Fix for CVE-2018-19840, CVE-2018-19841

Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>

.gitignore

@@ -1,6 +1,2 @@
-wavpack-4.60.0.tar.bz2
-/wavpack-4.60.1.tar.bz2
-/wavpack-4.70.0.tar.bz2
-/wavpack-4.75.2.tar.bz2
-/wavpack-4.80.0.tar.bz2
-/wavpack-5.1.0.tar.bz2
+*~
+/wavpack-[0-9]*.[0-9]*.[0-9]*.tar.bz2

wavpack-0004-issue-33-sanitize-size-of-unknown-chunks-before-mall.patch

@@ -1,14 +1,7 @@
-From 6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d Mon Sep 17 00:00:00 2001
 From: David Bryant <david@wavpack.com>
 Date: Tue, 24 Apr 2018 17:27:01 -0700
-Subject: [PATCH 1/2] issue #33, sanitize size of unknown chunks before
- malloc()
+Subject: [PATCH] issue #33, sanitize size of unknown chunks before malloc()
 
----
- cli/dsdiff.c | 9 ++++++++-
- cli/riff.c   | 9 ++++++++-
- cli/wave64.c | 9 ++++++++-
- 3 files changed, 24 insertions(+), 3 deletions(-)
 
 diff --git a/cli/dsdiff.c b/cli/dsdiff.c
 index c016df9..fa56bbb 100644
@@ -70,6 +63,3 @@ index 591d640..fa928a0 100644
  
              if (debug_logging_mode)
                  error_line ("extra unknown chunk \"%c%c%c%c\" of %d bytes",
--- 
-2.14.3
-

wavpack-0005-issue-30-issue-31-issue-32-no-multiple-format-chunks.patch

@@ -1,13 +1,8 @@
-From 26cb47f99d481ad9b93eeff80d26e6b63bbd7e15 Mon Sep 17 00:00:00 2001
 From: David Bryant <david@wavpack.com>
 Date: Tue, 24 Apr 2018 22:18:07 -0700
-Subject: [PATCH 2/2] issue #30 issue #31 issue #32: no multiple format chunks
- in WAV or W64
+Subject: [PATCH] issue #30 issue #31 issue #32: no multiple format chunks in
+ WAV or W64
 
----
- cli/riff.c   | 7 ++++++-
- cli/wave64.c | 6 ++++++
- 2 files changed, 12 insertions(+), 1 deletion(-)
 
 diff --git a/cli/riff.c b/cli/riff.c
 index 7bddf63..5d6452e 100644
@@ -58,6 +53,3 @@ index fa928a0..0388dc7 100644
              chunk_header.ckSize = (chunk_header.ckSize + 7) & ~7L;
  
              if (chunk_header.ckSize < 16 || chunk_header.ckSize > sizeof (WaveHeader) ||
--- 
-2.14.3
-

wavpack-0006-issue-53-error-out-on-zero-sample-rate.patch

@@ -0,0 +1,21 @@
+From: David Bryant <david@wavpack.com>
+Date: Thu, 29 Nov 2018 21:00:42 -0800
+Subject: [PATCH] issue #53: error out on zero sample rate
+
+
+diff --git a/src/pack_utils.c b/src/pack_utils.c
+index 1918c18..ee3debf 100644
+--- a/src/pack_utils.c
++++ b/src/pack_utils.c
+@@ -195,6 +195,11 @@ int WavpackSetConfiguration64 (WavpackContext *wpc, WavpackConfig *config, int64
+     int num_chans = config->num_channels;
+     int i;
+ 
++    if (!config->sample_rate) {
++        strcpy (wpc->error_message, "sample rate cannot be zero!");
++        return FALSE;
++    }
++
+     wpc->stream_version = (config->flags & CONFIG_COMPATIBLE_WRITE) ? CUR_STREAM_VERS : MAX_STREAM_VERS;
+ 
+     if ((config->qmode & QMODE_DSD_AUDIO) && config->bytes_per_sample == 1 && config->bits_per_sample == 8) {

