6 changed files with 316 additions and 56 deletions
--- a/.flac.metadata
+++ b/.flac.metadata
@ -1 +1 @@
-a8c36ac8c6e2df8611aab9590bb9e6bdf646c0e1 SOURCES/flac-1.4.3.tar.xz
+6ac2e8f1dd18c9b0214c4d81bd70cdc1e943cffe SOURCES/flac-1.3.3.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/flac-1.4.3.tar.xz
+SOURCES/flac-1.3.3.tar.xz
--- a/SOURCES/flac-cve-2020-0499.patch
+++ b/SOURCES/flac-cve-2020-0499.patch
@ -0,0 +1,23 @@
+commit 2e7931c27eb15e387da440a37f12437e35b22dd4
+Author: Erik de Castro Lopo <erikd@mega-nerd.com>
+Date:   Mon Oct 7 12:55:58 2019 +1100
+
+    libFLAC/bitreader.c: Fix out-of-bounds read
+    
+    Credit: Oss-Fuzz
+    Issue: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=17069
+    Testcase: fuzzer_decoder-5670265022840832
+
+diff --git a/src/libFLAC/bitreader.c b/src/libFLAC/bitreader.c
+index 5e4b5918..3df4d02c 100644
+--- a/src/libFLAC/bitreader.c
+++ b/src/libFLAC/bitreader.c
+@@ -869,7 +869,7 @@ incomplete_lsbs:
+ 			cwords = br->consumed_words;
+ 			words = br->words;
+ 			ucbits = FLAC__BITS_PER_WORD - br->consumed_bits;
+-			b = br->buffer[cwords] << br->consumed_bits;
+			b = cwords < br->capacity ? br->buffer[cwords] << br->consumed_bits : 0;
+ 		} while(cwords >= words && val < end);
+ 	}
+ 
--- a/SOURCES/flac-cve-2020-22219.patch
+++ b/SOURCES/flac-cve-2020-22219.patch
@ -0,0 +1,182 @@
+commit 21fe95ee828b0b9b944f6aa0bb02d24fbb981815
+Author: Martijn van Beurden <mvanb1@gmail.com>
+Date:   Wed Aug 3 13:52:19 2022 +0200
+
+    Add and use _nofree variants of safe_realloc functions
+    
+    Parts of the code use realloc like
+    
+    x = safe_realloc(x, somesize);
+    
+    when this is the case, the safe_realloc variant used must free the
+    old memory block in case it fails, otherwise it will leak. However,
+    there are also instances in the code where handling is different:
+    
+    if (0 == (x = safe_realloc(y, somesize)))
+        return false
+    
+    in this case, y should not be freed, as y is not set to NULL we
+    could encounter double frees. Here the safe_realloc_nofree
+    functions are used.
+
+diff --git a/include/share/alloc.h b/include/share/alloc.h
+index 9b53b010..74f444d6 100644
+--- a/include/share/alloc.h
+++ b/include/share/alloc.h
+@@ -161,17 +161,30 @@ static inline void *safe_realloc_(void *ptr, size_t size)
+ 		free(oldptr);
+ 	return newptr;
+ }
+-static inline void *safe_realloc_add_2op_(void *ptr, size_t size1, size_t size2)
+static inline void *safe_realloc_nofree_add_2op_(void *ptr, size_t size1, size_t size2)
+{
+	size2 += size1;
+	if(size2 < size1)
+		return 0;
+	return realloc(ptr, size2);
+}
+
+static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+ 	size2 += size1;
+ 	if(size2 < size1) {
+ 		free(ptr);
+ 		return 0;
+ 	}
+-	return realloc(ptr, size2);
+	size3 += size2;
+	if(size3 < size2) {
+		free(ptr);
+		return 0;
+	}
+	return safe_realloc_(ptr, size3);
+ }
+ 
+-static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+static inline void *safe_realloc_nofree_add_3op_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+ 	size2 += size1;
+ 	if(size2 < size1)
+@@ -182,7 +195,7 @@ static inline void *safe_realloc_add_3op_(void *ptr, size_t size1, size_t size2,
+ 	return realloc(ptr, size3);
+ }
+ 
+-static inline void *safe_realloc_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
+static inline void *safe_realloc_nofree_add_4op_(void *ptr, size_t size1, size_t size2, size_t size3, size_t size4)
+ {
+ 	size2 += size1;
+ 	if(size2 < size1)
+@@ -207,6 +220,15 @@ static inline void *safe_realloc_mul_2op_(void *ptr, size_t size1, size_t size2)
+ 	return safe_realloc_(ptr, size1*size2);
+ }
+ 
