1 files changed, 36 insertions, 0 deletions

diff --git a/poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch b/poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
new file mode 100644
index 0000000000..6354f856cb
--- /dev/null
+++ b/poky/meta/recipes-multimedia/libsndfile/libsndfile1/CVE-2021-3246_1.patch
@@ -0,0 +1,36 @@
+From a9815b3f228df00086e0a40bcc43162fc19896a1 Mon Sep 17 00:00:00 2001
+From: bobsayshilol <bobsayshilol@live.co.uk>
+Date: Wed, 17 Feb 2021 23:21:48 +0000
+Subject: [PATCH 1/2] wavlike: Fix incorrect size check
+
+The SF_CART_INFO_16K struct has an additional 4 byte field to hold
+the size of 'tag_text' which the file header doesn't, so don't
+include it as part of the check when looking for the max length.
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26026
+
+Upstream-Status: Backport
+CVE: CVE-2021-3246 patch 1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ src/wavlike.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: libsndfile-1.0.28/src/wavlike.c
+===================================================================
+--- libsndfile-1.0.28.orig/src/wavlike.c
++++ libsndfile-1.0.28/src/wavlike.c
+@@ -803,7 +803,11 @@ wavlike_read_cart_chunk (SF_PRIVATE *psf
+ 		return 0 ;
+ 		} ;
+ 
+-	if (chunksize >= sizeof (SF_CART_INFO_16K))
++	/*
++	**	SF_CART_INFO_16K has an extra field 'tag_text_size' that isn't part
++	**	of the chunk, so don't include it in the size check.
++	*/
++	if (chunksize >= sizeof (SF_CART_INFO_16K) - 4)
+ 	{	psf_log_printf (psf, "cart : %u too big to be handled\n", chunksize) ;
+ 		psf_binheader_readf (psf, "j", chunksize) ;
+ 		return 0 ;