Security fix for CVE-2021-42715 and CVE-2021-42716

2021-10-22 13:25:02 -04:00 · 2021-10-22 13:25:02 -04:00 · 1e874cd5ff
commit 1e874cd5ff
parent 75c599bb9c
2 changed files with 85 additions and 0 deletions
--- a/1223.patch
+++ b/1223.patch
@ -0,0 +1,59 @@
 From 8075c3442ffeadab7594e1fe3ad13344f9c9c783 Mon Sep 17 00:00:00 2001
 From: Neil Bickford <nbickford@nvidia.com>
 Date: Thu, 7 Oct 2021 13:00:32 -0700
 Subject: [PATCH] Fixes two stb_image issues that could occur with specially
 constructed HDR and PGM files.
 Signed-off-by: Neil Bickford <nbickford@nvidia.com>
 ---
 stb_image.h | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
 diff --git a/stb_image.h b/stb_image.h
 index d60371b95..8518c05e7 100644
 --- a/stb_image.h
 +++ b/stb_image.h
@@ -108,7 +108,7 @@ RECENT REVISION HISTORY:
     Cass Everitt            Ryamond Barbiero                        github:grim210
     Paul Du Bois            Engin Manap        Aldo Culquicondor    github:sammyhw
     Philipp Wiesemann       Dale Weiler        Oriol Ferrer Mesia   github:phprus
 -    Josh Tobin                                 Matthew Gregan       github:poppolopoppo
 +    Josh Tobin              Neil Bickford      Matthew Gregan       github:poppolopoppo
     Julian Raschke          Gregory Mullen     Christian Floisand   github:darealshinji
     Baldur Karlsson         Kevin Schmidt      JR Smith             github:Michaelangel007
                             Brad Weinberger    Matvey Cherevko      github:mosra
@@ -7187,12 +7187,12 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
                   // Run
                   value = stbi__get8(s);
                   count -= 128;
 -                  if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
 +                  if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
                   for (z = 0; z < count; ++z)
                      scanline[i++ * 4 + k] = value;
                } else {
                   // Dump
 -                  if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
 +                  if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
                   for (z = 0; z < count; ++z)
                      scanline[i++ * 4 + k] = stbi__get8(s);
                }
@@ -7446,10 +7446,17 @@ static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req
    out = (stbi_uc *) stbi__malloc_mad4(s->img_n, s->img_x, s->img_y, ri->bits_per_channel / 8, 0);
    if (!out) return stbi__errpuc("outofmem", "Out of memory");
 -   stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8));
 +   if (!stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8))) {
 +      STBI_FREE(out);
 +      return stbi__errpuc("bad PNM", "PNM file truncated");
 +   }
    if (req_comp && req_comp != s->img_n) {
 -      out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
 +      if (ri->bits_per_channel == 16) {
 +         out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, s->img_n, req_comp, s->img_x, s->img_y);
 +      } else {
 +         out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
 +      }
       if (out == NULL) return out; // stbi__convert_format frees input on failure
    }
    return out;
--- a/stb.spec
+++ b/stb.spec
@ -54,6 +54,32 @@ Patch3:         %{forgeurl}/pull/1198.patch
 # https://github.com/nothings/stb/pull/1198
 Patch4:         %{forgeurl}/pull/1204.patch
 # Candidate fix for:
 # https://nvd.nist.gov/vuln/detail/CVE-2021-42715
 #
 # In stb_image's HDR reader, loading a specially constructed invalid HDR file
 # can result in an infinite loop within the RLE decoder
 # https://github.com/nothings/stb/issues/1224
 #
 # ----
 #
 # Additionally, this is a candidate fix for:
 # https://nvd.nist.gov/vuln/detail/CVE-2021-42716
 #
 # stbi__pnm_load heap-buffer-overflow bug
 # https://github.com/nothings/stb/issues/1166
 #
 # In stb_image's PNM reader, loading a specially constructed valid 16-bit PGM
 # file with 4 channels can cause a crash due to an out-of-bounds read
 # https://github.com/nothings/stb/issues/1225
 #
 # ----
 #
 # Fixes a crash and an infinite loop in stb_image that could occur with
 # specially constructed PGM and HDR files
 # https://github.com/nothings/stb/pull/1223
 Patch5:         %{forgeurl}/pull/1223.patch
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94