Security fix for CVE-2021-42715 and CVE-2021-42716
This commit is contained in:
parent
75c599bb9c
commit
1e874cd5ff
59
1223.patch
Normal file
59
1223.patch
Normal file
@ -0,0 +1,59 @@
|
||||
From 8075c3442ffeadab7594e1fe3ad13344f9c9c783 Mon Sep 17 00:00:00 2001
|
||||
From: Neil Bickford <nbickford@nvidia.com>
|
||||
Date: Thu, 7 Oct 2021 13:00:32 -0700
|
||||
Subject: [PATCH] Fixes two stb_image issues that could occur with specially
|
||||
constructed HDR and PGM files.
|
||||
|
||||
Signed-off-by: Neil Bickford <nbickford@nvidia.com>
|
||||
---
|
||||
stb_image.h | 17 ++++++++++++-----
|
||||
1 file changed, 12 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/stb_image.h b/stb_image.h
|
||||
index d60371b95..8518c05e7 100644
|
||||
--- a/stb_image.h
|
||||
+++ b/stb_image.h
|
||||
@@ -108,7 +108,7 @@ RECENT REVISION HISTORY:
|
||||
Cass Everitt Ryamond Barbiero github:grim210
|
||||
Paul Du Bois Engin Manap Aldo Culquicondor github:sammyhw
|
||||
Philipp Wiesemann Dale Weiler Oriol Ferrer Mesia github:phprus
|
||||
- Josh Tobin Matthew Gregan github:poppolopoppo
|
||||
+ Josh Tobin Neil Bickford Matthew Gregan github:poppolopoppo
|
||||
Julian Raschke Gregory Mullen Christian Floisand github:darealshinji
|
||||
Baldur Karlsson Kevin Schmidt JR Smith github:Michaelangel007
|
||||
Brad Weinberger Matvey Cherevko github:mosra
|
||||
@@ -7187,12 +7187,12 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
|
||||
// Run
|
||||
value = stbi__get8(s);
|
||||
count -= 128;
|
||||
- if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
|
||||
+ if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
|
||||
for (z = 0; z < count; ++z)
|
||||
scanline[i++ * 4 + k] = value;
|
||||
} else {
|
||||
// Dump
|
||||
- if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
|
||||
+ if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
|
||||
for (z = 0; z < count; ++z)
|
||||
scanline[i++ * 4 + k] = stbi__get8(s);
|
||||
}
|
||||
@@ -7446,10 +7446,17 @@ static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req
|
||||
|
||||
out = (stbi_uc *) stbi__malloc_mad4(s->img_n, s->img_x, s->img_y, ri->bits_per_channel / 8, 0);
|
||||
if (!out) return stbi__errpuc("outofmem", "Out of memory");
|
||||
- stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8));
|
||||
+ if (!stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8))) {
|
||||
+ STBI_FREE(out);
|
||||
+ return stbi__errpuc("bad PNM", "PNM file truncated");
|
||||
+ }
|
||||
|
||||
if (req_comp && req_comp != s->img_n) {
|
||||
- out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
|
||||
+ if (ri->bits_per_channel == 16) {
|
||||
+ out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, s->img_n, req_comp, s->img_x, s->img_y);
|
||||
+ } else {
|
||||
+ out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
|
||||
+ }
|
||||
if (out == NULL) return out; // stbi__convert_format frees input on failure
|
||||
}
|
||||
return out;
|
26
stb.spec
26
stb.spec
@ -54,6 +54,32 @@ Patch3: %{forgeurl}/pull/1198.patch
|
||||
# https://github.com/nothings/stb/pull/1198
|
||||
Patch4: %{forgeurl}/pull/1204.patch
|
||||
|
||||
# Candidate fix for:
|
||||
# https://nvd.nist.gov/vuln/detail/CVE-2021-42715
|
||||
#
|
||||
# In stb_image's HDR reader, loading a specially constructed invalid HDR file
|
||||
# can result in an infinite loop within the RLE decoder
|
||||
# https://github.com/nothings/stb/issues/1224
|
||||
#
|
||||
# ----
|
||||
#
|
||||
# Additionally, this is a candidate fix for:
|
||||
# https://nvd.nist.gov/vuln/detail/CVE-2021-42716
|
||||
#
|
||||
# stbi__pnm_load heap-buffer-overflow bug
|
||||
# https://github.com/nothings/stb/issues/1166
|
||||
#
|
||||
# In stb_image's PNM reader, loading a specially constructed valid 16-bit PGM
|
||||
# file with 4 channels can cause a crash due to an out-of-bounds read
|
||||
# https://github.com/nothings/stb/issues/1225
|
||||
#
|
||||
# ----
|
||||
#
|
||||
# Fixes a crash and an infinite loop in stb_image that could occur with
|
||||
# specially constructed PGM and HDR files
|
||||
# https://github.com/nothings/stb/pull/1223
|
||||
Patch5: %{forgeurl}/pull/1223.patch
|
||||
|
||||
%global stb_c_lexer_version 0.12
|
||||
%global stb_connected_components_version 0.96
|
||||
%global stb_divide_version 0.94
|
||||
|
Loading…
Reference in New Issue
Block a user