+static inline void *safe_realloc_nofree_mul_2op_(void *ptr, size_t size1, size_t size2)
+{
+	if(!size1 || !size2)
+		return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
+	if(size1 > SIZE_MAX / size2)
+		return 0;
+	return realloc(ptr, size1*size2);
+}
+
+ /* size1 * (size2 + size3) */
+ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
+ {
+@@ -220,4 +242,15 @@ static inline void *safe_realloc_muladd2_(void *ptr, size_t size1, size_t size2,
+ 	return safe_realloc_mul_2op_(ptr, size1, size2);
+ }
+ 
+/* size1 * (size2 + size3) */
+static inline void *safe_realloc_nofree_muladd2_(void *ptr, size_t size1, size_t size2, size_t size3)
+{
+	if(!size1 || (!size2 && !size3))
+		return realloc(ptr, 0); /* preserve POSIX realloc(ptr, 0) semantics */
+	size2 += size3;
+	if(size2 < size3)
+		return 0;
+	return safe_realloc_nofree_mul_2op_(ptr, size1, size2);
+}
+
+ #endif
+diff --git a/src/flac/encode.c b/src/flac/encode.c
+index a7d1f7b2..b82ced76 100644
+--- a/src/flac/encode.c
+++ b/src/flac/encode.c
+@@ -1734,10 +1734,10 @@ static void static_metadata_clear(static_metadata_t *m)
+ static FLAC__bool static_metadata_append(static_metadata_t *m, FLAC__StreamMetadata *d, FLAC__bool needs_delete)
+ {
+ 	void *x;
+-	if(0 == (x = safe_realloc_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+	if(0 == (x = safe_realloc_nofree_muladd2_(m->metadata, sizeof(*m->metadata), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+ 		return false;
+ 	m->metadata = (FLAC__StreamMetadata**)x;
+-	if(0 == (x = safe_realloc_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+	if(0 == (x = safe_realloc_nofree_muladd2_(m->needs_delete, sizeof(*m->needs_delete), /*times (*/m->num_metadata, /*+*/1/*)*/)))
+ 		return false;
+ 	m->needs_delete = (FLAC__bool*)x;
+ 	m->metadata[m->num_metadata] = d;
+diff --git a/src/flac/foreign_metadata.c b/src/flac/foreign_metadata.c
+index 9a1fb96c..c86dff42 100644
+--- a/src/flac/foreign_metadata.c
+++ b/src/flac/foreign_metadata.c
+@@ -74,7 +74,7 @@ static FLAC__bool copy_data_(FILE *fin, FILE *fout, size_t size, const char **er
+ 
+ static FLAC__bool append_block_(foreign_metadata_t *fm, FLAC__off_t offset, FLAC__uint32 size, const char **error)
+ {
+-	foreign_block_t *fb = safe_realloc_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
+	foreign_block_t *fb = safe_realloc_nofree_muladd2_(fm->blocks, sizeof(foreign_block_t), /*times (*/fm->num_blocks, /*+*/1/*)*/);
+ 	if(fb) {
+ 		fb[fm->num_blocks].offset = offset;
+ 		fb[fm->num_blocks].size = size;
+diff --git a/src/libFLAC/bitwriter.c b/src/libFLAC/bitwriter.c
+index 79ab8649..8865a2f4 100644
+--- a/src/libFLAC/bitwriter.c
+++ b/src/libFLAC/bitwriter.c
+@@ -133,7 +133,7 @@ FLAC__bool bitwriter_grow_(FLAC__BitWriter *bw, uint32_t bits_to_add)
+ 	FLAC__ASSERT(new_capacity > bw->capacity);
+ 	FLAC__ASSERT(new_capacity >= bw->words + ((bw->bits + bits_to_add + FLAC__BITS_PER_WORD - 1) / FLAC__BITS_PER_WORD));
+ 
+-	new_buffer = safe_realloc_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
+	new_buffer = safe_realloc_nofree_mul_2op_(bw->buffer, sizeof(bwword), /*times*/new_capacity);
+ 	if(new_buffer == 0)
+ 		return false;
+ 	bw->buffer = new_buffer;
+diff --git a/src/libFLAC/metadata_object.c b/src/libFLAC/metadata_object.c
+index 7cc8ee9f..2c7da8db 100644
+--- a/src/libFLAC/metadata_object.c
+++ b/src/libFLAC/metadata_object.c
+@@ -98,7 +98,7 @@ static FLAC__bool free_copy_bytes_(FLAC__byte **to, const FLAC__byte *from, uint
+ /* realloc() failure leaves entry unchanged */
+ static FLAC__bool ensure_null_terminated_(FLAC__byte **entry, uint32_t length)
+ {
+-	FLAC__byte *x = safe_realloc_add_2op_(*entry, length, /*+*/1);
