From f2af82288cc076d9213cd4854c660d89a300d818 Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Fri, 22 Oct 2021 13:25:02 -0400
Subject: [PATCH] Security fix for CVE-2021-42715 and CVE-2021-42716
---
 1223.patch | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 stb.spec | 31 +++++++++++++++++++++++++++-
 2 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 1223.patch
diff --git a/1223.patch b/1223.patch
new file mode 100644
index 0000000..b5282e1
--- /dev/null
+++ b/1223.patch
@@ -0,0 +1,59 @@
+From 8075c3442ffeadab7594e1fe3ad13344f9c9c783 Mon Sep 17 00:00:00 2001
+From: Neil Bickford
+Date: Thu, 7 Oct 2021 13:00:32 -0700
+Subject: [PATCH] Fixes two stb_image issues that could occur with specially
+ constructed HDR and PGM files.
+
+Signed-off-by: Neil Bickford
+---
+ stb_image.h | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index d60371b95..8518c05e7 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -108,7 +108,7 @@ RECENT REVISION HISTORY:
+ Cass Everitt Ryamond Barbiero github:grim210
+ Paul Du Bois Engin Manap Aldo Culquicondor github:sammyhw
+ Philipp Wiesemann Dale Weiler Oriol Ferrer Mesia github:phprus
+- Josh Tobin Matthew Gregan github:poppolopoppo
++ Josh Tobin Neil Bickford Matthew Gregan github:poppolopoppo
+ Julian Raschke Gregory Mullen Christian Floisand github:darealshinji
+ Baldur Karlsson Kevin Schmidt JR Smith github:Michaelangel007
+ Brad Weinberger Matvey Cherevko github:mosra
+@@ -7187,12 +7187,12 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
+ // Run
+ value = stbi__get8(s);
+ count -= 128;
+- if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
++ if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+ for (z = 0; z < count; ++z)
+ scanline[i++ * 4 + k] = value;
+ } else {
+ // Dump
+- if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
++ if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+ for (z = 0; z < count; ++z)
+ scanline[i++ * 4 + k] = stbi__get8(s);
+ }
+@@ -7446,10 +7446,17 @@ static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req
+
+ out = (stbi_uc *) stbi__malloc_mad4(s->img_n, s->img_x, s->img_y, ri->bits_per_channel / 8, 0);
+ if (!out) return stbi__errpuc("outofmem", "Out of memory");
+- stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8));
++ if (!stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8))) {
++ STBI_FREE(out);
++ return stbi__errpuc("bad PNM", "PNM file truncated");
++ }
+
+ if (req_comp && req_comp != s->img_n) {
+- out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
++ if (ri->bits_per_channel == 16) {
++ out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, s->img_n, req_comp, s->img_x, s->img_y);
++ } else {
++ out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
++ }
+ if (out == NULL) return out; // stbi__convert_format frees input on failure
+ }
+ return out;
diff --git a/stb.spec b/stb.spec
index 1826d33..513df21 100644
--- a/stb.spec
+++ b/stb.spec
@@ -21,7 +21,7 @@ Name: stb
 # https://github.com/nothings/stb/issues/1101
 Version: 0
 %forgemeta
-Release: 0.6%{?dist}
+Release: 0.7%{?dist}
 Summary: Single-file public domain libraries for C/C++
 # See LICENSE.
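Review bot: The new `count == 0` guards in the two stbi__hdr_load branches carry no comment saying why an empty run or dump is now rejected, so a later reader may take it for mere format strictness and relax it; suggest `// a zero-length run/dump never advances i, so without this check the decode loop cannot terminate` above the first guard, with the wording checked against the enclosing loop, which lies outside this hunk. In the stbi__pnm_load hunk the trailing `// stbi__convert_format frees input on failure` now also sits below the new `stbi__convert_format16` branch; if that helper has the same ownership contract (not visible here), widen it to `// either converter frees the input on failure` so the early return stays obviously leak-free. The `STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf(...)` cleanup is repeated verbatim on both touched lines; since both are being rewritten anyway, a single cleanup label would keep the two guards from drifting apart in future edits.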
@@ -55,6 +55,32 @@ Patch3: %{forgeurl}/pull/1198.patch
 # https://github.com/nothings/stb/pull/1198
 Patch4: %{forgeurl}/pull/1204.patch
+# Candidate fix for:
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42715
+#
+# In stb_image's HDR reader, loading a specially constructed invalid HDR file
+# can result in an infinite loop within the RLE decoder
+# https://github.com/nothings/stb/issues/1224
+#
+# ----
+#
+# Additionally, this is a candidate fix for:
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42716
+#
+# stbi__pnm_load heap-buffer-overflow bug
+# https://github.com/nothings/stb/issues/1166
+#
+# In stb_image's PNM reader, loading a specially constructed valid 16-bit PGM
+# file with 4 channels can cause a crash due to an out-of-bounds read
+# https://github.com/nothings/stb/issues/1225
+#
+# ----
+#
+# Fixes a crash and an infinite loop in stb_image that could occur with
+# specially constructed PGM and HDR files
+# https://github.com/nothings/stb/pull/1223
+Patch5: %{forgeurl}/pull/1223.patch
+
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94
@@ -794,6 +820,9 @@ EOF
 %changelog
+* Fri Oct 22 2021 Benjamin A. Beasley - 0-0.7
+- Security fix for CVE-2021-42715 and CVE-2021-42716
+
 * Fri Oct 22 2021 Benjamin A. Beasley - 0-0.6
 - Update to af1a5bc: only issue templates are affected; packaged files should be identical.
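Review bot: The comment block above `Patch5` cites the NVD entries, the issues and the PR, but not the upstream commit that the checked-in 1223.patch actually carries, while a `%{forgeurl}/pull/1223.patch` URL is a moving target that changes if the PR is rebased or amended. Recording the id from the patch's own header next to the PR link, `# Upstream commit 8075c3442ffeadab7594e1fe3ad13344f9c9c783`, lets a later maintainer re-verify that the vendored copy still matches what upstream merged. The hunk otherwise follows the existing Patch3/Patch4 layout; the "Candidate fix" wording is appropriate since the PR had not yet been recorded as merged at the time of this commit.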