rpms
/
stb
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Security fix for CVE-2021-42715 and CVE-2021-42716

This commit is contained in:
Benjamin A. Beasley 2021-10-22 13:25:02 -04:00
parent 75c599bb9c
commit 1e874cd5ff
2 changed files with 85 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
1223.patch Normal file
View File

@ -0,0 +1,59 @@
From 8075c3442ffeadab7594e1fe3ad13344f9c9c783 Mon Sep 17 00:00:00 2001
From: Neil Bickford <nbickford@nvidia.com>
Date: Thu, 7 Oct 2021 13:00:32 -0700
Subject: [PATCH] Fixes two stb_image issues that could occur with specially
constructed HDR and PGM files.
Signed-off-by: Neil Bickford <nbickford@nvidia.com>
---
stb_image.h | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/stb_image.h b/stb_image.h
index d60371b95..8518c05e7 100644
--- a/stb_image.h
+++ b/stb_image.h
@@ -108,7 +108,7 @@ RECENT REVISION HISTORY:
Cass Everitt Ryamond Barbiero github:grim210
Paul Du Bois Engin Manap Aldo Culquicondor github:sammyhw
Philipp Wiesemann Dale Weiler Oriol Ferrer Mesia github:phprus
- Josh Tobin Matthew Gregan github:poppolopoppo
+ Josh Tobin Neil Bickford Matthew Gregan github:poppolopoppo
Julian Raschke Gregory Mullen Christian Floisand github:darealshinji
Baldur Karlsson Kevin Schmidt JR Smith github:Michaelangel007
Brad Weinberger Matvey Cherevko github:mosra
@@ -7187,12 +7187,12 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
// Run
value = stbi__get8(s);
count -= 128;
- if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+ if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
for (z = 0; z < count; ++z)
scanline[i++ * 4 + k] = value;
} else {
// Dump
- if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+ if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
for (z = 0; z < count; ++z)
scanline[i++ * 4 + k] = stbi__get8(s);
}
@@ -7446,10 +7446,17 @@ static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req
out = (stbi_uc *) stbi__malloc_mad4(s->img_n, s->img_x, s->img_y, ri->bits_per_channel / 8, 0);
if (!out) return stbi__errpuc("outofmem", "Out of memory");
- stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8));
+ if (!stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8))) {
+ STBI_FREE(out);
+ return stbi__errpuc("bad PNM", "PNM file truncated");
+ }
if (req_comp && req_comp != s->img_n) {
- out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
+ if (ri->bits_per_channel == 16) {
+ out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, s->img_n, req_comp, s->img_x, s->img_y);
+ } else {
+ out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
+ }
if (out == NULL) return out; // stbi__convert_format frees input on failure
}
return out;

26
stb.spec
View File

@ -54,6 +54,32 @@ Patch3: %{forgeurl}/pull/1198.patch
# https://github.com/nothings/stb/pull/1198
Patch4: %{forgeurl}/pull/1204.patch
# Candidate fix for:
# https://nvd.nist.gov/vuln/detail/CVE-2021-42715
#
# In stb_image's HDR reader, loading a specially constructed invalid HDR file
# can result in an infinite loop within the RLE decoder
# https://github.com/nothings/stb/issues/1224
#
# ----
#
# Additionally, this is a candidate fix for:
# https://nvd.nist.gov/vuln/detail/CVE-2021-42716
#
# stbi__pnm_load heap-buffer-overflow bug
# https://github.com/nothings/stb/issues/1166
#
# In stb_image's PNM reader, loading a specially constructed valid 16-bit PGM
# file with 4 channels can cause a crash due to an out-of-bounds read
# https://github.com/nothings/stb/issues/1225
#
# ----
#
# Fixes a crash and an infinite loop in stb_image that could occur with
# specially constructed PGM and HDR files
# https://github.com/nothings/stb/pull/1223
Patch5: %{forgeurl}/pull/1223.patch
%global stb_c_lexer_version 0.12
%global stb_connected_components_version 0.96
%global stb_divide_version 0.94