gentoo resync : 25.08.2020

8 files changed, 275 insertions, 229 deletions

diff --git a/media-sound/milkytracker/Manifest b/media-sound/milkytracker/Manifest
index 74a9706a5e24..008a813a8500 100644
--- a/media-sound/milkytracker/Manifest
+++ b/media-sound/milkytracker/Manifest
@@ -1,5 +1,8 @@
-AUX milkytracker-1.0.0-cmake.patch 6172 BLAKE2B d0ee8dd866ff5d9b7c7558f5ca5d7b2f75a4b3e37abba2b7798816a8131ea24e250fccdd405bb48f1effb363d437115f89d7b44aae87fdbe21234b1ad08c544c SHA512 395d93dab58a9a5a7c000382ea946b1e28eecf55d3867a7acf07cef7ee2bbb7ea90ff5946125c5bf16c2ecd658f7711859e02b7058c19dbaaea39c9b3ee8c881
-AUX milkytracker-1.0.0-docdir.patch 2319 BLAKE2B 256f8f2eba611e2a6f19df117e2b4ccf6057f4de380a2098f48b0cbf4a136f7b5d45eb203990b8de36407765b6f4a9547f1801d50dec7400a55917bf286a9193 SHA512 f5e44258717a9b84956c29506c27e97e72cd50092ac179c328f3773f07f0573ac77aa50e4a27cea62f23b4f6318e1132fac2a0a039e3cf604efd1d595b357173
-DIST milkytracker-1.0.0.tar.gz 3749140 BLAKE2B 5bf1e374c8d51e7f65a222c46b4cb3e26dd88ba5be304af540d3af4f5123179a2496d0b5eb87021d2dc0f12e7fab3f55e9ad06573aa5fb3a8842d9b743e6c948 SHA512 a96e8b015a4e3b38f3ad44756fc79cb062f91ab193b7428a6abde042aa4e51c8fb45757cba0504283410d714eefffdee57d3e3bf42e7991d1f9581ab8d2ab1c4
-EBUILD milkytracker-1.0.0.ebuild 1040 BLAKE2B 6905982d6a4af69065592125f6e7fbd38b1a03068af4b9ac7f51719b3e3aa4c3b3e411846d56dbb5ad83841c42f30468df3b891e1d066bd4752ce583184c6f8b SHA512 49024655173f65bc0c88172478848e7f742a5310bc348eea46bf27ca17660177ed489948f1fb9709c4f7352cc913b1554ec2bd8520058ff73cb7ce50b138f2f4
+AUX milkytracker-1.02.00-CVE-2019-14464.patch 926 BLAKE2B 632af971c55cd80d1a8aa2b8d2dd2fdc5c471feaa0bbe8fff0b980de8a1db2f2281a816381a08a064f105146839fa63194e770190ca77ec79a14d9c2ff1839b0 SHA512 c37d11fd83831199075205ae9631bb6a2ac05458c63155a8a65a093fa8ce851ce7b9d8efb35d7db785760dc126c225aa292c4b11f3de5d2f87d7fa9c0bda6c76
+AUX milkytracker-1.02.00-CVE-2019-1449x.patch 3121 BLAKE2B 8b863ed8a9c78942c303e06ed8f8089d4602a9b8765a38ae9974f3871441f9b10cde4cc8a297a45cd66da567c94234c4ca9f7eed1505ba2ced92fb2407cf5fed SHA512 4805e831e6ae3934fdab2045e76eb1bfd750e3efb4df58b374ac69d7bdc6d5f88241b4a8d87a6b681cfdf11c1b0316f7c6691d505b6cfd28dd6324dc0de7bff8
+AUX milkytracker-1.02.00-CVE-2020-15569.patch 972 BLAKE2B 34dfbe0690fefce4cbcfeabe571d811092bba6c72e2bfe8db5e087d21774563bd79108e88c66b490999553587ab755fce16d53f4822e23149b86c5585aa46c00 SHA512 358b5e1709a634f2e51c6bda53684c903f57e328d73a364c5b7feac4c278288838cfde3f1afc087b2f52259f1cbcacda022dc92f3a621c7d772a9be8d248c220
