Fix Version/Provides for reintroduced stb_perlin-devel

- The stb_perlin-devel subpackage has been restored, as upstream
  believes all relevant patents are now expired.

.gitignore

@@ -1 +1,4 @@
 /stb-3a1174060a7dd4eb652d4e6854bc4cd98c159200.tar.gz
+/stb-c0c982601f40183e74d84a61237e968dca08380e.tar.gz
+/stb-af1a5bc352164740c1cc1354942b1c6b72eacb8a.tar.gz
+/stb-8b5f1f37b5b75829fc72d38e7b5d4bcbf8a26d55.tar.gz

1198.patch

@@ -0,0 +1,24 @@
+From f9a5eaee846f1a19fbcda2f5adb5238a94cbbc2f Mon Sep 17 00:00:00 2001
+From: "Benjamin A. Beasley" <code@musicinmybrain.net>
+Date: Tue, 24 Aug 2021 11:45:48 -0400
+Subject: [PATCH] Fix signature of dummy realloc() for STB_VORBIS_NO_CRT
+
+---
+ stb_vorbis.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/stb_vorbis.c b/stb_vorbis.c
+index 3e5c2504c..c1703426e 100644
+--- a/stb_vorbis.c
++++ b/stb_vorbis.c
+@@ -594,8 +594,8 @@ enum STBVorbisError
+ #else // STB_VORBIS_NO_CRT
+    #define NULL 0
+    #define malloc(s)   0
+-   #define free(s)     ((void) 0)
+-   #define realloc(s)  0
++   #define free(p)     ((void) 0)
++   #define realloc(p, s)  0
+ #endif // STB_VORBIS_NO_CRT
+ 
+ #include <limits.h>

1223.patch

@@ -0,0 +1,59 @@
+From 8075c3442ffeadab7594e1fe3ad13344f9c9c783 Mon Sep 17 00:00:00 2001
+From: Neil Bickford <nbickford@nvidia.com>
+Date: Thu, 7 Oct 2021 13:00:32 -0700
+Subject: [PATCH] Fixes two stb_image issues that could occur with specially
+ constructed HDR and PGM files.
+
+Signed-off-by: Neil Bickford <nbickford@nvidia.com>
+---
+ stb_image.h | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index d60371b95..8518c05e7 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -108,7 +108,7 @@ RECENT REVISION HISTORY:
+     Cass Everitt            Ryamond Barbiero                        github:grim210
+     Paul Du Bois            Engin Manap        Aldo Culquicondor    github:sammyhw
+     Philipp Wiesemann       Dale Weiler        Oriol Ferrer Mesia   github:phprus
+-    Josh Tobin                                 Matthew Gregan       github:poppolopoppo
++    Josh Tobin              Neil Bickford      Matthew Gregan       github:poppolopoppo
+     Julian Raschke          Gregory Mullen     Christian Floisand   github:darealshinji
+     Baldur Karlsson         Kevin Schmidt      JR Smith             github:Michaelangel007
+                             Brad Weinberger    Matvey Cherevko      github:mosra
+@@ -7187,12 +7187,12 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
+                   // Run
+                   value = stbi__get8(s);
+                   count -= 128;
+-                  if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
++                  if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+                   for (z = 0; z < count; ++z)
+                      scanline[i++ * 4 + k] = value;
+                } else {
+                   // Dump
+-                  if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
++                  if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
+                   for (z = 0; z < count; ++z)
+                      scanline[i++ * 4 + k] = stbi__get8(s);
+                }
+@@ -7446,10 +7446,17 @@ static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req
+ 
+    out = (stbi_uc *) stbi__malloc_mad4(s->img_n, s->img_x, s->img_y, ri->bits_per_channel / 8, 0);
+    if (!out) return stbi__errpuc("outofmem", "Out of memory");
+-   stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8));
++   if (!stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8))) {
++      STBI_FREE(out);
++      return stbi__errpuc("bad PNM", "PNM file truncated");
++   }
+ 
+    if (req_comp && req_comp != s->img_n) {
+-      out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
++      if (ri->bits_per_channel == 16) {
++         out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, s->img_n, req_comp, s->img_x, s->img_y);
++      } else {
++         out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
++      }
+       if (out == NULL) return out; // stbi__convert_format frees input on failure
+    }
+    return out;

