{stdenv, fetchurl
, drmSupport ? false # Digital Radio Mondiale
}:

with stdenv.lib;
stdenv.mkDerivation rec {
  pname = "faad2";
  version = "2.8.8";

  src = fetchurl {
    url = "mirror://sourceforge/faac/${pname}-${version}.tar.gz";
    sha256 = "1db37ydb6mxhshbayvirm5vz6j361bjim4nkpwjyhmy4ddfinmhl";
  };

  patches = let
    fp = { ver ? "2.8.8-3", pname, name ? (pname + ".patch"), sha256 }: fetchurl {
      url = "https://salsa.debian.org/multimedia-team/faad2/raw/debian/${ver}"
          + "/debian/patches/${pname}.patch?inline=false";
      inherit name sha256;
    };
  in [
    (fp {
      # critical bug addressed in vlc 3.0.7 (but we use system-provided faad)
      pname = "0004-Fix-a-couple-buffer-overflows";
      sha256 = "1mwycdfagz6wpda9j3cp7lf93crgacpa8rwr58p3x0i5cirnnmwq";
    })
    (fp {
      name = "CVE-2018-20362.patch";
      pname = "0009-syntax.c-check-for-syntax-element-inconsistencies";
      sha256 = "1z849l5qyvhyn5pvm6r07fa50nrn8nsqnrka2nnzgkhxlhvzpa81";
    })
    (fp {
      name = "CVE-2018-20194.patch";
      pname = "0010-sbr_hfadj-sanitize-frequency-band-borders";
      sha256 = "1b1kbz4mv0zhpq8h3djnvqafh1gn12nikk9v3jrxyryywacirah4";
    })
  ];

  configureFlags = []
    ++ optional drmSupport "--with-drm";

  meta = {
    description = "An open source MPEG-4 and MPEG-2 AAC decoder";
    homepage    = "https://www.audiocoding.com/faad2.html";
    license     = licenses.gpl2;
    maintainers = with maintainers; [ codyopel ];
    platforms   = platforms.all;
  };
}