+AUX milkytracker-1.02.00-fix-hard-dependency-on-rtmidi.patch 2570 BLAKE2B fe0a454e34c9b7b88125ccdfb6f77e1cc014013a8f054f00c6330e733ba54154bc1d96ef256cf5befc8329c169e57f29062652f0ff84dc55201572d0201111fc SHA512 0112a805d61204ff31ad0b1b31cbc9ff60f91f5ada275a839f0c258c3f5302239fd9b00ba7d8387b5865ad2ea86abedc32630ff2f1b58c0a74bfa67895a5676a
+DIST milkytracker-1.02.00-cmake.patch 40073 BLAKE2B cef8fc7efff9324c1d628026d650c79e11950b53481686e5dd35ace483839fbdd6b2b1f8ccce2f688beec2c7c28b0fe3b60d0e8d540d6cd163927f4bacf9d396 SHA512 bd4ca0d092229722ca81addaf9eec3ff1b176061da7b44fe3f02fbe020c3820778ed973dde95588b4c9f918728e2c69c24ac23083a2f48c0cbad2e854eeff5ba
+DIST milkytracker-1.02.00.tar.gz 3753882 BLAKE2B e9bb4341e016d2a9c518835e8b4620f748da60bca7205302e7500f14f3294e7fa9a20fef203226fffbe22a11a3b4978ea928f0f544eb70e99b5998ecc7c45611 SHA512 479a7b3198d97c68dca4fa772a2aa64d7f740957f5d8038fabfb303e724c85aec0865746a0a5c3ef6b9599b78892dcda22727ab2bb80ae38764bcf81b249e134
+EBUILD milkytracker-1.02.00-r1.ebuild 1497 BLAKE2B 76e41340629253f19ba1253f3a662ced5af0ad03c0eec158a48120d7b557b96bca64a19dbac13e8a44f8f0b8e5135c20c7134f9168e67ed01bc639512867b113 SHA512 d8da48058c5fb7eb1ef9f95ccb7855fdadf50ed5415af38175d0fe08689c101e110a57685cbcbd814530bf75d05773adebd3195d192163e496aca4b1d9dd148e
 MISC metadata.xml 249 BLAKE2B f7f8f071ecba933f3d39b0b60983281d59299b92de9375a60ab4109d7202800cb790bce0c426227f04b3e2624b1adb20876145741355abc6a4938b8b9698d144 SHA512 9a100fb26586365eda99724330a03a512f4d0be18d39c3a195ba02c2fc841edeee99d22512acf5a058a3b978d3a74f4d963a5aff9aa343b6cb4086cdfefe6343
diff --git a/media-sound/milkytracker/files/milkytracker-1.0.0-cmake.patch b/media-sound/milkytracker/files/milkytracker-1.0.0-cmake.patch
deleted file mode 100644
index 391ec55c7d8d..000000000000
--- a/media-sound/milkytracker/files/milkytracker-1.0.0-cmake.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 87d0f55cd8868d91472f96cccafaf6fdb9e0cbbc Mon Sep 17 00:00:00 2001
-From: Dale Whinham <daleyo@gmail.com>
-Date: Thu, 31 Oct 2019 21:21:28 +0000
-Subject: [PATCH] CMake: Use SDL2's official CMake package mechanism
-
-We shouldn't need to rely on a FindSDL2.cmake, as SDL2 comes with a
-CMake package definition that should be installed by the distro into a
-location where CMake can find it.
-
-Fixes #168.