1236.patch

@@ -0,0 +1,37 @@
+From 5cf3af3181f7a0fb8d59ca5fe8daa011c1918d19 Mon Sep 17 00:00:00 2001
+From: Ryan Wiedemann <Ryan1729@gmail.com>
+Date: Mon, 25 Oct 2021 22:11:48 -0600
+Subject: [PATCH] Predeclare stbhw__process struct to fix warnings
+
+A subset of the warnings as produced by `clang`.
+```
+./../stb_herringbone_wang_tile.h:369:41: warning: declaration of 'struct stbhw__process' will not be visible outside of this function [-Wvisibility]
+typedef void stbhw__process_rect(struct stbhw__process *p, int xpos, int ypos,
+                                        ^
+./../stb_herringbone_wang_tile.h:401:43: warning: incompatible pointer types passing 'stbhw__process *' (aka 'struct stbhw__process *') to parameter of type 'struct stbhw__process *' [-Wincompatible-pointer-types]
+                        p->process_h_rect(p, xpos, ypos, a,b,c,d,e,f);
+                                          ^
+./../stb_herringbone_wang_tile.h:425:43: warning: incompatible pointer types passing 'stbhw__process *' (aka 'struct stbhw__process *') to parameter of type 'struct stbhw__process *' [-Wincompatible-pointer-types]
+                        p->process_v_rect(p, xpos, ypos, a,b,c,d,e,f);
+                                          ^
+./../stb_herringbone_wang_tile.h:929:21: warning: incompatible pointer types assigning to 'stbhw__process_rect *' (aka 'void (*)(struct stbhw__process *, int, int, int, int, int, int, int, int)') from 'void (stbhw__process *, int, int, int, int, int, int, int, int)' (aka 'void (struct stbhw__process *, int, int, int, int, int, int, int, int)') [-Wincompatible-pointer-types]
+   p.process_h_rect = stbhw__parse_h_rect;
+                    ^ ~~~~~~~~~~~~~~~~~~~
+```
+---
+ stb_herringbone_wang_tile.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/stb_herringbone_wang_tile.h b/stb_herringbone_wang_tile.h
+index 5517941f7a..92c238bb24 100644
+--- a/stb_herringbone_wang_tile.h
++++ b/stb_herringbone_wang_tile.h
+@@ -366,6 +366,8 @@ STBHW_EXTERN const char *stbhw_get_last_error(void)
+ //  need to try to do more sophisticated parsing of edge color
+ //  markup or something.
+ 
++struct stbhw__process;
++
+ typedef void stbhw__process_rect(struct stbhw__process *p, int xpos, int ypos,
+                                  int a, int b, int c, int d, int e, int f);
+ 

