SFElibmikmod.spec: CVE-2010-2546, added missing patches
authorjurikm
Mon, 09 Aug 2010 08:06:30 +0000
changeset 2886 e283160cc4fe
parent 2885 8d1888347c03
child 2887 a1cd0f8b8968
SFElibmikmod.spec: CVE-2010-2546, added missing patches
ChangeLog
SFElibmikmod.spec
patches/libmikmod-01-cve-2009-3995.diff
patches/libmikmod-02-cve-2009-3996.diff
patches/libmikmod-03-cve-2010-2546.diff
--- a/ChangeLog	Sun Aug 08 20:00:22 2010 +0000
+++ b/ChangeLog	Mon Aug 09 08:06:30 2010 +0000
@@ -1,3 +1,7 @@
+2010-08-09 Milan Jurik <[email protected]>
+
+	* SFElibmikmod.spec: CVE-2010-2546, added missing patches
+
 2010-08-08 Milan Jurik <[email protected]>
 
 	* SFEunbound.spec: update to 1.4.6
--- a/SFElibmikmod.spec	Sun Aug 08 20:00:22 2010 +0000
+++ b/SFElibmikmod.spec	Mon Aug 09 08:06:30 2010 +0000
@@ -14,6 +14,7 @@
 Source:                  http://mikmod.raphnet.net/files/libmikmod-%{src_version}.tar.bz2
 Patch1:                  libmikmod-01-cve-2009-3995.diff
 Patch2:                  libmikmod-02-cve-2009-3996.diff 
+Patch3:                  libmikmod-03-cve-2010-2546.diff
 URL:                     http://mikmod.raphnet.net/
 License:                 LGPL
 SUNW_BaseDir:            %{_basedir}
@@ -36,6 +37,7 @@
 %setup -q -n libmikmod-%src_version
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %build
 CPUS=`/usr/sbin/psrinfo | grep on-line | wc -l | tr -d ' '`
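Review bot: The new `%patch3 -p1` only applies on top of `%patch1`, and nothing in the spec records that dependency. The third hunk of libmikmod-03-cve-2010-2546.diff deletes the `/* fix for CVE-2009-3995 */` check that libmikmod-01-cve-2009-3995.diff inserts, so dropping or reordering Patch1 in a later cleanup would break %prep, and dropping both together would silently lose the bound. I would add a comment above the patch lines such as `# Patch3 must follow Patch1: it moves the CVE-2009-3995 bound to where the envelope count is read`. The %prep section continues outside this hunk.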
@@ -83,6 +85,8 @@
 %{_datadir}/aclocal/*
 
 %changelog
+* Mon Aug 09 2010 - Milan Jurik
+- CVE-2010-2546 patches based on Debian
 * Mon Jul 19 2010 - Milan Jurik
 - CVE-2009-3995 and CVE-2009-3996 patches added based on Debian
 * Sun May 09 2010 - Milan Jurik
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/libmikmod-01-cve-2009-3995.diff	Mon Aug 09 08:06:30 2010 +0000
@@ -0,0 +1,13 @@
+--- libmikmod-3.2.0-beta2/loaders/load_it.c	Fri Feb  6 20:29:03 2004
++++ libmikmod-3.2.0-beta2-patch/loaders/load_it.c	Mon Jul 19 14:48:34 2010
+@@ -862,6 +862,10 @@
+ #endif
+ 
+ 				IT_ProcessEnvelope(vol);
++				/* fix for CVE-2009-3995 */
++				if (ih.volpts>= ENVPOINTS)
++					ih.volpts = ENVPOINTS-1;
++
+ 				for(u=0;u<ih.volpts;u++)
+ 					d->volenv[u].val=(ih.volnode[u]<<2);
+ 
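Review bot: This patch file has no provenance header; it begins directly at the `---` line, as do libmikmod-02-cve-2009-3996.diff and libmikmod-03-cve-2010-2546.diff. The spec changelog says only "based on Debian", so an auditor cannot tell which Debian revision or bug the change was taken from, or whether it was altered on the way. The check added here is also removed again by patch 03 in the same commit, so someone verifying CVE-2009-3995 needs to be pointed at where the effective bound now lives. Text before the first `---` is ignored by patch, so a few lines such as `Origin: Debian, <DEBIAN_BUG_OR_PATCH_URL>` and `Note: superseded by the read-time check in libmikmod-03-cve-2010-2546.diff` at the top of each file would cover it.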
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/libmikmod-02-cve-2009-3996.diff	Mon Aug 09 08:06:30 2010 +0000
@@ -0,0 +1,13 @@
+--- libmikmod-3.2.0-beta2/loaders/load_ult.c	Wed Jan 21 02:36:35 2004
++++ libmikmod-3.2.0-beta2-patch/loaders/load_ult.c	Mon Jul 19 14:51:36 2010
+@@ -225,6 +225,10 @@
+ 		for(t=0;t<of.numpat;t++)
+ 			of.patterns[(t*of.numchn)+u]=tracks++;
+ 
++	/* fix for CVE-2009-3996 */
++	if (of.numchn>=UF_MAXCHAN)
++		of.numchn=UF_MAXCHAN - 1;
++
+ 	/* read pan position table for v1.5 and higher */
+ 	if(mh.id[14]>='3') {
+ 		for(t=0;t<of.numchn;t++) of.panning[t]=_mm_read_UBYTE(modreader)<<4;
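Review bot: The `of.numchn` clamp runs only after the loop at the top of the hunk has used the unclamped `of.numchn` as the stride into `of.patterns`. A module with too many channels is therefore partly processed before the check, and afterwards `of.numchn` no longer matches the layout of the pattern table that was just built. What else the code above this hunk sizes or indexes from `of.numchn` is not visible here. The bound would be safer directly after the channel count is read from the header, failing the load in the loader's usual way instead of truncating, for example guarded by `if (of.numchn > UF_MAXCHAN)`. The current `>=` with `UF_MAXCHAN - 1` also treats `of.numchn == UF_MAXCHAN` as out of range, which is one channel too strict if `of.panning` holds `UF_MAXCHAN` entries; that is worth confirming against the declaration.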
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/libmikmod-03-cve-2010-2546.diff	Mon Aug 09 08:06:30 2010 +0000
@@ -0,0 +1,31 @@
+--- libmikmod-3.2.0-beta2/loaders/load_it.c.orig	2010-07-22 16:02:16.000000000 +0200
++++ libmikmod-3.2.0-beta2-patch/loaders/load_it.c	2010-07-22 16:07:48.000000000 +0200
+@@ -743,6 +743,8 @@ BOOL IT_Load(BOOL curious)
+ #define IT_LoadEnvelope(name,type) 										\
+ 				ih. name##flg   =_mm_read_UBYTE(modreader);				\
+ 				ih. name##pts   =_mm_read_UBYTE(modreader);				\
++				if (ih. name##pts > ITENVCNT)							\
++					ih. name##pts = ITENVCNT;							\
+ 				ih. name##beg   =_mm_read_UBYTE(modreader);				\
+ 				ih. name##end   =_mm_read_UBYTE(modreader);				\
+ 				ih. name##susbeg=_mm_read_UBYTE(modreader);				\
+@@ -756,6 +758,8 @@ BOOL IT_Load(BOOL curious)
+ #define IT_LoadEnvelope(name,type) 										\
+ 				ih. name/**/flg   =_mm_read_UBYTE(modreader);			\
+ 				ih. name/**/pts   =_mm_read_UBYTE(modreader);			\
++				if (ih. name/**/pts > ITENVCNT)							\
++					ih. name/**/pts = ITENVCNT;							\
+ 				ih. name/**/beg   =_mm_read_UBYTE(modreader);			\
+ 				ih. name/**/end   =_mm_read_UBYTE(modreader);			\
+ 				ih. name/**/susbeg=_mm_read_UBYTE(modreader);			\
+@@ -862,10 +866,6 @@ BOOL IT_Load(BOOL curious)
+ #endif
+ 
+ 				IT_ProcessEnvelope(vol);
+-				/* fix for CVE-2009-3995 */
+-				if (ih.volpts>= ENVPOINTS)
+-					ih.volpts = ENVPOINTS-1;
+-
+ 				for(u=0;u<ih.volpts;u++)
+ 					d->volenv[u].val=(ih.volnode[u]<<2);
+
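Review bot: The new bound in `IT_LoadEnvelope` is `ITENVCNT`, whereas the check deleted in the third hunk compared against `ENVPOINTS`, and nothing visible ties the two constants together. `ENVPOINTS` is presumably the size of the destination `d->volenv[]` written by the loop that follows. If `ITENVCNT` were ever larger than `ENVPOINTS`, the copy loops after `IT_ProcessEnvelope` would again run past the destination array. Assuming both are preprocessor constants, a guard next to the macro would pin the assumption at build time: `#if ITENVCNT > ENVPOINTS`, `#error "IT envelope count exceeds ENVPOINTS"`, `#endif`. The clamp also silently truncates a malformed envelope instead of failing the load, which deserves a short comment in the macro; `IT_Load` itself starts and ends outside these hunks.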