----
- CMakeLists.txt       |   4 +-
- cmake/FindSDL2.cmake | 104 -------------------------------------------
- 2 files changed, 1 insertion(+), 107 deletions(-)
- delete mode 100644 cmake/FindSDL2.cmake
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 27ad4a18..5b6ed9f1 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -31,8 +31,6 @@ if(FORCESDL)
-     unset(APPLE)
-     unset(WIN32)
-     add_definitions(-D__FORCE_SDL_AUDIO__)
--    # Frameworks not supported by findSDL2.cmake
--    set(CMAKE_FIND_FRAMEWORK NEVER)
- endif()
- 
- # Lowercase project name for binaries and packaging
-@@ -166,7 +164,7 @@ else()
-     # https://bugzilla.libsdl.org/show_bug.cgi?id=3295
-     cmake_policy(SET CMP0004 OLD)
- 
--    find_package(SDL2 2 REQUIRED)
-+    find_package(SDL2 REQUIRED)
- endif()
- 
- # Prefer static linkage under OS X for libraries located with find_package()
-diff --git a/cmake/FindSDL2.cmake b/cmake/FindSDL2.cmake
-deleted file mode 100644
-index 27c78f05..00000000
---- a/cmake/FindSDL2.cmake
-+++ /dev/null
-@@ -1,104 +0,0 @@
--# - Find SDL2 library and headers
--# 
--# Find module for SDL 2.0 (http://www.libsdl.org/).
--# It defines the following variables:
--#  SDL2_INCLUDE_DIRS - The location of the headers, e.g., SDL.h.
--#  SDL2_LIBRARIES - The libraries to link against to use SDL2.
--#  SDL2_FOUND - If false, do not try to use SDL2.
--#  SDL2_VERSION_STRING - Human-readable string containing the version of SDL2.
--#
--# This module responds to the the flag:
--#  SDL2_BUILDING_LIBRARY
--#    If this is defined, then no SDL2_main will be linked in because
--#    only applications need main().
--#    Otherwise, it is assumed you are building an application and this
--#    module will attempt to locate and set the the proper link flags
--#    as part of the returned SDL2_LIBRARIES variable.
--#
--# Also defined, but not for general use are:
--#   SDL2_INCLUDE_DIR - The directory that contains SDL.h.
--#   SDL2_LIBRARY - The location of the SDL2 library.
--#   SDL2MAIN_LIBRARY - The location of the SDL2main library.
--#
--
--#=============================================================================
--# Copyright 2013 Benjamin Eikel
--#
--# Redistribution and use in source and binary forms, with or without
--# modification, are permitted provided that the following conditions are met:
--#     * Redistributions of source code must retain the above copyright
--#       notice, this list of conditions and the following disclaimer.
--#     * Redistributions in binary form must reproduce the above copyright
--#       notice, this list of conditions and the following disclaimer in the
--#       documentation and/or other materials provided with the distribution.
--#     * Neither the name of the <organization> nor the
--#       names of its contributors may be used to endorse or promote products
--#       derived from this software without specific prior written permission.
--#
--# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
--# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
--# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
--# ARE DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
--# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
--# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
--# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
--# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
--# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
--# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--#=============================================================================
--