1297.patch

@@ -0,0 +1,244 @@
+From fa43122a169eb79ced5789f2f261cee7fd4db221 Mon Sep 17 00:00:00 2001
+From: Neil Bickford <nbickford@nvidia.com>
+Date: Tue, 22 Feb 2022 23:48:42 -0800
+Subject: [PATCH 1/4] Add checks for PNM integer read overflows, add a 1GB
+ limit on IDAT chunk sizes to fix an OOM issue, and check for a situation
+ where a sequence of bad Huffman code reads could result in a left shift by a
+ negative number.
+
+---
+ stb_image.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/stb_image.h b/stb_image.h
+index d60371b95..6321f5e02 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -2283,6 +2283,7 @@ static int stbi__jpeg_decode_block_prog_ac(stbi__jpeg *j, short data[64], stbi__
+             k += (r >> 4) & 15; // run
+             s = r & 15; // combined length
+             j->code_buffer <<= s;
++            if (s > j->code_bits) return stbi__err("bad huffman code","Combined length longer than code bits available");
+             j->code_bits -= s;
+             zig = stbi__jpeg_dezigzag[k++];
+             data[zig] = (short) ((r >> 8) * (1 << shift));
+@@ -5116,6 +5117,7 @@ static int stbi__parse_png_file(stbi__png *z, int scan, int req_comp)
+             if (first) return stbi__err("first not IHDR", "Corrupt PNG");
+             if (pal_img_n && !pal_len) return stbi__err("no PLTE","Corrupt PNG");
+             if (scan == STBI__SCAN_header) { s->img_n = pal_img_n; return 1; }
++            if (c.length > (1u << 30)) return stbi__err("IDAT size limit", "IDAT section larger than 2^30 bytes");
+             if ((int)(ioff + c.length) < (int)ioff) return 0;
+             if (ioff + c.length > idata_limit) {
+                stbi__uint32 idata_limit_old = idata_limit;
+@@ -7486,6 +7488,8 @@ static int      stbi__pnm_getinteger(stbi__context *s, char *c)
+    while (!stbi__at_eof(s) && stbi__pnm_isdigit(*c)) {
+       value = value*10 + (*c - '0');
+       *c = (char) stbi__get8(s);
++      if((value > 214748364) || (value == 214748364 && *c > '7'))
++          return stbi__err("integer parse overflow", "Parsing an integer in the PPM header overflowed a 32-bit int");
+    }
+ 
+    return value;
+@@ -7516,9 +7520,13 @@ static int      stbi__pnm_info(stbi__context *s, int *x, int *y, int *comp)
+    stbi__pnm_skip_whitespace(s, &c);
+ 
+    *x = stbi__pnm_getinteger(s, &c); // read width
++   if(*x == 0)
++       return stbi__err("invalid width", "PPM image header had zero or overflowing width");
+    stbi__pnm_skip_whitespace(s, &c);
+ 
+    *y = stbi__pnm_getinteger(s, &c); // read height
++   if (*y == 0)
++       return stbi__err("invalid width", "PPM image header had zero or overflowing width");
+    stbi__pnm_skip_whitespace(s, &c);
+ 
+    maxv = stbi__pnm_getinteger(s, &c);  // read max value
+
+From 83739b31eeddaaf683948051661ece39af6795cd Mon Sep 17 00:00:00 2001
+From: Neil Bickford <nbickford@nvidia.com>
+Date: Wed, 23 Feb 2022 00:53:34 -0800
+Subject: [PATCH 2/4] Add range checks to fix a few crash issues in stb_image
+ issues 1289 and 1291
+
+---
+ stb_image.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 6321f5e02..800c83db3 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -1985,9 +1985,12 @@ static int stbi__build_huffman(stbi__huffman *h, int *count)
+    int i,j,k=0;
+    unsigned int code;
+    // build size list for each symbol (from JPEG spec)
+-   for (i=0; i < 16; ++i)
+-      for (j=0; j < count[i]; ++j)
++   for (i=0; i < 16; ++i) {
++      for (j=0; j < count[i]; ++j) {
+          h->size[k++] = (stbi_uc) (i+1);
++         if(k >= 257) return stbi__err("bad size list","Corrupt JPEG");
++      }
++   }
+    h->size[k] = 0;
+ 
+    // compute actual symbols (from jpeg spec)
+@@ -2112,6 +2115,8 @@ stbi_inline static int stbi__jpeg_huff_decode(stbi__jpeg *j, stbi__huffman *h)
+ 
+    // convert the huffman code to the symbol id
+    c = ((j->code_buffer >> (32 - k)) & stbi__bmask[k]) + h->delta[k];
++   if(c < 0 || c >= 256) // symbol id out of bounds!
++       return -1;
+    STBI_ASSERT((((j->code_buffer) >> (32 - h->size[c])) & stbi__bmask[h->size[c]]) == h->code[c]);
+ 
+    // convert the id to a symbol
+@@ -3103,6 +3108,7 @@ static int stbi__process_marker(stbi__jpeg *z, int m)
+                sizes[i] = stbi__get8(z->s);
+                n += sizes[i];
+             }
++            if(n > 256) return stbi__err("bad DHT header","Corrupt JPEG"); // Loop over i < n would write past end of values!
+             L -= 17;
+             if (tc == 0) {
+                if (!stbi__build_huffman(z->huff_dc+th, sizes)) return 0;
+
+From 2cdd738fd112e11bec8d7b2ee96449741a203ee2 Mon Sep 17 00:00:00 2001
+From: Neil Bickford <nbickford@nvidia.com>
+Date: Wed, 23 Feb 2022 23:48:49 -0800
+Subject: [PATCH 3/4] Add checks for signed integer overflow; further guard
+ against cases where stbi__grow_buffer_unsafe doesn't read all bits required.
+
+---
+ stb_image.h | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 800c83db3..9d10099bb 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -1063,6 +1063,23 @@ static void *stbi__malloc_mad4(int a, int b, int c, int d, int add)
+ }
+ #endif
+ 
++// returns 1 if the sum of two signed ints is valid (between -2^31 and 2^31-1 inclusive), 0 on overflow.
++static int stbi__addints_valid(int a, int b)
++{
++   if ((a >= 0) != (b >= 0)) return 1; // a and b have different signs, so no overflow