+	FLAC__byte *x = safe_realloc_nofree_add_2op_(*entry, length, /*+*/1);
+ 	if (x != NULL) {
+ 		x[length] = '\0';
+ 		*entry = x;
+diff --git a/src/plugin_common/tags.c b/src/plugin_common/tags.c
+index e9227444..ffd846b6 100644
+--- a/src/plugin_common/tags.c
+++ b/src/plugin_common/tags.c
+@@ -317,7 +317,7 @@ FLAC__bool FLAC_plugin__tags_add_tag_utf8(FLAC__StreamMetadata *tags, const char
+ 		const size_t value_len = strlen(value);
+ 		const size_t separator_len = strlen(separator);
+ 		FLAC__byte *new_entry;
+-		if(0 == (new_entry = safe_realloc_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
+		if(0 == (new_entry = safe_realloc_nofree_add_4op_(entry->entry, entry->length, /*+*/value_len, /*+*/separator_len, /*+*/1)))
+ 			return false;
+ 		memcpy(new_entry+entry->length, separator, separator_len);
+ 		entry->length += separator_len;
+diff --git a/src/share/utf8/iconvert.c b/src/share/utf8/iconvert.c
+index 8ab53c10..876c06e8 100644
+--- a/src/share/utf8/iconvert.c
+++ b/src/share/utf8/iconvert.c
+@@ -149,7 +149,7 @@ int iconvert(const char *fromcode, const char *tocode,
+       iconv_close(cd1);
+       return ret;
+     }
+-    newbuf = safe_realloc_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
+    newbuf = safe_realloc_nofree_add_2op_(utfbuf, (ob - utfbuf), /*+*/1);
+     if (!newbuf)
+       goto fail;
+     ob = (ob - utfbuf) + newbuf;
--- a/SOURCES/flac-cve-2021-0561.patch
+++ b/SOURCES/flac-cve-2021-0561.patch
@ -0,0 +1,28 @@
+commit e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be
+Author: Neelkamal Semwal <neelkamal.semwal@ittiam.com>
+Date:   Fri Dec 18 22:28:36 2020 +0530
+
+    libFlac: Exit at EOS in verify mode
+    
+    When verify mode is enabled, once decoder flags end of stream,
+    encode processing is considered complete.
+    
+    CVE-2021-0561
+    
+    Signed-off-by: Ralph Giles <giles@thaumas.net>
+
+diff --git a/src/libFLAC/stream_encoder.c b/src/libFLAC/stream_encoder.c
+index 4c91247f..7109802c 100644
+--- a/src/libFLAC/stream_encoder.c
+++ b/src/libFLAC/stream_encoder.c
+@@ -2610,7 +2610,9 @@ FLAC__bool write_bitbuffer_(FLAC__StreamEncoder *encoder, uint32_t samples, FLAC
+ 			encoder->private_->verify.needs_magic_hack = true;
+ 		}
+ 		else {
+-			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)) {
+			if(!FLAC__stream_decoder_process_single(encoder->private_->verify.decoder)
+			    || (!is_last_block
+				    && (FLAC__stream_encoder_get_verify_decoder_state(encoder) == FLAC__STREAM_DECODER_END_OF_STREAM))) {
+ 				FLAC__bitwriter_release_buffer(encoder->private_->frame);
+ 				FLAC__bitwriter_clear(encoder->private_->frame);
+ 				if(encoder->protected_->state != FLAC__STREAM_ENCODER_VERIFY_MISMATCH_IN_AUDIO_DATA)
--- a/SPECS/flac.spec
+++ b/SPECS/flac.spec
@ -1,15 +1,36 @@
+# Disable if you don't need xmms
+%global with_xmms !0%{?rhel}
+
+%if %{with_xmms}
+%define xmms_inputdir %(xmms-config --input-plugin-dir 2>/dev/null || echo %{_libdir}/xmms/General)
+%endif
+
 Summary: An encoder/decoder for the Free Lossless Audio Codec
 Name: flac
-Version: 1.4.3
-Release: 6%{?dist}
-License: BSD-3-Clause AND GPL-2.0-or-later AND GFDL-1.1-or-later
+Version: 1.3.3
+Release: 10%{?dist}.1
+License: BSD and GPLv2+ and GFDL
 Source0: https://downloads.xiph.org/releases/flac/flac-%{version}.tar.xz
 URL: https://www.xiph.org/flac/
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 BuildRequires: libogg-devel
 BuildRequires: gcc gcc-c++ automake autoconf libtool gettext-devel doxygen
+%if %{with_xmms}
+BuildRequires: xmms-devel desktop-file-utils
+Source1: xmms-flac.desktop
+%endif
+%ifarch %{ix86}
+# 2.0 supports symbol visibility
+BuildRequires: nasm >= 2.0
+%endif
 BuildRequires: make