wavpack-0007-issue-54-fix-potential-out-of-bounds-heap-read.patch

@@ -0,0 +1,25 @@
+From: David Bryant <david@wavpack.com>
+Date: Thu, 29 Nov 2018 21:53:51 -0800
+Subject: [PATCH] issue #54: fix potential out-of-bounds heap read
+
+
+diff --git a/src/open_utils.c b/src/open_utils.c
+index fc9440c..ce0879c 100644
+--- a/src/open_utils.c
++++ b/src/open_utils.c
+@@ -1258,13 +1258,13 @@ int WavpackVerifySingleBlock (unsigned char *buffer, int verify_checksum)
+ #endif
+ 
+             if (meta_bc == 4) {
+-                if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff) || *dp++ != ((csum >> 16) & 0xff) || *dp++ != ((csum >> 24) & 0xff))
++                if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff) || dp[2] != ((csum >> 16) & 0xff) || dp[3] != ((csum >> 24) & 0xff))
+                     return FALSE;
+             }
+             else {
+                 csum ^= csum >> 16;
+ 
+-                if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff))
++                if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff))
+                     return FALSE;
+             }
+ 

wavpack.spec

@@ -1,7 +1,7 @@
 Name:		wavpack
 Summary:	A completely open audiocodec
 Version:	5.1.0
-Release:	11%{?dist}
+Release:	12%{?dist}
 License:	BSD
 Url:		http://www.wavpack.com/
 Source:		http://www.wavpack.com/%{name}-%{version}.tar.bz2
@@ -10,6 +10,8 @@ Patch2:		wavpack-0002-issue-28-do-not-overwrite-heap-on-corrupt-DSDIFF-fil.patch
 Patch3:		wavpack-0003-issue-28-fix-buffer-overflows-and-bad-allocs-on-corr.patch
 Patch4:		wavpack-0004-issue-33-sanitize-size-of-unknown-chunks-before-mall.patch
 Patch5:		wavpack-0005-issue-30-issue-31-issue-32-no-multiple-format-chunks.patch
+Patch6:		wavpack-0006-issue-53-error-out-on-zero-sample-rate.patch
+Patch7:		wavpack-0007-issue-54-fix-potential-out-of-bounds-heap-read.patch
 # For autoreconf
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -38,17 +40,17 @@ autoreconf -ivf
 # Debian and Buildroot recomendation:
 # WavPack "autodetects" CPU type to enable ASM code. However, the assembly code
 # for ARM is written for ARMv7 only and building WavPack for an ARM-non-v7
-# architecture will fail. 
+# architecture will fail.
 # http://lists.busybox.net/pipermail/buildroot/2015-October/142117.html
 %configure --disable-static \
-%ifarch armv3l armv4b armv4l armv4tl armv5tel armv5tejl armv6l armv6hl 
+%ifarch armv3l armv4b armv4l armv4tl armv5tel armv5tejl armv6l armv6hl
     --disable-asm \
 %endif
 
 make %{?_smp_mflags}
 
 %install
-make DESTDIR=%{buildroot} install
+%make_install
 rm -f %{buildroot}/%{_libdir}/*.la
 
 %ldconfig_scriptlets
@@ -60,7 +62,8 @@ rm -f %{buildroot}/%{_libdir}/*.la
 %{_mandir}/man1/wvgain.1*
 %{_mandir}/man1/wvunpack.1*
 %{_mandir}/man1/wvtag.1*
-%doc AUTHORS COPYING
+%doc AUTHORS
+%license COPYING
 
 %files devel
 %{_includedir}/*
@@ -69,6 +72,9 @@ rm -f %{buildroot}/%{_libdir}/*.la
 %doc ChangeLog README
 
 %changelog
+* Wed Apr 10 2019 Peter Lemenkov <lemenkov@gmail.com> - 5.1.0-12
+- Fix for CVE-2018-19840, CVE-2018-19841
+
 * Thu Feb 28 2019 Sérgio Basto <sergio@serjux.com> - 5.1.0-11
 - Make the manual pages decompression format agnostic