--find_package(PkgConfig QUIET)
--pkg_check_modules(PC_SDL2 QUIET sdl2)
--
--find_path(SDL2_INCLUDE_DIR
--  NAMES SDL.h
--  HINTS
--    ${PC_SDL2_INCLUDEDIR}
--    ${PC_SDL2_INCLUDE_DIRS}
--  PATH_SUFFIXES SDL2
--)
--
--find_library(SDL2_LIBRARY
--  NAMES SDL2
--  HINTS
--    ${PC_SDL2_LIBDIR}
--    ${PC_SDL2_LIBRARY_DIRS}
--  PATH_SUFFIXES x64 x86
--)
--
--if(NOT SDL2_BUILDING_LIBRARY)
--  find_library(SDL2MAIN_LIBRARY
--    NAMES SDL2main
--    HINTS
--      ${PC_SDL2_LIBDIR}
--      ${PC_SDL2_LIBRARY_DIRS}
--    PATH_SUFFIXES x64 x86
--  )
--endif()
--
--if(SDL2_INCLUDE_DIR AND EXISTS "${SDL2_INCLUDE_DIR}/SDL_version.h")
--  file(STRINGS "${SDL2_INCLUDE_DIR}/SDL_version.h" SDL2_VERSION_MAJOR_LINE REGEX "^#define[ \t]+SDL_MAJOR_VERSION[ \t]+[0-9]+$")
--  file(STRINGS "${SDL2_INCLUDE_DIR}/SDL_version.h" SDL2_VERSION_MINOR_LINE REGEX "^#define[ \t]+SDL_MINOR_VERSION[ \t]+[0-9]+$")
--  file(STRINGS "${SDL2_INCLUDE_DIR}/SDL_version.h" SDL2_VERSION_PATCH_LINE REGEX "^#define[ \t]+SDL_PATCHLEVEL[ \t]+[0-9]+$")
--  string(REGEX REPLACE "^#define[ \t]+SDL_MAJOR_VERSION[ \t]+([0-9]+)$" "\\1" SDL2_VERSION_MAJOR "${SDL2_VERSION_MAJOR_LINE}")
--  string(REGEX REPLACE "^#define[ \t]+SDL_MINOR_VERSION[ \t]+([0-9]+)$" "\\1" SDL2_VERSION_MINOR "${SDL2_VERSION_MINOR_LINE}")
--  string(REGEX REPLACE "^#define[ \t]+SDL_PATCHLEVEL[ \t]+([0-9]+)$" "\\1" SDL2_VERSION_PATCH "${SDL2_VERSION_PATCH_LINE}")
--  set(SDL2_VERSION_STRING ${SDL2_VERSION_MAJOR}.${SDL2_VERSION_MINOR}.${SDL2_VERSION_PATCH})
--  unset(SDL2_VERSION_MAJOR_LINE)
--  unset(SDL2_VERSION_MINOR_LINE)
--  unset(SDL2_VERSION_PATCH_LINE)
--  unset(SDL2_VERSION_MAJOR)
--  unset(SDL2_VERSION_MINOR)
--  unset(SDL2_VERSION_PATCH)
--endif()
--
--set(SDL2_INCLUDE_DIRS ${SDL2_INCLUDE_DIR})
--set(SDL2_LIBRARIES ${SDL2MAIN_LIBRARY} ${SDL2_LIBRARY})
--
--include(FindPackageHandleStandardArgs)
--
--find_package_handle_standard_args(SDL2
--                                  REQUIRED_VARS SDL2_INCLUDE_DIR SDL2_LIBRARY
--                                  VERSION_VAR SDL2_VERSION_STRING)
--
--mark_as_advanced(SDL2_INCLUDE_DIR SDL2_LIBRARY)
diff --git a/media-sound/milkytracker/files/milkytracker-1.0.0-docdir.patch b/media-sound/milkytracker/files/milkytracker-1.0.0-docdir.patch
deleted file mode 100644
index aeae02af2b0b..000000000000
--- a/media-sound/milkytracker/files/milkytracker-1.0.0-docdir.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 56bf091a0e8c5242e160d37f2974f3e1e2525821 Mon Sep 17 00:00:00 2001
-From: David Seifert <soap@gentoo.org>
-Date: Sun, 7 May 2017 10:49:21 +0200
-Subject: [PATCH] Use GNUInstallDirs in order to change installation paths
-
-* This allows distro-specific modification of directories
-  to adjust to different FHS layouts.
----
- CMakeLists.txt                 | 5 ++++-
- docs/CMakeLists.txt            | 2 +-
- resources/music/CMakeLists.txt | 2 +-
- src/tracker/CMakeLists.txt     | 2 +-
- 4 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 996e2f0..bac54f3 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -19,9 +19,12 @@
- #  along with MilkyTracker.  If not, see <http://www.gnu.org/licenses/>.
- #
- 
--cmake_minimum_required(VERSION 2.6)
-+cmake_minimum_required(VERSION 2.8.5)
- project(MilkyTracker)
- 
-+# Adhere to GNU filesystem layout conventions
-+include(GNUInstallDirs)
-+
- # Force SDL if requested
- option(FORCESDL "Force SDL instead of native" OFF)
- if(FORCESDL)
-diff --git a/docs/CMakeLists.txt b/docs/CMakeLists.txt
-index 0aacc60..aca4a61 100644
---- a/docs/CMakeLists.txt
-+++ b/docs/CMakeLists.txt
-@@ -35,7 +35,7 @@ elseif(WIN32)
-     set(INSTALL_DEST .)