+Patch1: flac-cve-2020-0499.patch
+# handle end-of-stream when encoding with verification
+Patch2: flac-cve-2021-0561.patch
+# don't free memory that is still used after realloc() error
+Patch3: flac-cve-2020-22219.patch
+
 %description
 FLAC stands for Free Lossless Audio Codec. Grossly oversimplified, FLAC
 is similar to Ogg Vorbis, but lossless. The FLAC project consists of
@ -23,8 +44,6 @@ This package contains the command-line tools and documentation.
 %package libs
 Summary: Libraries for the Free Lossless Audio Codec
 Obsoletes: flac < 1.2.1-11
-# xmms-flac dropped in 1.3.3-8
-Obsoletes: xmms-flac < 1.3.3-8

 %description libs
 FLAC stands for Free Lossless Audio Codec. Grossly oversimplified, FLAC
@ -44,15 +63,38 @@ Requires: pkgconfig
 This package contains all the files needed to develop applications that
 will use the Free Lossless Audio Codec.

+%if %{with_xmms}
+%package -n xmms-flac
+Summary: XMMS plugin needed to play FLAC (Free Lossless Audio Codec) files
+# The entire FLAC sources are covered by multiple licenses, but the xmms plugin
+# is only GPLv2+
+License: GPLv2+
+
+%description -n xmms-flac
+FLAC is a Free Lossless Audio Codec. The FLAC format supports streaming,
+seeking, and archival, and gives 25-75% compression on typical CD audio.
+This is the input plugin for XMMS to be able to read FLAC files.
+%endif
+
 %prep
 %setup -q
+%patch1 -p1 -b .cve-2020-0499
+%patch2 -p1 -b .cve-2021-0561
+%patch3 -p1 -b .cve-2020-22219