++   if (a < 0 && b < 0) return a >= INT_MIN - b; // same as a + b >= INT_MIN; INT_MIN - b cannot overflow since b < 0.
++   return a <= INT_MAX - b;
++}
++
++// returns 1 if the product of two signed shorts is valid, 0 on overflow.
++static int stbi__mul2shorts_valid(short a, short b)
++{
++   if (b == 0 || b == -1) return 1; // multiplication by 0 is always 0; check for -1 so SHRT_MIN/b doesn't overflow
++   if ((a >= 0) == (b >= 0)) return a <= SHRT_MAX/b; // product is positive, so similar to mul2sizes_valid
++   if (b < 0) return a <= SHRT_MIN / b; // same as a * b >= SHRT_MIN
++   return a >= SHRT_MIN / b;
++}
++
+ // stbi__err - error
+ // stbi__errpf - error returning pointer to float
+ // stbi__errpuc - error returning pointer to unsigned char
+@@ -2135,6 +2152,7 @@ stbi_inline static int stbi__extend_receive(stbi__jpeg *j, int n)
+    unsigned int k;
+    int sgn;
+    if (j->code_bits < n) stbi__grow_buffer_unsafe(j);
++   if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing
+ 
+    sgn = j->code_buffer >> 31; // sign bit always in MSB; 0 if MSB clear (positive), 1 if MSB set (negative)
+    k = stbi_lrot(j->code_buffer, n);
+@@ -2149,6 +2167,7 @@ stbi_inline static int stbi__jpeg_get_bits(stbi__jpeg *j, int n)
+ {
+    unsigned int k;
+    if (j->code_bits < n) stbi__grow_buffer_unsafe(j);
++   if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing
+    k = stbi_lrot(j->code_buffer, n);
+    j->code_buffer = k & ~stbi__bmask[n];
+    k &= stbi__bmask[n];
+@@ -2160,6 +2179,7 @@ stbi_inline static int stbi__jpeg_get_bit(stbi__jpeg *j)
+ {
+    unsigned int k;
+    if (j->code_bits < 1) stbi__grow_buffer_unsafe(j);
++   if (j->code_bits < 1) return 0; // ran out of bits from stream, return 0s intead of continuing
+    k = j->code_buffer;
+    j->code_buffer <<= 1;
+    --j->code_bits;
+@@ -2197,8 +2217,10 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
+    memset(data,0,64*sizeof(data[0]));
+ 
+    diff = t ? stbi__extend_receive(j, t) : 0;
++   if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta","Corrupt JPEG");
+    dc = j->img_comp[b].dc_pred + diff;
+    j->img_comp[b].dc_pred = dc;
++   if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
+    data[0] = (short) (dc * dequant[0]);
+ 
+    // decode AC components, see JPEG spec
+@@ -2212,6 +2234,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
+       if (r) { // fast-AC path
+          k += (r >> 4) & 15; // run
+          s = r & 15; // combined length
++         if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available");
+          j->code_buffer <<= s;
+          j->code_bits -= s;
+          // decode into unzigzag'd location
+@@ -2251,8 +2274,10 @@ static int stbi__jpeg_decode_block_prog_dc(stbi__jpeg *j, short data[64], stbi__
+       if (t < 0 || t > 15) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
+       diff = t ? stbi__extend_receive(j, t) : 0;
+ 
++      if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta", "Corrupt JPEG");
+       dc = j->img_comp[b].dc_pred + diff;
+       j->img_comp[b].dc_pred = dc;
++      if (!stbi__mul2shorts_valid(dc, 1 << j->succ_low)) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
+       data[0] = (short) (dc * (1 << j->succ_low));
+    } else {
+       // refinement scan for DC coefficient
+@@ -2287,8 +2312,8 @@ static int stbi__jpeg_decode_block_prog_ac(stbi__jpeg *j, short data[64], stbi__
+          if (r) { // fast-AC path
+             k += (r >> 4) & 15; // run
+             s = r & 15; // combined length
++            if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available");
+             j->code_buffer <<= s;
+-            if (s > j->code_bits) return stbi__err("bad huffman code","Combined length longer than code bits available");
+             j->code_bits -= s;
+             zig = stbi__jpeg_dezigzag[k++];
+             data[zig] = (short) ((r >> 8) * (1 << shift));
+
+From 51e438b04b50eb98540f6df6057004214e9cc81c Mon Sep 17 00:00:00 2001
+From: Neil Bickford <nbickford@nvidia.com>
+Date: Fri, 25 Feb 2022 14:27:31 -0800
+Subject: [PATCH 4/4] Zero-initialize stbi__jpeg to avoid intermittent errors
+ found by fuzz-testing
+
+---
+ stb_image.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/stb_image.h b/stb_image.h
+index 9d10099bb..631e4e51c 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -4008,6 +4008,7 @@ static void *stbi__jpeg_load(stbi__context *s, int *x, int *y, int *comp, int re
+    unsigned char* result;
+    stbi__jpeg* j = (stbi__jpeg*) stbi__malloc(sizeof(stbi__jpeg));
+    if (!j) return stbi__errpuc("outofmem", "Out of memory");
++   memset(j, 0, sizeof(stbi__jpeg));
+    STBI_NOTUSED(ri);
+    j->s = s;
+    stbi__setup_jpeg(j);
+@@ -4021,6 +4022,7 @@ static int stbi__jpeg_test(stbi__context *s)
+    int r;
+    stbi__jpeg* j = (stbi__jpeg*)stbi__malloc(sizeof(stbi__jpeg));
+    if (!j) return stbi__err("outofmem", "Out of memory");
++   memset(j, 0, sizeof(stbi__jpeg));
+    j->s = s;
+    stbi__setup_jpeg(j);
+    r = stbi__decode_jpeg_header(j, STBI__SCAN_type);
+@@ -4046,6 +4048,7 @@ static int stbi__jpeg_info(stbi__context *s, int *x, int *y, int *comp)
+    int result;
+    stbi__jpeg* j = (stbi__jpeg*) (stbi__malloc(sizeof(stbi__jpeg)));
+    if (!j) return stbi__err("outofmem", "Out of memory");
++   memset(j, 0, sizeof(stbi__jpeg));
+    j->s = s;
+    result = stbi__jpeg_info_raw(j, x, y, comp);
+    STBI_FREE(j);

