opusfile: apply patch for CVE-2022-47021

Upstream issue: https://github.com/xiph/opusfile/issues/36

1 files changed, 9 insertions, 2 deletions

diff --git a/pkgs/applications/audio/opusfile/default.nix b/pkgs/applications/audio/opusfile/default.nix
index f86595361b6..47d7a64e3c2 100644
--- a/pkgs/applications/audio/opusfile/default.nix
+++ b/pkgs/applications/audio/opusfile/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, pkg-config, openssl, libogg, libopus }:
+{ lib, stdenv, fetchurl, pkg-config, openssl, libogg, libopus, fetchpatch }:
 
 stdenv.mkDerivation rec {
   pname = "opusfile";
@@ -12,7 +12,14 @@ stdenv.mkDerivation rec {
   buildInputs = [ openssl libogg ];
   propagatedBuildInputs = [ libopus ];
   outputs = [ "out" "dev" ];
-  patches = [ ./include-multistream.patch ]
+  patches = [
+    ./include-multistream.patch
+    (fetchpatch {
+      name = "CVE-2022-47021.patch";
+      url = "https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5.patch";
+      sha256 = "sha256-XThI/ys5caB+OncFVfxm5IsvQPy1MbLQKwIlYjPvTJQ=";
+    })
+  ]
     # fixes problem with openssl 1.1 dependency
     # see https://github.com/xiph/opusfile/issues/13
     ++ lib.optionals stdenv.hostPlatform.isWindows [ ./disable-cert-store.patch ];