 %build
 # use our libtool to avoid problems with RPATH
 ./autogen.sh -V

+# -funroll-loops makes encoding about 10% faster
+export CFLAGS="%{optflags} -funroll-loops"
 %configure \
    --htmldir=%{_docdir}/flac/html \
+%if %{with_xmms}
+    --enable-xmms-plugin \
+%else
+    --disable-xmms-plugin \
+%endif
    --disable-silent-rules \
    --disable-thorough-tests

@ -61,8 +103,20 @@ will use the Free Lossless Audio Codec.
 %install
 %make_install

-rm -r %{buildroot}%{_docdir}/flac
+%if %{with_xmms} 
+desktop-file-install --dir=%{buildroot}%{_datadir}/applications %{SOURCE1}
+%endif
+
+# split documentation
+mv %{buildroot}%{_docdir}/flac* ./flac-doc
+mkdir -p flac-doc-devel
+mv flac-doc{/html/api,-devel}
+rm flac-doc/FLAC.tag
+
 rm %{buildroot}%{_libdir}/*.la
+%if %{with_xmms}
+rm %{buildroot}%{xmms_inputdir}/*.la
+%endif

 %check
 make check
@ -70,70 +124,43 @@ make check
 %ldconfig_scriptlets libs

 %files
+%doc flac-doc/*
 %{_bindir}/flac
 %{_bindir}/metaflac
 %{_mandir}/man1/*

 %files libs
-%doc AUTHORS README.md CHANGELOG.md
-%license COPYING.*
-%{_libdir}/libFLAC.so.12*
-%{_libdir}/libFLAC++.so.10*
+%doc AUTHORS COPYING* README
+%{_libdir}/libFLAC.so.8*
+%{_libdir}/libFLAC++.so.6*

 %files devel
-%doc doc/api
+%doc flac-doc-devel/*
 %{_includedir}/*
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/*
 %{_datadir}/aclocal/*.m4

-%changelog
-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.4.3-6
- Bump release for October 2024 mass rebuild:
-  Resolves: RHEL-64018
-
-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.4.3-5
- Bump release for June 2024 mass rebuild
-
-* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.3-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+%if %{with_xmms}
+%files -n xmms-flac
+%license COPYING.GPL
+%{_datadir}/applications/xmms-flac.desktop
+%{xmms_inputdir}/libxmms-flac.so
+%endif

-* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Tue Jun 27 2023 Miroslav Lichvar <mlichvar@redhat.com> 1.4.3-1
- update to 1.4.3
- convert license tag to SPDX
-
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.4.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Mon Oct 24 2022 Miroslav Lichvar <mlichvar@redhat.com> 1.4.2-1
- update to 1.4.2
-
-* Mon Sep 26 2022 Miroslav Lichvar <mlichvar@redhat.com> 1.4.1-1
- update to 1.4.1
-
-* Mon Sep 12 2022 Miroslav Lichvar <mlichvar@redhat.com> 1.4.0-1
- update to 1.4.0
-
-* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Thu Feb 24 2022 Miroslav Lichvar <mlichvar@redhat.com> 1.3.4-1
- update to 1.3.4 (CVE-2021-0561)
+%changelog
+* Thu Aug 31 2023 Miroslav Lichvar <mlichvar@redhat.com> 1.3.3-10.el9_2.1
+- don't free memory that is still used after realloc() error (CVE-2020-22219)

-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.3-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+* Thu May 05 2022 Miroslav Lichvar <mlichvar@redhat.com> 1.3.3-10
+- handle end-of-stream when encoding with verification (CVE-2021-0561)

-* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.3-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.3.3-9
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688

-* Mon May 31 2021 Miroslav Lichvar <mlichvar@redhat.com> 1.3.3-8
- drop xmms plugin (#1965618)
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 1.3.3-8
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937

 * Fri Feb 19 2021 Adam Jackson <ajax@redhat.com> - 1.3.3-7
 - Fix the previous change to actually build in RHEL