diff --git a/SPECS/libsndfile/CVE-2026-37555.patch b/SPECS/libsndfile/CVE-2026-37555.patch new file mode 100644 index 00000000000..96330d71994 --- /dev/null +++ b/SPECS/libsndfile/CVE-2026-37555.patch @@ -0,0 +1,57 @@ +From 3cffed05c3baa3a63bc6be33ca4f57860db4cacc Mon Sep 17 00:00:00 2001 +From: XananasX7 +Date: Mon, 1 Jun 2026 06:27:14 +0000 +Subject: [PATCH] ima_adpcm: fix signed integer overflow in sf.frames + calculations +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In ima_close() and ima_reader_init(), sf.frames is calculated by +multiplying two int-typed values (samplesperblock and blockcount/blocks). +For large audio files these values can approach INT_MAX, causing signed +integer overflow (undefined behavior per C11 ยง6.5p5) before the result +is stored in the sf_count_t field. + +Fix: pre-cast samplesperblock to sf_count_t before the multiplication, +matching the pattern already used for the AIFF branch (line 241). + +Affected code paths: +- ima_close(): WAV/W64 write path (line 167) +- ima_reader_init(): W64 read path (line 235) + +The AIFF branch (line 241) was already correct. + +Detected by UBSan: signed integer overflow in ima_adpcm.c + +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: https://github.com/libsndfile/libsndfile/commit/3d63704f6654e8bc02fd5b97c069e7fd6a44e44c.patch +--- + src/ima_adpcm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/ima_adpcm.c b/src/ima_adpcm.c +index 7464d1b..882f596 100644 +--- a/src/ima_adpcm.c ++++ b/src/ima_adpcm.c +@@ -164,7 +164,7 @@ ima_close (SF_PRIVATE *psf) + if (pima->samplecount && pima->samplecount < pima->samplesperblock) + pima->encode_block (psf, pima) ; + +- psf->sf.frames = pima->samplesperblock * pima->blockcount / psf->sf.channels ; ++ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blockcount / psf->sf.channels ; + } ; + + return 0 ; +@@ -232,7 +232,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int samplesperblock) + + pima->decode_block = wavlike_ima_decode_block ; + +- psf->sf.frames = pima->samplesperblock * pima->blocks ; ++ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks ; + break ; + + case SF_FORMAT_AIFF : +-- +2.45.4 + diff --git a/SPECS/libsndfile/libsndfile.spec b/SPECS/libsndfile/libsndfile.spec index 78ae172f2e2..136c8582688 100644 --- a/SPECS/libsndfile/libsndfile.spec +++ b/SPECS/libsndfile/libsndfile.spec @@ -1,7 +1,7 @@ Summary: Library for reading and writing sound files Name: libsndfile Version: 1.2.2 -Release: 4%{?dist} +Release: 5%{?dist} License: BSD AND GPLv2+ AND LGPLv2+ AND MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -17,6 +17,7 @@ Patch100: CVE-2018-13419.nopatch Patch101: CVE-2022-33065.patch Patch102: CVE-2024-50612.patch Patch103: CVE-2025-56226.patch +Patch104: CVE-2026-37555.patch BuildRequires: alsa-lib-devel BuildRequires: autogen @@ -141,6 +142,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check %{_libdir}/pkgconfig/sndfile.pc %changelog +* Mon Jul 06 2026 Azure Linux Security Servicing Account - 1.2.2-5 +- Patch for CVE-2026-37555 + * Sat Jan 24 2026 Azure Linux Security Servicing Account - 1.2.2-4 - Patch for CVE-2025-56226