From 1289606e0236ff9b3bd35a08e3560f2d1fb8bc53 Mon Sep 17 00:00:00 2001
From: c0bw3b
Date: Mon, 11 Nov 2019 17:50:37 +0100
Subject: mpg321: fix CVE-2018-7263 Close #57154 Close #70105
---
 pkgs/applications/audio/mpg321/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
 (limited to 'pkgs/applications/audio/mpg321')
diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix
index 65dfe3484b6..fdefcf7e77d 100644
--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchurl, libao, libmad, libid3tag, zlib, alsaLib
+{stdenv, fetchurl, fetchpatch, libao, libmad, libid3tag, zlib, alsaLib
 # Specify default libao output plugin to use (e.g. "alsa", "pulse" …).
 # If null, it will use the libao system default.
 , defaultAudio ? null
@@ -13,6 +13,14 @@ stdenv.mkDerivation rec {
 sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
 };
 
+ patches = [
+ (fetchpatch {
+ name = "CVE-2018-7263.patch";
+ url = "https://sources.debian.org/data/main/m/mpg321/0.3.2-3/debian/patches/handle_illegal_bitrate_value.patch";
+ sha256 = "15simp5fjvm9b024ryfh441rkh2d5bcrizqkzlrh07n9sm7fkw6x";
+ })
+ ];
+
 hardeningDisable = [ "format" ];
 
 configureFlags =
-- 
cgit 1.4.1
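Review bot: The `patches` entry added after `src` in the second hunk records the origin of the fix only through its `name` and `url` strings, so a later maintainer has no stated condition for dropping it. A comment above `(fetchpatch {` such as `# Debian's handle_illegal_bitrate_value.patch, carried for CVE-2018-7263; drop once an upstream release contains the fix` would make that explicit. The pinned `sha256` means the Debian-hosted file cannot change without the build failing, which is the important integrity property here. The URL is tied to the 0.3.2-3 source package, though, and may stop resolving if Debian retires that version, so a longer-lived location for the same file is worth considering. The `stdenv.mkDerivation` body starts and ends outside the hunk.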