From 2ac883cf3728326e1085c533b786b361a1b5652b Mon Sep 17 00:00:00 2001
From: Hans de Goede
Date: Thu, 5 Jul 2018 20:56:29 +0200
Subject: [PATCH] Security fix for CVE-2017-9258, CVE-2017-9259, CVE-2017-9260 (rhbz#1475759)
---
 cve-2017-92xx.patch | 36 ++++++++++++++++++++++++++++++++++++
 soundtouch.spec | 7 ++++++-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 cve-2017-92xx.patch
diff --git a/cve-2017-92xx.patch b/cve-2017-92xx.patch
new file mode 100644
index 0000000..0e475a3
--- /dev/null
+++ b/cve-2017-92xx.patch
@@ -0,0 +1,36 @@
+Description: Fix CVE-2017-9258, CVE-2017-9259, CVE-2017-9260
+ Based on an upstream commit, original commit message was: "Added sanity
+ checks against illegal input audio stream parameters e.g. wildly excessive
+ samplerate".
+ .
+ There is no reference to CVEs or bugs, the commit was made after disclosure
+ of the CVEs and all three proofs of concept (crafted wav files) fail after
+ this commit.
+ .
+ The commit was made after version 2.0.0, so that version is also vulnerable.
+ .
+ Unrelated changes were stripped away by patch author, upstream commit author
+ is Olli Parviainen .
+Author: Gabor Karsay
+Origin: upstream, https://sourceforge.net/p/soundtouch/code/256/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870854
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870856
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870857
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/source/SoundTouch/TDStretch.cpp
+++ b/source/SoundTouch/TDStretch.cpp
+@@ -128,7 +128,12 @@
+ int aSeekWindowMS, int aOverlapMS)
+ {
+ // accept only positive parameter values - if zero or negative, use old values instead
+- if (aSampleRate > 0) this->sampleRate = aSampleRate;
++ if (aSampleRate > 0)
++ {
++ if (aSampleRate > 192000) ST_THROW_RT_ERROR("Error: Excessive samplerate");
++ this->sampleRate = aSampleRate;
++ }
++
+ if (aOverlapMS > 0) this->overlapMs = aOverlapMS;
+
+ if (aSequenceMS > 0)
diff --git a/soundtouch.spec b/soundtouch.spec
index 93fec4e..0f45569 100644
--- a/soundtouch.spec
+++ b/soundtouch.spec
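Review bot: The added guard in the embedded TDStretch.cpp hunk bounds only `aSampleRate`; in the visible lines `aOverlapMS` and `aSequenceMS` are still accepted on a `> 0` test alone, so the claim of closing all three CVEs rests on the proofs of concept failing rather than on every stream-derived parameter being range-checked. If the millisecond parameters can also be influenced by a crafted file, they deserve an upper bound of the same kind, and a regression test that feeds the three crafted WAV files would keep the fix from silently regressing. The literal `192000` should be a named constant carrying its rationale, e.g. `// upper bound on rates taken from untrusted stream headers (CVE-2017-9258, -9259, -9260)`. The assignment also still follows the macro unconditionally, so `else this->sampleRate = aSampleRate;` would be safer in case ST_THROW_RT_ERROR does not unwind in some build configuration (its definition is not shown here). The enclosing function starts and continues outside the hunk.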
@@ -1,12 +1,13 @@
 Name: soundtouch
 Version: 2.0.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Audio Processing library for changing Tempo, Pitch and Playback Rates
 License: LGPLv2+
 Group: System Environment/Libraries
 URL: http://www.surina.net/soundtouch/
 Source0: http://www.surina.net/soundtouch/%{name}-%{version}.tar.gz
 Patch0: soundtouch-1.4.0-x86_64-asm-broken.patch
+Patch1: cve-2017-92xx.patch
 BuildRequires: gcc-c++
 BuildRequires: autoconf automake libtool
@@ -40,6 +41,7 @@ sed -i 's|-O3||' source/SoundStretch/Makefile.*
 autoreconf -iv
 #why not in x86_64 !?
 #patch0 -p1
+%patch1 -p1
 # set correct version for .so build
 %define ltversion %(echo %{version} | tr '.' ':')
@@ -95,6 +97,9 @@ ln -s soundtouch.pc %{buildroot}%{_libdir}/pkgconfig/soundtouch-1.0.pc
 %changelog
+* Thu Jul 05 2018 Hans de Goede 2.0.0-3
+- Security fix for CVE-2017-9258, CVE-2017-9259, CVE-2017-9260 (rhbz#1475759)
+
 * Fri Feb 09 2018 Fedora Release Engineering - 2.0.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild