Security fix for CVE-2021-42715 and CVE-2021-42716

2021-10-22 13:25:02 -04:00 · 2021-10-22 13:25:02 -04:00 · f2af82288c
commit f2af82288c
parent a96234d6bd
2 changed files with 89 additions and 1 deletions
--- a/1223.patch
+++ b/1223.patch
@ -0,0 +1,59 @@
+From 8075c3442ffeadab7594e1fe3ad13344f9c9c783 Mon Sep 17 00:00:00 2001
+From: Neil Bickford <nbickford@nvidia.com>
+Date: Thu, 7 Oct 2021 13:00:32 -0700
+Subject: [PATCH] Fixes two stb_image issues that could occur with specially
+ constructed HDR and PGM files.
+
+Signed-off-by: Neil Bickford <nbickford@nvidia.com>
+---
+ stb_image.h | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index d60371b95..8518c05e7 100644
+--- a/stb_image.h
+++ b/stb_image.h
+@@ -108,7 +108,7 @@ RECENT REVISION HISTORY:
+     Cass Everitt            Ryamond Barbiero                        github:grim210
+     Paul Du Bois            Engin Manap        Aldo Culquicondor    github:sammyhw
+     Philipp Wiesemann       Dale Weiler        Oriol Ferrer Mesia   github:phprus
+-    Josh Tobin                                 Matthew Gregan       github:poppolopoppo
+    Josh Tobin              Neil Bickford      Matthew Gregan       github:poppolopoppo
+     Julian Raschke          Gregory Mullen     Christian Floisand   github:darealshinji
+     Baldur Karlsson         Kevin Schmidt      JR Smith             github:Michaelangel007
+                             Brad Weinberger    Matvey Cherevko      github:mosra
+@@ -7187,12 +7187,12 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
+                   // Run
+                   value = stbi__get8(s);
+                   count -= 128;
+-                  if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+                  if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+                   for (z = 0; z < count; ++z)
+                      scanline[i++ * 4 + k] = value;
+                } else {
+                   // Dump
+-                  if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+                  if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+                   for (z = 0; z < count; ++z)
+                      scanline[i++ * 4 + k] = stbi__get8(s);
+                }
+@@ -7446,10 +7446,17 @@ static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req
+ 
+    out = (stbi_uc *) stbi__malloc_mad4(s->img_n, s->img_x, s->img_y, ri->bits_per_channel / 8, 0);
+    if (!out) return stbi__errpuc("outofmem", "Out of memory");
+-   stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8));
+   if (!stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8))) {
+      STBI_FREE(out);
+      return stbi__errpuc("bad PNM", "PNM file truncated");
+   }
+ 
+    if (req_comp && req_comp != s->img_n) {
+-      out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
+      if (ri->bits_per_channel == 16) {
+         out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, s->img_n, req_comp, s->img_x, s->img_y);
+      } else {
+         out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
+      }
+       if (out == NULL) return out; // stbi__convert_format frees input on failure
+    }
+    return out;
--- a/stb.spec
+++ b/stb.spec
@ -21,7 +21,7 @@ Name:           stb
 #   https://github.com/nothings/stb/issues/1101
 Version:        0
 %forgemeta
-Release:        0.6%{?dist}
+Release:        0.7%{?dist}
 Summary:        Single-file public domain libraries for C/C++

 # See LICENSE.
@ -55,6 +55,32 @@ Patch3:         %{forgeurl}/pull/1198.patch
 # https://github.com/nothings/stb/pull/1198
 Patch4:         %{forgeurl}/pull/1204.patch

+# Candidate fix for:
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42715
+#
+# In stb_image's HDR reader, loading a specially constructed invalid HDR file
+# can result in an infinite loop within the RLE decoder
+# https://github.com/nothings/stb/issues/1224
+#
+# ----
+#
+# Additionally, this is a candidate fix for:
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42716
+#
+# stbi__pnm_load heap-buffer-overflow bug
+# https://github.com/nothings/stb/issues/1166
+#
+# In stb_image's PNM reader, loading a specially constructed valid 16-bit PGM
+# file with 4 channels can cause a crash due to an out-of-bounds read
+# https://github.com/nothings/stb/issues/1225
+#
+# ----
+#
+# Fixes a crash and an infinite loop in stb_image that could occur with
+# specially constructed PGM and HDR files
+# https://github.com/nothings/stb/pull/1223
+Patch5:         %{forgeurl}/pull/1223.patch
+
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94
@ -794,6 +820,9 @@ EOF


 %changelog
+* Fri Oct 22 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.7
+- Security fix for CVE-2021-42715 and CVE-2021-42716
+
 * Fri Oct 22 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.6
 - Update to af1a5bc: only issue templates are affected; packaged files should
  be identical.