!2 Fix CVE-2021-21417

From: @wangxiao65
Reviewed-by: @small_leek
Signed-off-by: @small_leek

CVE-2021-21417-1.patch

@@ -0,0 +1,94 @@
+From 67596a87731dc593551975ca0268a438ab7410a2 Mon Sep 17 00:00:00 2001
+From: derselbst <tom.mbrt@googlemail.com>
+Date: Sun, 14 Mar 2021 10:58:13 +0100
+Subject: [PATCH] Invalid generator were not removed from list
+
+fluid_list_remove() should receive the beginning of a list, so it can
+adjust the predecessor of the ele
+ment to be removed. Otherwise the element would remain in the list,
+which in this case led to a use-aft
+er-free afterwards.
+
+---
+ src/sfloader/fluid_defsfont.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+diff --git a/src/sfloader/fluid_defsfont.c b/src/sfloader/fluid_defsfont.c
+index 0330de5..fc68d34 100644
+--- a/src/sfloader/fluid_defsfont.c
++++ b/src/sfloader/fluid_defsfont.c
+@@ -2706,7 +2706,7 @@ load_pmod (int size, SFData * sf, FILE * fd)
+ static int
+ load_pgen (int size, SFData * sf, FILE * fd)
+ {
+-  fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++  fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+   SFZone *z;
+   SFGen *g;
+   SFGenAmount genval;
+@@ -2718,7 +2718,7 @@ load_pgen (int size, SFData * sf, FILE * fd)
+     {				/* traverse through all presets */
+       gzone = FALSE;
+       discarded = FALSE;
+-      p2 = ((SFPreset *) (p->data))->zone;
++      start_of_zone_list = p2 = ((SFPreset *) (p->data))->zone;
+       if (p2)
+ 	hz = &p2;
+       while (p2)
+@@ -2828,12 +2828,14 @@ load_pgen (int size, SFData * sf, FILE * fd)
+ 		    }
+ 		}
+ 	      else
+-		{		/* previous global zone exists, discard */
++		{
++		  SFZone * pzone = fluid_list_get(p2);
++		  /* previous global zone exists, discard */
+ 		  FLUID_LOG (FLUID_WARN,
+ 		    _("Preset \"%s\": Discarding invalid global zone"),
+ 		    ((SFPreset *) (p->data))->name);
+-		  *hz = fluid_list_remove(*hz, p2->data);
+-		  sfont_free_zone((SFZone *)fluid_list_get(p2));
++		  *hz = fluid_list_remove(start_of_zone_list, pzone);
++		  sfont_free_zone(pzone);
+ 		}
+ 	    }
+ 
+@@ -3058,7 +3060,7 @@ load_imod (int size, SFData * sf, FILE * fd)
+ static int
+ load_igen (int size, SFData * sf, FILE * fd)
+ {
+-  fluid_list_t *p, *p2, *p3, *dup, **hz = NULL;
++  fluid_list_t *p, *p2, *p3, *dup, **hz = NULL, *start_of_zone_list;
+   SFZone *z;
+   SFGen *g;
+   SFGenAmount genval;
+@@ -3070,7 +3072,7 @@ load_igen (int size, SFData * sf, FILE * fd)
+     {				/* traverse through all instruments */
+       gzone = FALSE;
+       discarded = FALSE;
+-      p2 = ((SFInst *) (p->data))->zone;
++      start_of_zone_list = p2 = ((SFInst *) (p->data))->zone;
+       if (p2)
+ 	hz = &p2;
+       while (p2)
+@@ -3179,12 +3181,14 @@ load_igen (int size, SFData * sf, FILE * fd)
+ 		    }
+ 		}
+ 	      else
+-		{		/* previous global zone exists, discard */
++		{
++		  SFZone * izone = fluid_list_get(p2);
++		  /* previous global zone exists, discard */
+ 		  FLUID_LOG (FLUID_WARN,
+ 		    _("Instrument \"%s\": Discarding invalid global zone"),
+ 		    ((SFInst *) (p->data))->name);
+-		  *hz = fluid_list_remove(*hz, p2->data);
+-		  sfont_free_zone((SFZone *)fluid_list_get(p2));
++		  *hz = fluid_list_remove(start_of_zone_list, izone);
++		  sfont_free_zone(izone);
+ 		}
+ 	    }
+ 
+-- 
+2.23.0
+

CVE-2021-21417-2.patch

@@ -0,0 +1,52 @@
+From 6673a5f73c0484f8462b4b33860d2b1c68c24684 Mon Sep 17 00:00:00 2001
+From: Tom M <tom.mbrt@googlemail.com>
+Date: Sun, 14 Mar 2021 20:23:38 +0100
+Subject: [PATCH] Update fluid_sffile.c
+
+---
+ src/sfloader/fluid_defsfont.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/src/sfloader/fluid_defsfont.c b/src/sfloader/fluid_defsfont.c
+index fc68d34..9663a40 100644
+--- a/src/sfloader/fluid_defsfont.c
++++ b/src/sfloader/fluid_defsfont.c
+@@ -2829,13 +2829,14 @@ load_pgen (int size, SFData * sf, FILE * fd)
+ 		}
+ 	      else
+ 		{
+-		  SFZone * pzone = fluid_list_get(p2);
++		  p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ 		  /* previous global zone exists, discard */
+ 		  FLUID_LOG (FLUID_WARN,
+ 		    _("Preset \"%s\": Discarding invalid global zone"),
+ 		    ((SFPreset *) (p->data))->name);
+-		  *hz = fluid_list_remove(start_of_zone_list, pzone);
+-		  sfont_free_zone(pzone);
++		  fluid_list_remove(start_of_zone_list, z);
++		  sfont_free_zone(z);
++		  continue;
+ 		}
+ 	    }
+ 
+@@ -3182,13 +3183,14 @@ load_igen (int size, SFData * sf, FILE * fd)
+ 		}
+ 	      else
+ 		{
+-		  SFZone * izone = fluid_list_get(p2);
++		  p2 = fluid_list_next(p2); /* advance to next zone before deleting the current list element */
+ 		  /* previous global zone exists, discard */
+ 		  FLUID_LOG (FLUID_WARN,
+ 		    _("Instrument \"%s\": Discarding invalid global zone"),
+ 		    ((SFInst *) (p->data))->name);
+-		  *hz = fluid_list_remove(start_of_zone_list, izone);
+-		  sfont_free_zone(izone);
++		  fluid_list_remove(start_of_zone_list, z);
++		  sfont_free_zone(z);
++		  continue;
+ 		}
+ 	    }
+ 
+-- 
+2.23.0
+

