbook.c
+++ b/lib/sharedbook.c
+@@ -62,7 +62,15 @@ float _float32_unpack(long val){
+   int    sign=val&0x80000000;
+   long   exp =(val&0x7fe00000L)>>VQ_FMAN;
+   if(sign)mant= -mant;
+-  return(ldexp(mant,exp-(VQ_FMAN-1)-VQ_FEXP_BIAS));
+  exp=exp-(VQ_FMAN-1)-VQ_FEXP_BIAS;
+  /* clamp excessive exponent values */
+  if (exp>63){
+    exp=63;
+  }
+  if (exp<-63){
+    exp-63;
+  }
+  return(ldexp(mant,exp));
+ }
+ 
+ /* given a list of word lengths, generate a list of codewords.  Works
+diff --git a/lib/vorbisenc.c b/lib/vorbisenc.c
+index 4a4607c..64a51b5 100644
+--- a/lib/vorbisenc.c
+++ b/lib/vorbisenc.c
+@@ -684,6 +684,7 @@ int vorbis_encode_setup_init(vorbis_info *vi){
+   highlevel_encode_setup *hi=&ci->hi;
+ 
+   if(ci==NULL)return(OV_EINVAL);
+  if(vi->channels<1||vi->channels>255)return(OV_EINVAL);
+   if(!hi->impulse_block_p)i0=1;
+ 
+   /* too low/high an ATH floater is nonsensical, but doesn't break anything */
+@@ -1210,7 +1211,7 @@ int vorbis_encode_ctl(vorbis_info *vi,int number,void *arg){
+                                           hi->req,
+                                           hi->managed,
+                                           &new_base);
+-        if(!hi->setup)return OV_EIMPL;
+        if(!new_template)return OV_EIMPL;
+         hi->setup=new_template;
+         hi->base_setting=new_base;
+         vorbis_encode_setup_setting(vi,vi->channels,vi->rate);
--- a/SPECS/libvorbis.spec
+++ b/SPECS/libvorbis.spec
@ -2,15 +2,28 @@

 Summary:	The Vorbis General Audio Compression Codec
 Name:		libvorbis
-Version:	1.3.7
-Release:	5%{?dist}
+Version:	1.3.6
+Release:	2%{?dist}
 Epoch:		1
+Group:		System Environment/Libraries
 License:	BSD
 URL:		https://www.xiph.org/
 Source:		https://downloads.xiph.org/releases/vorbis/%{name}-%{version}.tar.xz
-BuildRequires:  gcc
 BuildRequires:	pkgconfig(ogg) >= 1.0
-BuildRequires: make
+
+# sync with git as of
+#
+# commit 46e70fa6573e206c2555cd99a53204ffd6bf58fd
+# Author: Minmin Gong <gongminmin@msn.com>
+# Date:   Wed Jul 4 21:37:54 2018 -0700
+#
+#     Fix the compiling errors on msvc ARM64 configuration.
+#
+# Fixes:
+# CVE-2017-14160
+# CVE-2018-10392
+# CVE-2018-10393
+Patch0: libvorbis-1.3.6-git.patch

 %description
 Ogg Vorbis is a fully open, non-proprietary, patent- and royalty-free,
@ -22,6 +35,7 @@ that support Ogg Vorbis.

 %package devel
 Summary: Development tools for Vorbis applications
+Group: Development/Libraries
 Requires:	%{name}%{?_isa} = %{epoch}:%{version}-%{release}

 %description devel
@ -30,6 +44,7 @@ needed to develop applications with Ogg Vorbis.

 %package devel-docs
 Summary: Documentation for developing Vorbis applications
+Group: Development/Libraries
 Requires: %{name}-devel = %{epoch}:%{version}-%{release}
 BuildArch: noarch

@ -39,6 +54,8 @@ Documentation for developing applications with libvorbis.
 %prep

 %setup -q
+%patch0 -p1
+sed -i "s|-O20|$RPM_OPT_FLAGS|" configure
 sed -i "s/-ffast-math//" configure
 sed -i "s/-mcpu=750//" configure

@ -76,38 +93,8 @@ make check
 %ldconfig_scriptlets

 %changelog
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.3.7-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:1.3.7-4
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.3.7-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.3.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Thu Jul 16 2020 David King <amigadave@amigadave.com> - 1.3.7-1
- Update to 1.3.7
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.3.6-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.3.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.3.6-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Tue Jul 31 2018 Adam Jackson <ajax@redhat.com> - 1.3.6-3
- Sync with git (CVE-2017-14160, CVE-2018-10392,
-  CVE-2018-10393, #1516379)
-
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.3.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+* Wed May 29 2019 Adam Jackson <ajax@redhat.com> - 1.3.6-2
+- Sync with git for CVE-2017-14160, CVE-2018-10392, CVE-2018-10393

 * Fri Mar 16 2018 Adam Jackson <ajax@redhat.com> - 1.3.6-1
 - libvorbis 1.3.6
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (libvorbis-1.3.6.tar.xz) = a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132
				`@ -1 +0,0 @@`
				`0a2dd71a999656b8091506839e8007a61a8fda1f SOURCES/libvorbis-1.3.7.tar.xz`
				`@ -0,0 +1 @@`
				`SHA512 (libvorbis-1.3.6.tar.xz) = a5d990bb88db2501b16f8eaee9f2ecb599cefd7dab2134d16538d8905263a972157c7671867848c2a8a358bf5e5dbc7721205ece001032482f168be7bda4f132`