From 1e874cd5ff44c6beecee83c216e97a4424bb1dbb Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley" <code@musicinmybrain.net>
Date: Fri, 22 Oct 2021 13:25:02 -0400
Subject: [PATCH] Security fix for CVE-2021-42715 and CVE-2021-42716

---
 1223.patch | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 stb.spec   | 26 ++++++++++++++++++++++++
 2 files changed, 85 insertions(+)
 create mode 100644 1223.patch

diff --git a/1223.patch b/1223.patch
new file mode 100644
index 0000000..b5282e1
--- /dev/null
+++ b/1223.patch
@@ -0,0 +1,59 @@
+From 8075c3442ffeadab7594e1fe3ad13344f9c9c783 Mon Sep 17 00:00:00 2001
+From: Neil Bickford <nbickford@nvidia.com>
+Date: Thu, 7 Oct 2021 13:00:32 -0700
+Subject: [PATCH] Fixes two stb_image issues that could occur with specially
+ constructed HDR and PGM files.
+
+Signed-off-by: Neil Bickford <nbickford@nvidia.com>
+---
+ stb_image.h | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index d60371b95..8518c05e7 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -108,7 +108,7 @@ RECENT REVISION HISTORY:
+     Cass Everitt            Ryamond Barbiero                        github:grim210
+     Paul Du Bois            Engin Manap        Aldo Culquicondor    github:sammyhw
+     Philipp Wiesemann       Dale Weiler        Oriol Ferrer Mesia   github:phprus
+-    Josh Tobin                                 Matthew Gregan       github:poppolopoppo
++    Josh Tobin              Neil Bickford      Matthew Gregan       github:poppolopoppo
+     Julian Raschke          Gregory Mullen     Christian Floisand   github:darealshinji
+     Baldur Karlsson         Kevin Schmidt      JR Smith             github:Michaelangel007
+                             Brad Weinberger    Matvey Cherevko      github:mosra
+@@ -7187,12 +7187,12 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
+                   // Run
+                   value = stbi__get8(s);
+                   count -= 128;
+-                  if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
++                  if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+                   for (z = 0; z < count; ++z)
+                      scanline[i++ * 4 + k] = value;
+                } else {
+                   // Dump
+-                  if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
++                  if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+                   for (z = 0; z < count; ++z)
+                      scanline[i++ * 4 + k] = stbi__get8(s);
+                }
+@@ -7446,10 +7446,17 @@ static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req
+ 
+    out = (stbi_uc *) stbi__malloc_mad4(s->img_n, s->img_x, s->img_y, ri->bits_per_channel / 8, 0);
+    if (!out) return stbi__errpuc("outofmem", "Out of memory");
+-   stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8));
++   if (!stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8))) {
++      STBI_FREE(out);
++      return stbi__errpuc("bad PNM", "PNM file truncated");
++   }
+ 
+    if (req_comp && req_comp != s->img_n) {
+-      out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
++      if (ri->bits_per_channel == 16) {
++         out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, s->img_n, req_comp, s->img_x, s->img_y);
++      } else {
++         out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
++      }
+       if (out == NULL) return out; // stbi__convert_format frees input on failure
+    }
+    return out;
diff --git a/stb.spec b/stb.spec
index 424583f..9099076 100644
--- a/stb.spec
+++ b/stb.spec
@@ -54,6 +54,32 @@ Patch3:         %{forgeurl}/pull/1198.patch
 # https://github.com/nothings/stb/pull/1198
 Patch4:         %{forgeurl}/pull/1204.patch
 
+# Candidate fix for:
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42715
+#
+# In stb_image's HDR reader, loading a specially constructed invalid HDR file
+# can result in an infinite loop within the RLE decoder
+# https://github.com/nothings/stb/issues/1224
+#
+# ----
+#
+# Additionally, this is a candidate fix for:
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42716
+#
+# stbi__pnm_load heap-buffer-overflow bug
+# https://github.com/nothings/stb/issues/1166
+#
+# In stb_image's PNM reader, loading a specially constructed valid 16-bit PGM
+# file with 4 channels can cause a crash due to an out-of-bounds read
+# https://github.com/nothings/stb/issues/1225
+#
+# ----
+#
+# Fixes a crash and an infinite loop in stb_image that could occur with
+# specially constructed PGM and HDR files
+# https://github.com/nothings/stb/pull/1223
+Patch5:         %{forgeurl}/pull/1223.patch
+
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94