changelog

@@ -0,0 +1,27 @@
+* Wed Apr 20 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.8
+- Security fix for CVE-2022-28041
+
+* Fri Oct 22 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.7
+- Security fix for CVE-2021-42715 and CVE-2021-42716
+
+* Fri Oct 22 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.6
+- Update to af1a5bc: only issue templates are affected; packaged files should
+  be identical.
+
+* Thu Sep 09 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.5
+- Update to c0c9826 (fix RHBZ#2002436)
+- Removed and obsoleted stb_perlin-devel due to possible patents
+- Updated stb_truetype to 1.26
+- Bug fixes in stb_image (no new version number)
+
+* Tue Aug 24 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.4
+- Fix signature of dummy realloc() for STB_VORBIS_NO_CRT
+
+* Mon Aug 23 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.3
+- Use symlinks so including "stb_foo.h" and "stb/stb_foo.h" both work
+
+* Mon Aug 23 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.2
+- Fix duplicated snapshot information
+
+* Mon Aug 23 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.1.20210728git3a11740
+- Initial package for EPEL8

sources

@@ -1 +1 @@
-SHA512 (stb-3a1174060a7dd4eb652d4e6854bc4cd98c159200.tar.gz) = 282318244dd1002eeb6bff5c43d7ccbca26d001d5820018c354b8706bcd91e947056a5aafefcb922730cab5cabc05a03fb6576b6eb21ff76d54a4d71888f39fe
+SHA512 (stb-8b5f1f37b5b75829fc72d38e7b5d4bcbf8a26d55.tar.gz) = 76e0ed7536146aac71f89d6246235221c1dc0bd035ae4b33d496213acf5be95413cae4455a3f1419f84113320f7bd662dc50b47788cbdc8e7208bbbbcfd23f98

stb.spec

@@ -1,14 +1,18 @@
-%global forgeurl https://github.com/nothings/%{name}
-%global commit 3a1174060a7dd4eb652d4e6854bc4cd98c159200
+%global commit 8b5f1f37b5b75829fc72d38e7b5d4bcbf8a26d55
+%global snapdate 20220908
 
-# We choose not to package the “stb_include” library (stb_include.h) because it
-# is so rife with old-school blithe C behavior—wanton use of strcat/strcpy into
-# a fixed-length buffer that is assumed (but not proven) to be large enough for
-# all possible uses, ignoring possible I/O errors (possibly leading to
-# undefined behavior from reading uninitialized memory), and so on. Making it
-# safe to use would mean a substantial rewrite.
+# We choose not to package the “stb_include” library (stb_include.h) because,
+# during the package review, it was observed that it follows coding practices
+# that make it dangerous to use on untrusted inputs, including but not limited
+# to:
 #
-# If a request for this library arises, this decision may be revisited, or the
+# - It uses of strcat/strcpy into a fixed-length buffer that is assumed (but
+#   not proven) to be large enough for all possible uses
+# - It ignores I/O errors (possibly leading to undefined behavior from reading
+#   uninitialized memory), and so on. Making it
+#
+# A substantial rewrite would be required to mitigate these concerns. If a
+# request for this library arises, this decision may be revisited, or the
 # necessary rewrite may be done and offered upstream. For now, we omit the
 # library and expect it will not be missed.
 %bcond_with stb_include
@@ -18,9 +22,9 @@ Name:           stb
 # collection is not, and there are no releases. See:
 #   https://github.com/nothings/stb/issues/359
 #   https://github.com/nothings/stb/issues/1101
+%global snapinfo %{snapdate}git%(echo '%{commit}' | cut -b -7)
 Version:        0
-%forgemeta
-Release:        %autorelease -p
+Release:        %autorelease -p -s %{snapinfo}
 Summary:        Single-file public domain libraries for C/C++
 
 # See LICENSE.
@@ -31,20 +35,75 @@ License:        MIT or Unlicense
 # - deprecated/rrsprintf.h, tests/caveview/stb_gl.h, and
 #   tests/caveview/win32/SDL_windows_main.c are Public Domain
 # - tests/caveview/glext.h is MIT (only)
-URL:            %{forgeurl}
-Source0:        %{forgesource}
+URL:            https://github.com/nothings/stb
+Source0:        %{url}/archive/%{commit}/stb-%{commit}.tar.gz
 
