audiofile: apply CVE patches

Closes #12478.

Signed-off-by: ilovezfs <ilovezfs@icloud.com>

Formula/audiofile.rb

@@ -1,8 +1,21 @@
 class Audiofile < Formula
   desc "Reads and writes many common audio file formats"
   homepage "https://audiofile.68k.org/"
-  url "https://audiofile.68k.org/audiofile-0.3.6.tar.gz"
-  sha256 "cdc60df19ab08bfe55344395739bb08f50fc15c92da3962fac334d3bff116965"
+  revision 1
+
+  stable do
+    url "https://audiofile.68k.org/audiofile-0.3.6.tar.gz"
+    sha256 "cdc60df19ab08bfe55344395739bb08f50fc15c92da3962fac334d3bff116965"
+
+    # Fixes CVE-2015-7747. Fixed upstream but doesn't apply cleanly.
+    # https://github.com/mpruett/audiofile/commit/b62c902dd258125cac86cd2df21fc898035a43d3
+    patch do
+      url "https://mirrors.ocf.berkeley.edu/debian/pool/main/a/audiofile/audiofile_0.3.6-4.debian.tar.xz"
+      mirror "https://mirrorservice.org/sites/ftp.debian.org/debian/pool/main/a/audiofile/audiofile_0.3.6-4.debian.tar.xz"
+      sha256 "0620675a52bdb40b775980cc1820e308df329348bb847f9a4a8361b3799fa241"
+      apply "patches/03_CVE-2015-7747.patch"
+    end
+  end
 
   bottle do
     cellar :any
@@ -28,6 +41,33 @@ class Audiofile < Formula
 
   depends_on "lcov" => :optional
 
+  # These have all been reported upstream but beside
+  # 03_CVE-2015-7747 not yet merged or fixed.
+  # https://github.com/mpruett/audiofile/issues/31
+  # https://github.com/mpruett/audiofile/issues/32
+  # https://github.com/mpruett/audiofile/issues/33
+  # https://github.com/mpruett/audiofile/issues/34
+  # https://github.com/mpruett/audiofile/issues/35
+  # https://github.com/mpruett/audiofile/issues/36
+  # https://github.com/mpruett/audiofile/issues/37
+  # https://github.com/mpruett/audiofile/issues/38
+  # https://github.com/mpruett/audiofile/issues/39
+  # https://github.com/mpruett/audiofile/issues/40
+  # https://github.com/mpruett/audiofile/issues/41
+  # https://github.com/mpruett/audiofile/pull/42
+  patch do
+    url "https://mirrors.ocf.berkeley.edu/debian/pool/main/a/audiofile/audiofile_0.3.6-4.debian.tar.xz"
+    mirror "https://mirrorservice.org/sites/ftp.debian.org/debian/pool/main/a/audiofile/audiofile_0.3.6-4.debian.tar.xz"
+    sha256 "0620675a52bdb40b775980cc1820e308df329348bb847f9a4a8361b3799fa241"
+    apply "patches/04_clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch",
+          "patches/05_Always-check-the-number-of-coefficients.patch",
+          "patches/06_Check-for-multiplication-overflow-in-MSADPCM-decodeSam.patch",
+          "patches/07_Check-for-multiplication-overflow-in-sfconvert.patch",
+          "patches/08_Fix-signature-of-multiplyCheckOverflow.-It-returns-a-b.patch",
+          "patches/09_Actually-fail-when-error-occurs-in-parseFormat.patch",
+          "patches/10_Check-for-division-by-zero-in-BlockCodec-runPull.patch"
+  end
+
   def install
     if build.head?
       inreplace "autogen.sh", "libtool", "glibtool"
@@ -46,24 +86,8 @@ class Audiofile < Formula
   test do
     inn  = "/System/Library/Sounds/Glass.aiff"
     out  = "Glass.wav"
-    conv_bin = "#{bin}/sfconvert"
-    info_bin = "#{bin}/sfinfo"
 
-    unless File.exist?(conv_bin) && File.exist?(inn) && File.exist?(info_bin)
-      opoo <<-EOS.undent
-        One of the following files could not be located, and so
-        the test was not executed:
-           #{inn}
-           #{conv_bin}
-           #{info_bin}
-
-        Audiofile can also be tested at build-time:
-          brew install -v audiofile --with-check
-      EOS
-      return
-    end
-
-    system conv_bin, inn, out, "format", "wave"
-    system info_bin, "--short", "--reporterror", out
+    system bin/"sfconvert", inn, out, "format", "wave"
+    system bin/"sfinfo", "--short", "--reporterror", out
   end
 end