- else()
-     list(APPEND DOCUMENTS readme_unix)
--    set(INSTALL_DEST share/doc/${PROJECT_NAME_LOWER})
-+    set(INSTALL_DEST ${CMAKE_INSTALL_DOCDIR})
- endif()
- 
- install(FILES ${DOCUMENTS} DESTINATION ${INSTALL_DEST})
-diff --git a/resources/music/CMakeLists.txt b/resources/music/CMakeLists.txt
-index f918b6e..f29fcd6 100644
---- a/resources/music/CMakeLists.txt
-+++ b/resources/music/CMakeLists.txt
-@@ -24,7 +24,7 @@ file(GLOB SONGS "*.xm")
- if(APPLE OR WIN32)
-     set(INSTALL_DEST "Example Songs")
- else()
--    set(INSTALL_DEST share/${PROJECT_NAME_LOWER}/songs)
-+    set(INSTALL_DEST ${CMAKE_INSTALL_DATADIR}/${PROJECT_NAME_LOWER}/songs)
- endif()
- 
- install(FILES ${SONGS} DESTINATION ${INSTALL_DEST})
-diff --git a/src/tracker/CMakeLists.txt b/src/tracker/CMakeLists.txt
-index 1e4062e..b7a96a7 100644
---- a/src/tracker/CMakeLists.txt
-+++ b/src/tracker/CMakeLists.txt
-@@ -399,7 +399,7 @@ target_link_libraries(
- if(APPLE OR WIN32)
-     set(INSTALL_DEST .)
- else()
--    set(INSTALL_DEST bin)
-+    set(INSTALL_DEST ${CMAKE_INSTALL_BINDIR})
- endif()
- 
- install(TARGETS ${TARGET_NAME} DESTINATION ${INSTALL_DEST})
diff --git a/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-14464.patch b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-14464.patch
new file mode 100644
index 000000000000..d59522d6d1d0
--- /dev/null
+++ b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-14464.patch
@@ -0,0 +1,26 @@
+This patch is from upstream:
+https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34
+
+commit fd607a3439fcdd0992e5efded3c16fc79c804e34
+Author: Christopher O'Neill <code@chrisoneill.co.uk>
+Date:   Tue Jul 30 19:11:58 2019 +0100
+
+    Fix #184: Heap overflow in S3M loader
+
+diff --git a/src/milkyplay/LoaderS3M.cpp b/src/milkyplay/LoaderS3M.cpp
+index 5abf211..edf0fd5 100644
+--- a/src/milkyplay/LoaderS3M.cpp
++++ b/src/milkyplay/LoaderS3M.cpp
+@@ -340,7 +340,11 @@ mp_sint32 LoaderS3M::load(XMFileBase& f, XModule* module)
+ 		return MP_OUT_OF_MEMORY;
+ 	
+ 	header->insnum = f.readWord(); // number of instruments
+-	header->patnum = f.readWord(); // number of patterns	
++	if (header->insnum > MP_MAXINS)
++		return MP_LOADER_FAILED;
++	header->patnum = f.readWord(); // number of patterns
++	if (header->patnum > 256)
++		return MP_LOADER_FAILED;
+ 	
+ 	mp_sint32 flags = f.readWord(); // st3 flags	
+ 
diff --git a/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-1449x.patch b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-1449x.patch
new file mode 100644
index 000000000000..0560cd2b825b
--- /dev/null
+++ b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2019-1449x.patch
@@ -0,0 +1,104 @@
+This patch is from upstream:
+https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
+
+commit ea7772a3fae0a9dd0a322e8fec441d15843703b7
+Author: Christopher O'Neill <code@chrisoneill.co.uk>
+Date:   Tue Jul 30 18:40:03 2019 +0100
+
+    Fixes for buffer overflow issues #182 & #183
+
