From 57aa3ec33b052199cf13f1b056da9b516c6a7cf9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <v@cunat.cz>
Date: Tue, 11 Jun 2019 15:31:10 +0200
Subject: [PATCH] faad2: apply security patches from Debian

---
 pkgs/development/libraries/faad2/default.nix | 24 ++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/pkgs/development/libraries/faad2/default.nix b/pkgs/development/libraries/faad2/default.nix
index 50323846e98..e7e4835d2ed 100644
--- a/pkgs/development/libraries/faad2/default.nix
+++ b/pkgs/development/libraries/faad2/default.nix
@@ -12,6 +12,30 @@ stdenv.mkDerivation rec {
     sha256 = "1db37ydb6mxhshbayvirm5vz6j361bjim4nkpwjyhmy4ddfinmhl";
   };
 
+  patches = let
+    fp = { ver ? "2.8.8-3", pname, name ? (pname + ".patch"), sha256 }: fetchurl {
+      url = "https://salsa.debian.org/multimedia-team/faad2/raw/debian/${ver}"
+          + "/debian/patches/${pname}.patch?inline=false";
+      inherit name sha256;
+    };
+  in [
+    (fp {
+      # critical bug addressed in vlc 3.0.7 (but we use system-provided faad)
+      pname = "0004-Fix-a-couple-buffer-overflows";
+      sha256 = "1mwycdfagz6wpda9j3cp7lf93crgacpa8rwr58p3x0i5cirnnmwq";
+    })
+    (fp {
+      name = "CVE-2018-20362.patch";
+      pname = "0009-syntax.c-check-for-syntax-element-inconsistencies";
+      sha256 = "1z849l5qyvhyn5pvm6r07fa50nrn8nsqnrka2nnzgkhxlhvzpa81";
+    })
+    (fp {
+      name = "CVE-2018-20194.patch";
+      pname = "0010-sbr_hfadj-sanitize-frequency-band-borders";
+      sha256 = "1b1kbz4mv0zhpq8h3djnvqafh1gn12nikk9v3jrxyryywacirah4";
+    })
+  ];
+
   configureFlags = []
     ++ optional drmSupport "--with-drm";