 # Fix undefined behavior from array “shape-punning”
 # https://github.com/nothings/stb/pull/1194
-Patch0:         %{forgeurl}//pull/1194.patch
+Patch0:         %{url}/pull/1194.patch
 
 # Fix misleading indentation in stb_divide.h
 # https://github.com/nothings/stb/pull/1195
-Patch1:         %{forgeurl}//pull/1195.patch
+Patch1:         %{url}/pull/1195.patch
 
 # Trivial fix for array-in-structure initialization (missing braces warning)
 # https://github.com/nothings/stb/pull/1196
-Patch2:         %{forgeurl}//pull/1196.patch
+Patch2:         %{url}/pull/1196.patch
+
+# Fix signature of dummy realloc() for STB_VORBIS_NO_CRT
+# https://github.com/nothings/stb/pull/1198
+Patch3:         %{url}/pull/1198.patch
+
+# Candidate fix for:
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42715
+#
+# In stb_image's HDR reader, loading a specially constructed invalid HDR file
+# can result in an infinite loop within the RLE decoder
+# https://github.com/nothings/stb/issues/1224
+#
+# ----
+#
+# Additionally, this is a candidate fix for:
+# https://nvd.nist.gov/vuln/detail/CVE-2021-42716
+#
+# stbi__pnm_load heap-buffer-overflow bug
+# https://github.com/nothings/stb/issues/1166
+#
+# In stb_image's PNM reader, loading a specially constructed valid 16-bit PGM
+# file with 4 channels can cause a crash due to an out-of-bounds read
+# https://github.com/nothings/stb/issues/1225
+#
+# ----
+#
+# Fixes a crash and an infinite loop in stb_image that could occur with
+# specially constructed PGM and HDR files
+# https://github.com/nothings/stb/pull/1223
+Patch4:         %{url}/pull/1223.patch
+
+# Forward declare stbhw__process struct to fix warnings
+# https://github.com/nothings/stb/pull/1225
+#
+# We don’t see these warnings in the “compile tests”, but we can reproduce them
+# by manually compiling tests/herringbone_map.c; a real user of the
+# stb_herringbone_wang_tile library would encounter them; and inspection of the
+# patch shows it to be correct.
+Patch5:         %{url}/pull/1236.patch
+
+# Candidate fix for:
+# https://nvd.nist.gov/vuln/detail/CVE-2022-28041
+#
+# stb_image.h v2.27 was discovered to contain an integer overflow via the
+# function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers
+# to cause a Denial of Service (DoS) via unspecified vectors.
+#
+# UBSAN: integer overflow
+# https://github.com/nothings/stb/issues/1292
+#
+# ----
+#
+# Additional stb_image fixes for bugs from ossfuzz and issues 1289, 1291, 1292, and 1293
+# https://github.com/nothings/stb/pull/1297
+Patch6:         %{url}/pull/1297.patch
 
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
@@ -64,7 +123,7 @@ Patch2:         %{forgeurl}//pull/1196.patch
 %global stb_sprintf_version 1.10
 %global stb_textedit_version 1.14
 %global stb_tilemap_editor_version 0.42
-%global stb_truetype_version 1.25
+%global stb_truetype_version 1.26
 %global stb_vorbis_version 1.22
 %global stb_voxel_render_version 0.89
 
@@ -82,11 +141,11 @@ BuildRequires:  /usr/bin/convert
 
 
 %package devel
-Summary:        Development files for %{name}
+Summary:        Development files for stb
 
 # Dependent packages should prefer to BuildRequire the -static packages for the
 # specific stb libraries they use.
-Provides:       %{name}-static = %{version}-%{release}
+Provides:       stb-static = %{version}-%{release}
 
 Requires:       stb_c_lexer-devel%{?_isa} = %{stb_c_lexer_version}-%{release}
 Requires:       stb_c_lexer-static = %{stb_c_lexer_version}-%{release}
@@ -134,14 +193,14 @@ Requires:       stb_voxel_render-devel%{?_isa} = %{stb_voxel_render_version}-%{r
 Requires:       stb_voxel_render-static = %{stb_voxel_render_version}-%{release}
 
 %description devel
-The %{name}-devel package contains libraries and header files for developing
-applications that use %{name}.
+The stb-devel package contains libraries and header files for developing
+applications that use stb.
 
 This is a metapackage that requires the -devel packages for all stb libraries.
 
 
 %package -n stb_c_lexer-devel
-Summary:        Lexer for making little C-like languages with recursive-descent parsers
+Summary:        Simplify writing parsers for C-like languages
 Version:        %{stb_c_lexer_version}
 
 Provides:       stb_c_lexer-static = %{stb_c_lexer_version}-%{release}
@@ -151,7 +210,7 @@ Lexer for making little C-like languages with recursive-descent parsers.
 