+diff --git a/src/milkyplay/LoaderXM.cpp b/src/milkyplay/LoaderXM.cpp
+index 108d915..f87f5c1 100644
+--- a/src/milkyplay/LoaderXM.cpp
++++ b/src/milkyplay/LoaderXM.cpp
+@@ -63,8 +63,8 @@ const char* LoaderXM::identifyModule(const mp_ubyte* buffer)
+ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ {
+ 	mp_ubyte insData[230];		
+-	mp_sint32 smpReloc[96];
+-	mp_ubyte nbu[96];
++	mp_sint32 smpReloc[MP_MAXINSSAMPS];
++	mp_ubyte nbu[MP_MAXINSSAMPS];
+ 	mp_uint32 fileSize = 0;
+ 			
+ 	module->cleanUp();
+@@ -117,6 +117,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ 	memcpy(header->ord, hdrBuff+16, 256);
+ 	if(header->ordnum > MP_MAXORDERS)
+ 		header->ordnum = MP_MAXORDERS;
++	if(header->insnum > MP_MAXINS)
++		return MP_LOADER_FAILED;
+ 
+ 	delete[] hdrBuff;
+ 	
+@@ -143,7 +145,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ 			f.read(&instr[y].type,1,1);
+ 			mp_uword numSamples = 0;
+ 			f.readWords(&numSamples,1);
+-			if(numSamples > 96)
++			if(numSamples > MP_MAXINSSAMPS)
+ 				return MP_LOADER_FAILED;
+ 			instr[y].samp = numSamples;
+ 
+@@ -169,8 +171,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ 			if (instr[y].samp) {
+ 				mp_ubyte* insDataPtr = insData;
+ 				
+-				memcpy(nbu, insDataPtr, 96);
+-				insDataPtr+=96;
++				memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++				insDataPtr+=MP_MAXINSSAMPS;
+ 				
+ 				TEnvelope venv;
+ 				TEnvelope penv;
+@@ -285,7 +287,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ 
+ 				instr[y].samp = g;
+ 
+-				for (sc = 0; sc < 96; sc++) {
++				for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {
+ 					if (smpReloc[nbu[sc]] == -1)
+ 						instr[y].snum[sc] = -1;
+ 					else
+@@ -491,6 +493,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ 				f.read(&instr[y].type,1,1);
+ 				f.readWords(&instr[y].samp,1);
+ 			}
++			if (instr[y].samp > MP_MAXINSSAMPS)
++				return MP_LOADER_FAILED;
+ 
+ 			//printf("%i, %i\n", instr[y].size, instr[y].samp);
+ 
+@@ -532,8 +536,8 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ 				
+ 				//f.read(&nbu,1,96);
+ 				
+-				memcpy(nbu, insDataPtr, 96);
+-				insDataPtr+=96;
++				memcpy(nbu, insDataPtr, MP_MAXINSSAMPS);
++				insDataPtr+=MP_MAXINSSAMPS;
+ 				
+ 				TEnvelope venv;
+ 				TEnvelope penv;
+@@ -650,7 +654,7 @@ mp_sint32 LoaderXM::load(XMFileBase& f, XModule* module)
+ 
+ 				instr[y].samp = g;
+ 
+-				for (sc = 0; sc < 96; sc++) {					
++				for (sc = 0; sc < MP_MAXINSSAMPS; sc++) {					
+ 					if (smpReloc[nbu[sc]] == -1)
+ 						instr[y].snum[sc] = -1;
+ 					else
+diff --git a/src/milkyplay/XModule.h b/src/milkyplay/XModule.h
+index f42d04b..4f04a2d 100644
+--- a/src/milkyplay/XModule.h
++++ b/src/milkyplay/XModule.h
+@@ -40,6 +40,8 @@
+ 
+ #define MP_MAXTEXT 32
+ #define MP_MAXORDERS 256
++#define MP_MAXINS 255
++#define MP_MAXINSSAMPS 96
+ 
+ struct TXMHeader 
+ {
diff --git a/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2020-15569.patch b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2020-15569.patch
