Package init

0001-Don-t-assume-TDRC-is-an-instance-of-TextIdentificati.patch

@@ -0,0 +1,33 @@
+From eb9ded1206f18f2c319157337edea2533a40bea6 Mon Sep 17 00:00:00 2001
+From: "Stephen F. Booth" <me@sbooth.org>
+Date: Sun, 23 Jul 2017 10:11:09 -0400
+Subject: [PATCH] Don't assume TDRC is an instance of TextIdentificationFrame
+
+If TDRC is encrypted, FrameFactory::createFrame() returns UnknownFrame
+which causes problems in rebuildAggregateFrames() when it is assumed
+that TDRC is a TextIdentificationFrame
+---
+ taglib/mpeg/id3v2/id3v2framefactory.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/mpeg/id3v2/id3v2framefactory.cpp b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+index 759a9b7b..9347ab86 100644
+--- a/taglib/mpeg/id3v2/id3v2framefactory.cpp
++++ b/taglib/mpeg/id3v2/id3v2framefactory.cpp
+@@ -334,10 +334,11 @@ void FrameFactory::rebuildAggregateFrames(ID3v2::Tag *tag) const
+      tag->frameList("TDAT").size() == 1)
+   {
+     TextIdentificationFrame *tdrc =
+-      static_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
++      dynamic_cast<TextIdentificationFrame *>(tag->frameList("TDRC").front());
+     UnknownFrame *tdat = static_cast<UnknownFrame *>(tag->frameList("TDAT").front());
+ 
+-    if(tdrc->fieldList().size() == 1 &&
++    if(tdrc &&
++       tdrc->fieldList().size() == 1 &&
+        tdrc->fieldList().front().size() == 4 &&
+        tdat->data().size() >= 5)
+     {
+-- 
+2.13.5
+

CVE-2018-11439-Fixed-OOB-read-when-loading-invalid-ogg-flac-file.-8.patch

@@ -0,0 +1,46 @@
+From 2c4ae870ec086f2ddd21a47861a3709c36faac45 Mon Sep 17 00:00:00 2001
+From: Scott Gayou <github.scott@gmail.com>
+Date: Tue, 9 Oct 2018 18:46:55 -0500
+Subject: [PATCH] Fixed OOB read when loading invalid ogg flac file. (#868)
+ (#869)
+
+CVE-2018-11439 is caused by a failure to check the minimum length
+of a ogg flac header. This header is detailed in full at:
+https://xiph.org/flac/ogg_mapping.html. Added more strict checking
+for entire header.
+
+---
+ taglib/ogg/flac/oggflacfile.cpp | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/taglib/ogg/flac/oggflacfile.cpp b/taglib/ogg/flac/oggflacfile.cpp
+index 53d04508..07ea9dcc 100644
+--- a/taglib/ogg/flac/oggflacfile.cpp
++++ b/taglib/ogg/flac/oggflacfile.cpp
+@@ -231,11 +231,21 @@ void Ogg::FLAC::File::scan()
+ 
+   if(!metadataHeader.startsWith("fLaC"))  {
+     // FLAC 1.1.2+
++    // See https://xiph.org/flac/ogg_mapping.html for the header specification.
++    if(metadataHeader.size() < 13)
++      return;
++
++    if(metadataHeader[0] != 0x7f)
++      return;
++
+     if(metadataHeader.mid(1, 4) != "FLAC")
+       return;
+ 
+-    if(metadataHeader[5] != 1)
+-      return; // not version 1
++    if(metadataHeader[5] != 1 && metadataHeader[6] != 0)
++      return; // not version 1.0
++
++    if(metadataHeader.mid(9, 4) != "fLaC")
++      return;
+ 
+     metadataHeader = metadataHeader.mid(13);
+   }
+-- 
+2.19.1
+

