From b4255ab79fb332031fb3053a973b51d9e2e3d6565dd882129981a37aba1675ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Tue, 8 Jan 2019 08:02:37 +0000
Subject: [PATCH] Accepting request 663469 from home:sbrabec:branches:multimedia:libs
- Fix denial-of-service (resource exhaustion caused by an infinite loop; bsc#1120930, CVE-2018-19840, CVE-2018-19840.patch).
- Fix denial-of-service (out-of-bounds read and application crash; bsc#1120929, CVE-2018-19841, CVE-2018-19841.patch).
OBS-URL: https://build.opensuse.org/request/show/663469
OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/wavpack?expand=0&rev=24
---
CVE-2018-19840.patch | 28 ++++++++++++++++++++++++++++
CVE-2018-19841.patch | 32 ++++++++++++++++++++++++++++++++
wavpack.changes | 8 ++++++++
wavpack.spec | 10 ++++++++--
4 files changed, 76 insertions(+), 2 deletions(-)
create mode 100644 CVE-2018-19840.patch
create mode 100644 CVE-2018-19841.patch
diff --git a/CVE-2018-19840.patch b/CVE-2018-19840.patch
new file mode 100644
index 0000000..8e7215a
--- /dev/null
+++ b/CVE-2018-19840.patch
@@ -0,0 +1,28 @@
+From 070ef6f138956d9ea9612e69586152339dbefe51 Mon Sep 17 00:00:00 2001
+From: David Bryant
+Date: Thu, 29 Nov 2018 21:00:42 -0800
+Subject: [PATCH] issue #53: error out on zero sample rate
+
+---
+ src/pack_utils.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/pack_utils.c b/src/pack_utils.c
+index 2253f0d..2a83497 100644
+--- a/src/pack_utils.c
++++ b/src/pack_utils.c
+@@ -195,6 +195,11 @@ int WavpackSetConfiguration64 (WavpackContext *wpc, WavpackConfig *config, int64
+ int num_chans = config->num_channels;
+ int i;
+
++ if (!config->sample_rate) {
++ strcpy (wpc->error_message, "sample rate cannot be zero!");
++ return FALSE;
++ }
++
+ wpc->stream_version = (config->flags & CONFIG_COMPATIBLE_WRITE) ? CUR_STREAM_VERS : MAX_STREAM_VERS;
+
+ if ((config->qmode & QMODE_DSD_AUDIO) && config->bytes_per_sample == 1 && config->bits_per_sample == 8) {
+--
+2.20.1
+
diff --git a/CVE-2018-19841.patch b/CVE-2018-19841.patch
new file mode 100644
index 0000000..62225cf
--- /dev/null
+++ b/CVE-2018-19841.patch
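Review bot: The guard added to WavpackSetConfiguration64 in CVE-2018-19840.patch rejects only a zero rate, so a negative `config->sample_rate` still passes if the field is a signed type; its declaration is not part of this hunk. If a negative rate is as meaningless to the code further down as zero is, `if (config->sample_rate <= 0) {` covers both cases. Since this file is a copy of an upstream commit, the wider check is better raised upstream than changed only in this package. The function body continues past the end of the hunk.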
@@ -0,0 +1,32 @@
+From bba5389dc598a92bdf2b297c3ea34620b6679b5b Mon Sep 17 00:00:00 2001
+From: David Bryant
+Date: Thu, 29 Nov 2018 21:53:51 -0800
+Subject: [PATCH] issue #54: fix potential out-of-bounds heap read
+
+---
+ src/open_utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/open_utils.c b/src/open_utils.c
+index 80051fc..4fe0d67 100644
+--- a/src/open_utils.c
++++ b/src/open_utils.c
+@@ -1258,13 +1258,13 @@ int WavpackVerifySingleBlock (unsigned char *buffer, int verify_checksum)
+ #endif
+
+ if (meta_bc == 4) {
+- if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff) || *dp++ != ((csum >> 16) & 0xff) || *dp++ != ((csum >> 24) & 0xff))
++ if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff) || dp[2] != ((csum >> 16) & 0xff) || dp[3] != ((csum >> 24) & 0xff))
+ return FALSE;
+ }
+ else {
+ csum ^= csum >> 16;
+
+- if (*dp++ != (csum & 0xff) || *dp++ != ((csum >> 8) & 0xff))
++ if (*dp != (csum & 0xff) || dp[1] != ((csum >> 8) & 0xff))
+ return FALSE;
+ }
+
+--
+2.20.1
+
diff --git a/wavpack.changes b/wavpack.changes
index 14a6580..2cb156d 100644
--- a/wavpack.changes
+++ b/wavpack.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jan 7 19:29:45 CET 2019 - sbrabec@suse.com
+
+- Fix denial-of-service (resource exhaustion caused by an infinite
+ loop; bsc#1120930, CVE-2018-19840, CVE-2018-19840.patch).
+- Fix denial-of-service (out-of-bounds read and application crash;
+ bsc#1120929, CVE-2018-19841, CVE-2018-19841.patch).
+
 -------------------------------------------------------------------
 Tue Feb 20 08:48:07 UTC 2018 - kbabioch@suse.com
diff --git a/wavpack.spec b/wavpack.spec
index 820c391..0624aee 100644
--- a/wavpack.spec
+++ b/wavpack.spec
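Review bot: Nothing in WavpackVerifySingleBlock (CVE-2018-19841.patch) records why the checksum bytes are now read as `dp[1]` to `dp[3]` instead of through `*dp++`, and the two forms look interchangeable to a later reader. A comment above `if (meta_bc == 4) {` such as `/* compare in place: dp must not move here */` would keep the post-increments from coming back. The code that depends on dp staying put is outside this hunk, so the exact wording should be checked against it. The `else` branch reads two bytes for every `meta_bc` other than 4, and the check that bounds `meta_bc` is likewise not visible here.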
@@ -1,7 +1,7 @@
 #
 # spec file for package wavpack
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -31,6 +31,10 @@ Source99: baselibs.conf
 Patch0: wavpack-CVE-2018-6767.patch
 Patch1: CVE-2018-7253.patch
 Patch2: CVE-2018-7254.patch
+# PATCH-FIX-SECURITY CVE-2018-19840.patch bsc1120930 CVE-2018-19840 sbrabec@suse.cz -- Fix denial-of-service (resource exhaustion caused by an infinite loop).
+Patch3: CVE-2018-19840.patch
+# PATCH-FIX-SECURITY CVE-2018-19841.patch bsc1120929 CVE-2018-19841 sbrabec@suse.cz -- Fix denial-of-service (out-of-bounds read and application crash).
+Patch4: CVE-2018-19841.patch
 BuildRequires: libtool
 BuildRequires: pkgconfig
@@ -77,6 +81,8 @@ applications that want to make use of wavpack.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %build
 autoreconf -fiv
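Review bot: The tag comments added above `Patch3` and `Patch4` in wavpack.spec disagree with the changelog entry of the same commit: they give `bsc1120930` and `bsc1120929` without the `#` and sign as `sbrabec@suse.cz`, where wavpack.changes has `bsc#1120930`, `bsc#1120929` and `sbrabec@suse.com`. A search for `bsc#1120930` will not find the spec line, so I would write the references as `bsc#1120930` and `bsc#1120929` and use one address in both files. Both patch files carry upstream commit headers, and `PATCH-FIX-SECURITY` is, as far as I know, not one of the tags in the openSUSE patch guidelines; `PATCH-FIX-UPSTREAM` looks like the fitting one.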