new file mode 100644
index 000000000000..59c2f9942ae6
--- /dev/null
+++ b/media-sound/milkytracker/files/milkytracker-1.02.00-CVE-2020-15569.patch
@@ -0,0 +1,35 @@
+Fix is from upstream:
+https://github.com/milkytracker/MilkyTracker/commit/7afd55c42ad80d01a339197a2d8b5461d214edaf
+
+Gentoo Bug: https://bugs.gentoo.org/711280
+
+commit 7afd55c42ad80d01a339197a2d8b5461d214edaf
+Author: Jeremy Clarke <geckojsc@gmail.com>
+Date:   Mon Apr 13 23:53:51 2020 +0100
+
+    Fix use-after-free in PlayerGeneric destructor
+
+diff --git a/src/milkyplay/PlayerGeneric.cpp b/src/milkyplay/PlayerGeneric.cpp
+index 8df2c13..59f7cba 100644
+--- a/src/milkyplay/PlayerGeneric.cpp
++++ b/src/milkyplay/PlayerGeneric.cpp
+@@ -202,15 +202,16 @@ PlayerGeneric::PlayerGeneric(mp_sint32 frequency, AudioDriverInterface* audioDri
+ 	
+ PlayerGeneric::~PlayerGeneric()
+ {
+-	if (mixer)
+-		delete mixer;
+ 
+ 	if (player)
+ 	{
+-		if (mixer->isActive() && !mixer->isDeviceRemoved(player))
++		if (mixer && mixer->isActive() && !mixer->isDeviceRemoved(player))
+ 			mixer->removeDevice(player);
+ 		delete player;
+ 	}
++	
++	if (mixer)
++		delete mixer;
+ 
+ 	delete[] audioDriverName;
+ 	
diff --git a/media-sound/milkytracker/files/milkytracker-1.02.00-fix-hard-dependency-on-rtmidi.patch b/media-sound/milkytracker/files/milkytracker-1.02.00-fix-hard-dependency-on-rtmidi.patch
new file mode 100644
index 000000000000..090e433b5fdc
--- /dev/null
+++ b/media-sound/milkytracker/files/milkytracker-1.02.00-fix-hard-dependency-on-rtmidi.patch
@@ -0,0 +1,85 @@
+From f85f5336df72dc44e407ae756ed20a8f8422cb76 Mon Sep 17 00:00:00 2001
+From: Dale Whinham <daleyo@gmail.com>
+Date: Sat, 11 Apr 2020 16:51:31 +0100
+Subject: [PATCH] Fix hard dependency on RtMidi
+
+It is perfectly reasonable for libasound to be installed, but not
+librtmidi, and so we should only enable the MIDI code if both are
+present.
+
+Fixes #207.
+---
+ src/tracker/CMakeLists.txt   |  1 +
+ src/tracker/sdl/SDL_Main.cpp | 12 ++++++------
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/tracker/CMakeLists.txt b/src/tracker/CMakeLists.txt
+index 0a935330..f4243a0f 100644
+--- a/src/tracker/CMakeLists.txt
++++ b/src/tracker/CMakeLists.txt
+@@ -348,6 +348,7 @@ elseif(WIN32)
+     target_link_libraries(tracker midi)
+ else()
+     if(ALSA_FOUND AND RTMIDI_FOUND)
++        target_compile_definitions(tracker PRIVATE -DHAVE_LIBRTMIDI)
+         target_link_libraries(tracker midi)
+     endif()
+ endif()
+diff --git a/src/tracker/sdl/SDL_Main.cpp b/src/tracker/sdl/SDL_Main.cpp
+index 1a49fc12..75ffa1df 100644
+--- a/src/tracker/sdl/SDL_Main.cpp
++++ b/src/tracker/sdl/SDL_Main.cpp
+@@ -78,7 +78,7 @@
+ #include "PPSystem_POSIX.h"
+ #include "PPPath_POSIX.h"
+ 
+-#ifdef HAVE_LIBASOUND
++#ifdef HAVE_LIBRTMIDI
+ #include "../midi/posix/MidiReceiver_pthread.h"
+ #endif
+ // --------------------------------------------------------------------------
+@@ -89,7 +89,7 @@ static SDL_TimerID			timer;