 
 %package -n stb_connected_components-devel
-Summary:        Connected components on grids
+Summary:        Incrementally compute reachability on grids
 Version:        %{stb_connected_components_version}
 
 Provides:       stb_connected_components-static = %{stb_connected_components_version}-%{release}
@@ -165,17 +224,23 @@ their orthogonal neighbors, not diagonally.
 
 
 %package -n stb_divide-devel
-Summary:        Three kinds of divide/modulus of signed integers
+Summary:        More useful 32-bit modulus e.g. “Euclidean divide”
 Version:        %{stb_divide_version}
 
 Provides:       stb_divide-static = %{stb_divide_version}-%{release}
 
 %description -n stb_divide-devel
-Three kinds of divide/modulus of signed integers.
+This file provides three different consistent divide/mod pairs
+implemented on top of arbitrary C/C++ division, including correct
+handling of overflow of intermediate calculations:
+
+    trunc:   a/b truncates to 0,           a%b has same sign as a
+    floor:   a/b truncates to -inf,        a%b has same sign as b
+    eucl:    a/b truncates to sign(b)*inf, a%b is non-negative
 
 
 %package -n stb_ds-devel
-Summary:        Data structures
+Summary:        Typesafe dynamic array and hash tables for C, will compile in C++
 Version:        %{stb_ds_version}
 
 Provides:       stb_ds-static = %{stb_ds_version}-%{release}
@@ -184,12 +249,11 @@ Provides:       stb_ds-static = %{stb_ds_version}-%{release}
 This is a single-header-file library that provides easy-to-use dynamic arrays
 and hash tables for C (also works in C++).
 
-For a gentle introduction:
-   http://nothings.org/stb_ds
+For a gentle introduction: https://nothings.org/stb_ds
 
 
 %package -n stb_dxt-devel
-Summary:        DXT1/DXT5 compressor
+Summary:        Fabian “ryg” Giesen’s real-time DXT compressor
 Version:        %{stb_dxt_version}
 
 Provides:       stb_dxt-static = %{stb_dxt_version}-%{release}
@@ -198,9 +262,8 @@ Provides:       stb_dxt-static = %{stb_dxt_version}-%{release}
 DXT1/DXT5 compressor.
 
 
-
 %package -n stb_easy_font-devel
-Summary:        Bitmap font for 3D rendering
+Summary:        Quick-and-dirty easy-to-deploy bitmap font for printing frame rate, etc
 Version:        %{stb_easy_font_version}
 
 Provides:       stb_easy_font-static = %{stb_easy_font_version}-%{release}
@@ -220,7 +283,7 @@ Doesn’t use any textures, instead builds characters out of quads.
 
 
 %package -n stb_herringbone_wang_tile-devel
-Summary:        Herringbone Wang Tile Generator
+Summary:        Herringbone Wang tile map generator
 Version:        %{stb_herringbone_wang_tile_version}
 
 Provides:       stb_herringbone_wang_tile-static = %{stb_herringbone_wang_tile_version}-%{release}
@@ -245,7 +308,7 @@ loading the tile set and specifying the constraints explicitly yourself.
 
 
 %package -n stb_hexwave-devel
-Summary:        A flexible anti-aliased (bandlimited) digital audio oscillator
+Summary:        Audio waveform synthesizer
 Version:        %{stb_hexwave_version}
 
 Provides:       stb_hexwave-static = %{stb_hexwave_version}-%{release}
@@ -261,17 +324,20 @@ multiple voices, etc.
 
 
 %package -n stb_image-devel
-Summary:        Image loader
+Summary:        Image loading/decoding from file/memory: JPG, PNG, TGA, BMP, PSD, GIF, HDR, PIC
 Version:        %{stb_image_version}
 
 Provides:       stb_image-static = %{stb_image_version}-%{release}
 
 %description -n stb_image-devel
-Image loader.
+%{summary}.
+
+Primarily of interest to game developers and other people who can avoid
+problematic images and only need the trivial interface.
 
 
 %package -n stb_image_resize-devel
-Summary:        Image resizing
+Summary:        Resize images larger/smaller with good quality
 Version:        %{stb_image_resize_version}
 
 Provides:       stb_image_resize-static = %{stb_image_resize_version}-%{release}
@@ -286,7 +352,7 @@ w/Mitchell filter, upsamples w/cubic interpolation.
 
 
 %package -n stb_image_write-devel
-Summary:        Writes out PNG/BMP/TGA/JPEG/HDR images to C stdio
+Summary:        Image writing to disk: PNG, TGA, BMP
 Version:        %{stb_image_write_version}
 
 Provides:       stb_image_write-static = %{stb_image_write_version}-%{release}
@@ -303,7 +369,7 @@ run-time performance.
 