taglib-1.5rc1-multilib.patch

@@ -0,0 +1,20 @@
+diff -up taglib-1.5rc1/taglib-config.cmake.multilib-2 taglib-1.5rc1/taglib-config.cmake
+--- taglib-1.5rc1/taglib-config.cmake.multilib-2	2008-01-29 19:30:00.000000000 -0600
++++ taglib-1.5rc1/taglib-config.cmake	2008-02-13 06:41:11.000000000 -0600
+@@ -16,7 +16,6 @@ EOH
+ 
+ prefix=${CMAKE_INSTALL_PREFIX}
+ exec_prefix=${CMAKE_INSTALL_PREFIX}
+-libdir=${LIB_INSTALL_DIR}
+ includedir=${INCLUDE_INSTALL_DIR}
+ 
+ flags=""
+@@ -29,7 +28,7 @@ while test $# -gt 0
+ do
+   case $1 in
+     --libs)
+-	  flags="$flags -L$libdir -ltag"
++	  flags="$flags -ltag"
+ 	  ;;
+     --cflags)
+ 	  flags="$flags -I$includedir/taglib"

taglib.spec

@@ -0,0 +1,88 @@
+Name:          taglib
+Summary:       Audio Meta-Data Library
+Version:       1.11.1
+Release:       10
+License:       LGPLv2 or MPLv1.1
+URL:           https://taglib.github.io/
+Source0:       https://taglib.github.io/releases/%{name}-%{version}.tar.gz
+
+# patch0 comes from redhat
+Patch0:        taglib-1.5rc1-multilib.patch
+
+# patch1 comes from TagLib official
+Patch1:        0001-Don-t-assume-TDRC-is-an-instance-of-TextIdentificati.patch
+Patch6000:     CVE-2018-11439-Fixed-OOB-read-when-loading-invalid-ogg-flac-file.-8.patch
+
+BuildRequires: gcc gcc-c++ cmake pkgconfig zlib-devel
+
+%description
+TagLib is a library for reading and editing the meta-data of several popular
+audio formats. Currently it supports both ID3v1 and ID3v2 for MP3 files, Ogg
+Vorbis comments and ID3 tags and Vorbis comments in FLAC, MPC, Speex, WavPack
+TrueAudio, WAV, AIFF, MP4 and ASF files.
+
+%package devel
+Summary:       Development files for %{name}
+Requires:      %{name}%{?_isa} = %{version}-%{release}
+%description devel
+Files needed when building software with %{name}.
+
+%package_help
+
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+
+%build
+mkdir %{_target_platform}
+pushd %{_target_platform}
+%{cmake} .. -DCMAKE_BUILD_TYPE:STRING="Release"
+popd
+
+%make_build -C %{_target_platform}
+
+%install
+make install/fast DESTDIR=%{buildroot} -C %{_target_platform}
+
+%check
+export PKG_CONFIG_PATH=%{buildroot}%{_libdir}/pkgconfig
+test "$(pkg-config --modversion taglib)" = "%{version}"
+test "$(pkg-config --modversion taglib_c)" = "%{version}"
+
+%ldconfig_scriptlets
+
+%files
+%license AUTHORS COPYING.LGPL COPYING.MPL
+%{_libdir}/libtag*.so.*
+
+%files devel
+%{_bindir}/%{name}-config
+%{_includedir}/%{name}/
+%{_libdir}/libtag*.so
+%{_libdir}/pkgconfig/taglib*.pc
+
+%files help
+%doc NEWS examples
+
+
+%changelog
+* Mon Sep 09 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.11.1-10
+- Type: enhancement
+- ID:   NA
+- SUG:  NA
+- DESC: Add help package, remove bcond_without doc&test.
+
+* Wed Aug 21 2019 cangyi<cangyi@huawei.com> - 1.11.1-9.h2
+- Type: bugfix
+- ID:   NA
+- SUG:  NA
+- DESC: format patches
+
+* Mon Jun 03 2019 gaoyi<gaoyi15@huawei.com> - 1.11.1-9.h1
+- Type: bugfix
+- ID:   NA
+- SUG:  NA
+- DESC: backport CVE-2018-11439
+
+* Mon Jun 03 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.11.1-8
+- Package init