From 95d8d8cf079ecacd9bc621eac2759386e79d6232 Mon Sep 17 00:00:00 2001
From: thoger
Date: Tue, 15 Apr 2008 15:43:22 +0000
Subject: [PATCH] Add mode checks to speex_packet_to_header() to protect applications using speex library and not having proper checks (CVE-2008-1686, #441239, https://trac.xiph.org/changeset/14701)
---
 speex-1.2-CVE-2008-1686.diff | 21 +++++++++++++++++++++
 speex.spec | 9 ++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 speex-1.2-CVE-2008-1686.diff
diff --git a/speex-1.2-CVE-2008-1686.diff b/speex-1.2-CVE-2008-1686.diff
new file mode 100644
index 0000000..066432e
--- /dev/null
+++ b/speex-1.2-CVE-2008-1686.diff
@@ -0,0 +1,21 @@
+Patch for CVE-2008-1686, see:
+https://trac.xiph.org/changeset/14701
+http://www.ocert.org/advisories/ocert-2008-2.html
+
+diff -pruN speex-1.2beta2.orig/libspeex/speex_header.c speex-1.2beta2/libspeex/speex_header.c
+--- speex-1.2beta2.orig/libspeex/speex_header.c 2007-03-18 13:25:09.000000000 +0100
++++ speex-1.2beta2/libspeex/speex_header.c 2008-04-15 17:15:18.000000000 +0200
+@@ -161,6 +161,13 @@ SpeexHeader *speex_packet_to_header(char
+ ENDIAN_SWITCH(le_header->frames_per_packet);
+ ENDIAN_SWITCH(le_header->extra_headers);
+
++ if (le_header->mode >= SPEEX_NB_MODES || le_header->mode < 0)
++ {
++ speex_warning ("Invalid mode specified in Speex header");
++ speex_free (le_header);
++ return NULL;
++ }
++
+ return le_header;
+
+ }
diff --git a/speex.spec b/speex.spec
index 0008e4a..427dfb6 100644
--- a/speex.spec
+++ b/speex.spec
@@ -1,7 +1,7 @@
 Summary: A voice compression format (codec)
 Name: speex
 Version: 1.2
-Release: 0.6.beta3
+Release: 0.7.beta3
 License: BSD
 Group: System Environment/Libraries
 URL: http://www.speex.org/
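Review bot: The guard added to speex_packet_to_header() range-checks only `mode`, while `frames_per_packet` and `extra_headers`, byte-swapped in the two context lines directly above it, are still returned to the caller exactly as they arrived in the packet. Callers that use those fields as counts or sizes therefore still need their own bounds checks, and that is worth stating next to the new test with a comment such as `/* Only mode is validated here; callers must still range-check the other header fields. */`. The new `return NULL` path also deserves a line in the function's documentation, so that applications know a packet can now be rejected for its mode value and must test the result before use. The function begins above the hunk, so any validation done earlier in it is not visible here.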
@@ -12,6 +12,7 @@ BuildRequires: libogg-devel
 # don't build unneded test programs, since they seem to cause
 # build failures
 Patch0: speex-1.2beta1-test-progs.patch
+Patch1: speex-1.2-CVE-2008-1686.diff
 
 %description
 Speex is a patent-free compression format designed especially for
@@ -42,6 +43,7 @@ speech. This package contains tools files and user's manual for %{name}.
 %prep
 %setup -q -n speex-1.2beta3
 %patch0 -p1 -b .test-progs
+%patch1 -p1 -b .CVE-2008-1686
 chmod a-x README
 
 %build
@@ -90,6 +92,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/speexdec.1*
 
 %changelog
+* Tue Apr 15 2008 Tomas Hoger - 1.2-0.7.beta3
+- Security update: Add mode checks to speex_packet_to_header() to protect
+ applications using speex library and not having proper checks
+ (CVE-2008-1686, #441239, https://trac.xiph.org/changeset/14701)
+
 * Mon Mar 31 2008 Marcela Maslanova - 1.2-0.6.beta3
 - 439284 add owner to %{_defaultdocdir}/speex
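Review bot: `%patch1 -p1 -b .CVE-2008-1686` in the `%prep` hunk is applied to the tree unpacked by `%setup -q -n speex-1.2beta3`, but the patch file this commit adds was produced with `diff -pruN speex-1.2beta2.orig/... speex-1.2beta2/...`, that is, against beta2. Because `-p1` strips the leading directory it presumably still applies, possibly with a line offset; regenerating it against the beta3 sources would keep a security fix from depending on patch fuzz. A comment above the `Patch1:` line, for example `# CVE-2008-1686: reject out-of-range mode in speex_packet_to_header() (upstream changeset 14701)`, would record why the patch is carried and when it can be dropped.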