CVE-2021-21417-pre.patch

@@ -0,0 +1,66 @@
+From f83c49d6fa7f1ec4818cb9e920e30adc827d28bf Mon Sep 17 00:00:00 2001
+From: Marcus Weseloh <marcus@weseloh.cc>
+Date: Wed, 4 Apr 2018 11:03:47 +0200
+Subject: [PATCH] Remove sfont_zone_delete, replace with direct
+invocations instead
+
+---
+ src/sfloader/fluid_defsfont.c | 14 ++++----------
+ src/sfloader/fluid_defsfont.h |  2 --
+ 2 files changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/src/sfloader/fluid_defsfont.c b/src/sfloader/fluid_defsfont.c
+index 231d248..0330de5 100644
+--- a/src/sfloader/fluid_defsfont.c
++++ b/src/sfloader/fluid_defsfont.c
+@@ -2832,7 +2832,8 @@ load_pgen (int size, SFData * sf, FILE * fd)
+ 		  FLUID_LOG (FLUID_WARN,
+ 		    _("Preset \"%s\": Discarding invalid global zone"),
+ 		    ((SFPreset *) (p->data))->name);
+-		  sfont_zone_delete (sf, hz, (SFZone *) (p2->data));
++		  *hz = fluid_list_remove(*hz, p2->data);
++		  sfont_free_zone((SFZone *)fluid_list_get(p2));
+ 		}
+ 	    }
+ 
+@@ -3182,7 +3183,8 @@ load_igen (int size, SFData * sf, FILE * fd)
+ 		  FLUID_LOG (FLUID_WARN,
+ 		    _("Instrument \"%s\": Discarding invalid global zone"),
+ 		    ((SFInst *) (p->data))->name);
+-		  sfont_zone_delete (sf, hz, (SFZone *) (p2->data));
++		  *hz = fluid_list_remove(*hz, p2->data);
++		  sfont_free_zone((SFZone *)fluid_list_get(p2));
+ 		}
+ 	    }
+ 
+@@ -3566,14 +3568,6 @@ sfont_preset_compare_func (void* a, void* b)
+   return (aval - bval);
+ }
+ 
+-/* delete zone from zone list */
+-void
+-sfont_zone_delete (SFData * sf, fluid_list_t ** zlist, SFZone * zone)
+-{
+-  *zlist = fluid_list_remove (*zlist, (void*) zone);
+-  sfont_free_zone (zone);
+-}
+-
+ /* Find generator in gen list */
+ fluid_list_t *
+ gen_inlist (int gen, fluid_list_t * genlist)
+diff --git a/src/sfloader/fluid_defsfont.h b/src/sfloader/fluid_defsfont.h
+index 0d5c6c0..d1ceac1 100644
+--- a/src/sfloader/fluid_defsfont.h
++++ b/src/sfloader/fluid_defsfont.h
+@@ -222,8 +222,6 @@ void sfont_close (SFData * sf);
+ void sfont_free_zone (SFZone * zone);
+ int sfont_preset_compare_func (void* a, void* b);
+ 
+-void sfont_zone_delete (SFData * sf, fluid_list_t ** zlist, SFZone * zone);
+-
+ fluid_list_t *gen_inlist (int gen, fluid_list_t * genlist);
+ int gen_valid (int gen);
+ int gen_validp (int gen);
+-- 
+2.23.0
+

fluidsynth.spec

@@ -1,12 +1,15 @@
 Name:          fluidsynth
 Version:       1.1.11
-Release:       3
+Release:       4
 Summary:       Real-time software synthesizer
 License:       LGPLv2+
 URL:           http://www.fluidsynth.org/
 Source0:       https://github.com/Fluidsynth/fluidsynth/archive/v%{version}/fluidsynth-%{version}.tar.gz
 
 Patch0000:     fluidsynth-no_date_footer.patch
+Patch0001:     CVE-2021-21417-pre.patch
+Patch0002:     CVE-2021-21417-1.patch
+Patch0003:     CVE-2021-21417-2.patch
 
 BuildRequires: alsa-lib-devel cmake dbus-devel gcc jack-audio-connection-kit-devel readline-devel
 BuildRequires: ladspa-devel ncurses-devel libsndfile-devel pkgconfig pulseaudio-libs-devel doxygen
@@ -63,5 +66,8 @@ make doxygen -C %{_target_platform}/doc
 %doc NEWS README.md THANKS TODO doc/FluidSynth-LADSPA.pdf
 
 %changelog
+* Thu May 13 2021 wangxiao <wangxiao65@huawei.com> - 1.1.11-4
+- Fix CVE-2021-21417
+
 * Fri Nov 22 2019 sunguoshuai <sunguoshuai@huawei.com> - 1.1.11-3
 - Package init.