+ static PPScreen*			myTrackerScreen		= NULL;
+ static Tracker*				myTracker			= NULL;
+ static PPDisplayDevice*		myDisplayDevice		= NULL;
+-#ifdef HAVE_LIBASOUND
++#ifdef HAVE_LIBRTMIDI
+ static MidiReceiver*		myMidiReceiver		= NULL;
+ #endif
+ 
+@@ -223,7 +223,7 @@ static Uint32 SDLCALL timerCallback(Uint32 interval, void* param)
+ 	return interval;
+ }
+ 
+-#ifdef HAVE_LIBASOUND
++#ifdef HAVE_LIBRTMIDI
+ class MidiEventHandler : public MidiReceiver::MidiEventHandler
+ {
+ public:
+@@ -829,7 +829,7 @@ myDisplayDevice = new PPDisplayDeviceFB(windowSize.width, windowSize.height, sca
+ 	// Startup procedure
+ 	myTracker->startUp(noSplash);
+ 
+-#ifdef HAVE_LIBASOUND
++#ifdef HAVE_LIBRTMIDI
+ 	InitMidi();
+ #endif
+ 
+@@ -962,7 +962,7 @@ int main(int argc, char *argv[])
+ 	initTracker(defaultBPP, orientation, swapRedBlue, noSplash);
+ 	globalMutex->unlock();
+ 
+-#ifdef HAVE_LIBASOUND
++#ifdef HAVE_LIBRTMIDI
+ 	if (myMidiReceiver && recVelocity)
+ 	{
+ 		myMidiReceiver->setRecordVelocity(true);
+@@ -1036,7 +1036,7 @@ int main(int argc, char *argv[])
+ 	SDL_RemoveTimer(timer);
+ 
+ 	globalMutex->lock();
+-#ifdef HAVE_LIBASOUND
++#ifdef HAVE_LIBRTMIDI
+ 	delete myMidiReceiver;
+ #endif
+ 	delete myTracker;
diff --git a/media-sound/milkytracker/milkytracker-1.0.0.ebuild b/media-sound/milkytracker/milkytracker-1.02.00-r1.ebuild
index 3d5f9f04861d..b27c6c5260b4 100644
--- a/media-sound/milkytracker/milkytracker-1.0.0.ebuild
+++ b/media-sound/milkytracker/milkytracker-1.02.00-r1.ebuild
@@ -1,13 +1,18 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
-inherit cmake desktop
+inherit cmake desktop xdg
+
+# This commit is needed so the milkytrace binary is linked properly, bug 711564
+# It is also ~40kb so it is better to fetch it rather than ship it in-tree
+COMMIT="2b145b074581ddf3b4ad78a402cdf5fab500b125"
 
 DESCRIPTION="FastTracker 2 inspired music tracker"
 HOMEPAGE="https://milkytracker.titandemo.org/"
-SRC_URI="https://github.com/milkytracker/MilkyTracker/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+SRC_URI="https://github.com/milkytracker/MilkyTracker/archive/v${PV}.tar.gz -> ${P}.tar.gz
+	https://github.com/milkytracker/MilkyTracker/commit/${COMMIT}.patch -> ${P}-cmake.patch"
 
 LICENSE="|| ( GPL-3 MPL-1.1 ) AIFFWriter.m BSD GPL-3 GPL-3+ LGPL-2.1+ MIT"
 SLOT="0"
@@ -19,16 +24,23 @@ RDEPEND="
 	media-libs/libsdl2[X]
 	sys-libs/zlib
 	alsa? ( media-libs/alsa-lib )
-	jack? ( media-sound/jack-audio-connection-kit )"
+	jack? ( virtual/jack )"
 DEPEND="${RDEPEND}"
 
 PATCHES=(
-	"${FILESDIR}"/${P}-docdir.patch
-	"${FILESDIR}"/${P}-cmake.patch
+	"${DISTDIR}/${P}-cmake.patch"
+	"${FILESDIR}/${P}-CVE-2019-14464.patch"
+	"${FILESDIR}/${P}-CVE-2019-1449x.patch"
+	"${FILESDIR}/${P}-CVE-2020-15569.patch"
+	"${FILESDIR}/${P}-fix-hard-dependency-on-rtmidi.patch"
 )
 
 S="${WORKDIR}/MilkyTracker-${PV}"
 
+src_prepare() {
+	cmake_src_prepare
+}
+
 src_configure() {
 	local mycmakeargs=(
 		$(cmake_use_find_package alsa ALSA)