Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 57 additions & 0 deletions SPECS/libsndfile/CVE-2026-37555.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
From 3cffed05c3baa3a63bc6be33ca4f57860db4cacc Mon Sep 17 00:00:00 2001
From: XananasX7 <mehdiananas007@gmail.com>
Date: Mon, 1 Jun 2026 06:27:14 +0000
Subject: [PATCH] ima_adpcm: fix signed integer overflow in sf.frames
calculations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In ima_close() and ima_reader_init(), sf.frames is calculated by
multiplying two int-typed values (samplesperblock and blockcount/blocks).
For large audio files these values can approach INT_MAX, causing signed
integer overflow (undefined behavior per C11 §6.5p5) before the result
is stored in the sf_count_t field.

Fix: pre-cast samplesperblock to sf_count_t before the multiplication,
matching the pattern already used for the AIFF branch (line 241).

Affected code paths:
- ima_close(): WAV/W64 write path (line 167)
- ima_reader_init(): W64 read path (line 235)

The AIFF branch (line 241) was already correct.

Detected by UBSan: signed integer overflow in ima_adpcm.c

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/libsndfile/libsndfile/commit/3d63704f6654e8bc02fd5b97c069e7fd6a44e44c.patch
---
src/ima_adpcm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ima_adpcm.c b/src/ima_adpcm.c
index 7464d1b..882f596 100644
--- a/src/ima_adpcm.c
+++ b/src/ima_adpcm.c
@@ -164,7 +164,7 @@ ima_close (SF_PRIVATE *psf)
if (pima->samplecount && pima->samplecount < pima->samplesperblock)
pima->encode_block (psf, pima) ;

- psf->sf.frames = pima->samplesperblock * pima->blockcount / psf->sf.channels ;
+ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blockcount / psf->sf.channels ;
} ;

return 0 ;
@@ -232,7 +232,7 @@ ima_reader_init (SF_PRIVATE *psf, int blockalign, int samplesperblock)

pima->decode_block = wavlike_ima_decode_block ;

- psf->sf.frames = pima->samplesperblock * pima->blocks ;
+ psf->sf.frames = (sf_count_t) pima->samplesperblock * pima->blocks ;
break ;

case SF_FORMAT_AIFF :
--
2.45.4

6 changes: 5 additions & 1 deletion SPECS/libsndfile/libsndfile.spec
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Summary: Library for reading and writing sound files
Name: libsndfile
Version: 1.2.2
Release: 4%{?dist}
Release: 5%{?dist}
License: BSD AND GPLv2+ AND LGPLv2+ AND MIT
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand All @@ -17,6 +17,7 @@ Patch100: CVE-2018-13419.nopatch
Patch101: CVE-2022-33065.patch
Patch102: CVE-2024-50612.patch
Patch103: CVE-2025-56226.patch
Patch104: CVE-2026-37555.patch

BuildRequires: alsa-lib-devel
BuildRequires: autogen
Expand Down Expand Up @@ -141,6 +142,9 @@ LD_LIBRARY_PATH=$PWD/src/.libs make check
%{_libdir}/pkgconfig/sndfile.pc

%changelog
* Mon Jul 06 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.2.2-5
- Patch for CVE-2026-37555

* Sat Jan 24 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.2.2-4
- Patch for CVE-2025-56226

Expand Down
Loading