From f2c3ff8cba6b1cde8edcf1a8f83b325cf5bc9d95 Mon Sep 17 00:00:00 2001
From: Simeon Prause
Date: Sun, 21 Sep 2025 14:38:34 +0000
Subject: [PATCH] gnu: audiofile: Update to 0.3.6 [security-fix].
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* gnu/packages/audio.scm (audiofile): Update to 0.3.6.

Change-Id: I2dda621f60c27e02b1513e2d89a138136a1633ca
Signed-off-by: Ludovic Courtès
---
 gnu/local.mk | 1 +
 gnu/packages/audio.scm | 3 +-
 .../patches/audiofile-CVE-2022-24599.patch | 83 +++++++++++++++++++
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/audiofile-CVE-2022-24599.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index afea357c2c28c12270e41d6ef36b9177fdffb3d8..ab53474192f2a56148f5f492d09886c13e5a176a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1012,6 +1012,7 @@ dist_patch_DATA = \
 %D%/packages/patches/audiofile-CVE-2015-7747.patch \
 %D%/packages/patches/audiofile-CVE-2018-13440.patch \
 %D%/packages/patches/audiofile-CVE-2018-17095.patch \
+ %D%/packages/patches/audiofile-CVE-2022-24599.patch \
 %D%/packages/patches/audiofile-check-number-of-coefficients.patch \
 %D%/packages/patches/audiofile-Fail-on-error-in-parseFormat.patch \
 %D%/packages/patches/audiofile-Fix-index-overflow-in-IMA.cpp.patch \
diff --git a/gnu/packages/audio.scm b/gnu/packages/audio.scm
index 03bc811022c62b9da2b8d0e64f8d347ebf4ddb79..19756d23e4a72a74fc417ccb83e17fa3733fa18c 100644
--- a/gnu/packages/audio.scm
+++ b/gnu/packages/audio.scm
@@ -1444,7 +1444,8 @@ tools.")
 ;; CVE-2017-6833:
 "audiofile-division-by-zero.patch"
 "audiofile-CVE-2018-13440.patch"
- "audiofile-CVE-2018-17095.patch"))))
+ "audiofile-CVE-2018-17095.patch"
+ "audiofile-CVE-2022-24599.patch"))))
 (properties `((lint-hidden-cve . ("CVE-2017-6829" "CVE-2017-6827" "CVE-2017-6828"
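Review bot: The subject and the ChangeLog line describe an update to 0.3.6, but this hunk only appends `"audiofile-CVE-2022-24599.patch"` to the `search-patches` list; no version or hash line is touched, and the diffstat's +2/-1 for audio.scm suggests none is changed elsewhere in the file either. If the package was already at 0.3.6, the message should describe what the commit actually does, e.g. `gnu: audiofile: Add patch for CVE-2022-24599 [security-fix].` with a ChangeLog entry along the lines of `* gnu/packages/audio.scm (audiofile)[source]: Add patch.`. The enclosing `package` form starts and ends outside the hunk, so this is inferred from the visible lines only.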
diff --git a/gnu/packages/patches/audiofile-CVE-2022-24599.patch b/gnu/packages/patches/audiofile-CVE-2022-24599.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9299f6ea8239517d9f5beee3340fb4d8b9ef0c58
--- /dev/null
+++ b/gnu/packages/patches/audiofile-CVE-2022-24599.patch
@@ -0,0 +1,83 @@
+commit 4d3238843385b9929d7a1ab9034a6fc13949c7b4
+Author: Bastien Roucariès
+Date: Sat Nov 11 15:58:50 2023 +0000
+
+ Fix CVE-2022-24599
+
+ Memory-leak bug in printfileinfo, due to memcpy on an non allocated memory buffer
+ with a user declared string.
+
+ Fix it by calloc(declaredsize+1,1) that zeros the buffer and terminate by '\0'
+ for printf
+
+ Avoid also a buffer overflow by refusing to allocating more than INT_MAX-1.
+
+ Before under valgrind:
+ libtool --mode=execute valgrind --track-origins=yes ./sfinfo heapleak_poc.aiff
+
+ Duration -inf seconds
+ ==896222== Invalid read of size 1
+ ==896222== at 0x4846794: strlen (vg_replace_strmem.c:494)
+ ==896222== by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
+ ==896222== by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
+ ==896222== by 0x49DE986: __printf_chk (printf_chk.c:33)
+ ==896222== by 0x10985C: printf (stdio2.h:86)
+ ==896222== by 0x10985C: printfileinfo (printinfo.c:134)
+ ==896222== by 0x10930A: main (sfinfo.c:113)
+ ==896222== Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
+ ==896222== at 0x48407B4: malloc (vg_replace_malloc.c:381)
+ ==896222== by 0x109825: copyrightstring (printinfo.c:163)
+ ==896222== by 0x109825: printfileinfo (printinfo.c:131)
+ ==896222== by 0x10930A: main (sfinfo.c:113)
+ ==896222==
+ Copyright C
+
+ After:
+ Duration -inf seconds
+ Copyright C
+
+diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
+index 60e6947..f5cf925 100644
+--- a/sfcommands/printinfo.c
++++ b/sfcommands/printinfo.c
+@@ -37,6 +37,7 @@
+ #include
+ #include
+ #include
++#include
+
+ static char *copyrightstring (AFfilehandle file);
+
+@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
+ int i, misccount;
+
+ misccount = afGetMiscIDs(file, NULL);
+- miscids = (int *) malloc(sizeof (int) * misccount);
++ if(!misccount)
++ return NULL;
++ miscids = (int *) calloc(misccount, sizeof(int));
++ if(!miscids)
++ return NULL;
+ afGetMiscIDs(file, miscids);
+
+ for (i=0; i= INT_MAX -1 ) {
++ goto error;
++ }
++ char *data = (char *) calloc(datasize + 1, 1);
+ afReadMisc(file, miscids[i], data, datasize);
+ copyright = data;
+ break;
+ }
+-
++error:
+ free(miscids);
+
+ return copyright;
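Review bot: The result of `calloc(datasize + 1, 1)` is handed straight to `afReadMisc(file, miscids[i], data, datasize)` with no NULL check, so an allocation failure still dereferences a null pointer on the very next line, while the `miscids` allocation added in the previous inner hunk does check its `calloc` (`if(!miscids) return NULL;`); the two should be handled the same way, e.g. `if (!data) goto error;` directly after the allocation. The `datasize >= INT_MAX -1` guard only bounds the upper end: if `datasize` is a signed `int` (its declaration and the removed `malloc` line sit in context that this rendering has garbled, between `for (i=0; i` and `= INT_MAX -1 ) {`, along with the header of that inner hunk), a negative value passes the check and reaches both `calloc(datasize + 1, 1)` and the `afReadMisc` length argument, so the guard would better read `if (datasize < 0 || datasize >= INT_MAX - 1) goto error;`. Both changes make `copyrightstring` return NULL on those paths, which the new `if(!misccount) return NULL;` branch already makes possible; whether `printfileinfo` tolerates a NULL return is outside the hunk. The inner commit message calls the bug a memory leak, but the valgrind trace it quotes shows a heap over-read (`Invalid read of size 1 ... 0 bytes after a block of size 1 alloc'd`), and the patch description should say so, since that is what the CVE fix will be matched against.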