Fix CVE-2018-7253:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7253

Copied from upstream:
https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec

diff --git a/cli/dsdiff.c b/cli/dsdiff.c
index 410dc1c..c016df9 100644
--- a/cli/dsdiff.c
+++ b/cli/dsdiff.c
@@ -153,7 +153,17 @@ int ParseDsdiffHeaderConfig (FILE *infile, char *infilename, char *fourcc, Wavpa
                 error_line ("dsdiff file version = 0x%08x", version);
         }
         else if (!strncmp (dff_chunk_header.ckID, "PROP", 4)) {
-            char *prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
+            char *prop_chunk;
+
+            if (dff_chunk_header.ckDataSize < 4 || dff_chunk_header.ckDataSize > 1024) {
+                error_line ("%s is not a valid .DFF file!", infilename);
+                return WAVPACK_SOFT_ERROR;
+            }
+
+            if (debug_logging_mode)
+                error_line ("got PROP chunk of %d bytes total", (int) dff_chunk_header.ckDataSize);
+
+            prop_chunk = malloc ((size_t) dff_chunk_header.ckDataSize);
 
             if (!DoReadFile (infile, prop_chunk, (uint32_t) dff_chunk_header.ckDataSize, &bcount) ||
                 bcount != dff_chunk_header.ckDataSize) {
ackages/polkit.scm?id=b71c0645dfbf78bf3f3a5ee85f24d30ad0c65da6'>tree</a><a href='/guix/commit/gnu/packages/polkit.scm?id=b71c0645dfbf78bf3f3a5ee85f24d30ad0c65da6'>commit</a><a href='/guix/diff/gnu/packages/polkit.scm?id=b71c0645dfbf78bf3f3a5ee85f24d30ad0c65da6'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/gnu/packages/polkit.scm'>
<input type='hidden' name='id' value='b71c0645dfbf78bf3f3a5ee85f24d30ad0c65da6'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=b71c0645dfbf78bf3f3a5ee85f24d30ad0c65da6'>root</a>/<a href='/guix/log/gnu?id=b71c0645dfbf78bf3f3a5ee85f24d30ad0c65da6'>gnu</a>/<a href='/guix/log/gnu/packages?id=b71c0645dfbf78bf3f3a5ee85f24d30ad0c65da6'>packages</a>/<a href='/guix/log/gnu/packages/polkit.scm?id=b71c0645dfbf78bf3f3a5ee85f24d30ad0c65da6'>polkit.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/packages/polkit.scm?id=b71c0645dfbf78bf3f3a5ee85f24d30ad0c65da6&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2019-01-15 14:46:44 +0100'>2019-01-15</span></td><td><a href='/guix/commit/gnu/packages/polkit.scm?id=44d10b1f722856ab8e9b942804aa7ef33e2ef739'>gnu: Separate Python core packages from the rest.</a><span class='msg-avail'>...</span></td><td>Ricardo Wurmus</td></tr>
<tr><td><span title='2018-12-09 00:21:09 -0500'>2018-12-09</span></td><td><a href='/guix/commit/gnu/packages/polkit.scm?id=5d3f673db4f866564b4226046a266de36dc21dbd'>gnu: polkit: Fix CVE-2018-19788.</a><span class='msg-avail'>...</span></td><td>Leo Famulari</td></tr>
<tr><td><span title='2018-08-09 21:19:47 +0200'>2018-08-09</span></td><td><a href='/guix/commit/gnu/packages/polkit.scm?id=bcdee2dc336439de5bc90b2712d83ecc865c45d7'>gnu: polkit: Update to 0.115 [fixes CVE-2018-1116].</a><span class='msg-avail'>...</span></td><td>Ricardo Wurmus</td></tr>
<tr><td><span title='2018-02-27 09:22:24 +0100'>2018-02-27</span></td><td><a href='/guix/commit/gnu/packages/polkit.scm?id=87b6305e72a0d96260716719b041bd7ae84ca230'>gnu: polkit: Fix 'invoke' call.</a><span class='msg-avail'>...</span></td><td>Ludovic Courtès</td></tr>
<tr><td><span title='2018-02-26 20:13:10 +0100'>2018-02-26</span></td><td><a href='/guix/commit/gnu/packages/polkit.scm?id=57e7d7486ba17d7b5407ebc429ce8553460371ea'>gnu: Use HTTPS for supported freedesktop.org home pages.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2018-02-26 20:13:09 +0100'>2018-02-26</span></td><td><a href='/guix/commit/gnu/packages/polkit.scm?id=3c4bbb4c52418c8daf8b0e4605e3912685c9f44a'>gnu: polkit: Update phase &amp; snippet style.</a><span class='msg-avail'>...</span></td><td>Tobias Geerinckx-Rice</td></tr>

Age	Commit message (Expand)	Author
2019-01-15	gnu: Separate Python core packages from the rest....	Ricardo Wurmus
2018-12-09	gnu: polkit: Fix CVE-2018-19788....	Leo Famulari
2018-08-09	gnu: polkit: Update to 0.115 [fixes CVE-2018-1116]....	Ricardo Wurmus
2018-02-27	gnu: polkit: Fix 'invoke' call....	Ludovic Courtès
2018-02-26	gnu: Use HTTPS for supported freedesktop.org home pages....	Tobias Geerinckx-Rice
2018-02-26	gnu: polkit: Update phase & snippet style....	Tobias Geerinckx-Rice