 %if %{with stb_include}
 %package -n stb_include-devel
-Summary:        Parse and process #include directives
+Summary:        Implement recursive #include support, particularly for GLSL
 Version:        %{stb_include_version}
 
 Provides:       stb_include-static = %{stb_include_version}-%{release}
@@ -323,27 +389,27 @@ API.
 
 
 %package -n stb_leakcheck-devel
-Summary:        Quick and dirty malloc leak-checking
+Summary:        Quick-and-dirty malloc/free leak-checking
 Version:        %{stb_leakcheck_version}
 
 Provides:       stb_leakcheck-static = %{stb_leakcheck_version}-%{release}
 
 %description -n stb_leakcheck-devel
-Quick and dirty malloc leak-checking.
+%{summary}.
 
 
 %package -n stb_perlin-devel
-Summary:        Perlin noise
+Summary:        Perlin’s revised simplex noise w/ different seeds
 Version:        %{stb_perlin_version}
 
 Provides:       stb_perlin-static = %{stb_perlin_version}-%{release}
 
 %description -n stb_perlin-devel
-Perlin noise.
+%{summary}.
 
 
 %package -n stb_rect_pack-devel
-Summary:        Rectangle packing
+Summary:        Simple 2D rectangle packer with decent quality
 Version:        %{stb_rect_pack_version}
 
 Provides:       stb_rect_pack-static = %{stb_rect_pack_version}-%{release}
@@ -365,7 +431,7 @@ same API, but with a different init function.
 
 
 %package -n stb_sprintf-devel
-Summary:        Implementation of snprintf()
+Summary:        Fast sprintf, snprintf for C/C++
 Version:        %{stb_sprintf_version}
 
 Provides:       stb_sprintf-static = %{stb_sprintf_version}-%{release}
@@ -396,7 +462,7 @@ when using MSVC static libs, calling sprintf drags in 16K.
 
 
 %package -n stb_textedit-devel
-Summary:        Guts of a multi-line text-editing widget
+Summary:        Guts of a text editor for games etc., implementing them from scratch
 Version:        %{stb_textedit_version}
 
 Provides:       stb_textedit-static = %{stb_textedit_version}-%{release}
@@ -416,7 +482,7 @@ Non-trivial behaviors are modelled after Windows text controls.
 
 
 %package -n stb_tilemap_editor-devel
-Summary:        Embeddable tilemap editor for C/C++
+Summary:        Embeddable tilemap editor
 Version:        %{stb_tilemap_editor_version}
 
 Provides:       stb_tilemap_editor-static = %{stb_tilemap_editor_version}-%{release}
@@ -426,7 +492,7 @@ Embeddable tilemap editor for C/C++.
 
 
 %package -n stb_truetype-devel
-Summary:        Processes TrueType Files
+Summary:        Parse, decode, and rasterize characters from TrueType fonts
 Version:        %{stb_truetype_version}
 
 Provides:       stb_truetype-static = %{stb_truetype_version}-%{release}
@@ -451,7 +517,7 @@ This library processes TrueType files:
 
 
 %package -n stb_vorbis-devel
-Summary:        Ogg Vorbis audio decoder
+Summary:        Decode Ogg Vorbis files from file/memory to float/16-bit signed output
 Version:        %{stb_vorbis_version}
 
 Provides:       stb_vorbis-static = %{stb_vorbis_version}-%{release}
@@ -496,15 +562,15 @@ them.
 
 
 %package doc
-Summary:        Documentation for %{name}
+Summary:        Documentation for stb
 BuildArch:      noarch
 
 %description doc
-Documentation for %{name}.
+Documentation for stb.
 
 
 %prep
-%forgeautosetup -p1
+%autosetup -n stb-%{commit} -p1
 
 # Append to OS build flags rather than overriding them
 #
@@ -548,10 +614,21 @@ sed -r -i '/#include[[:blank:]]+"stb_include.h"/d' tests/test_c_compilation.c
 # unprecedented. Any .c file in stb is meant to be #include’d and used as a
 # header-only library, just as the “.h” files in the other stb libraries. The
 # only difference is the file extension.
-install -t '%{buildroot}%{_includedir}' -p -m 0644 -D stb_*.h stb_*.c
+#
+# Since these are designed to be copied into dependent package source trees,
+# there is no convention on include paths. Most projects end up using “#include
+# <stb_foo.h>” or “#include <stb/stb_foo.h>”, so we install to
+# %%{_includedir}/stb/stb_foo.h and %%{_includedir}/stb_foo.h, with the latter
+# as a symbolic link to the former. This means most projects can unbundle the
+# library without having to make their own local symlinks or patch their
+# sources.
+install -t '%{buildroot}%{_includedir}/stb' -p -m 0644 -D stb_*.h stb_*.c
 %if %{without stb_include}
-rm -vf '%{buildroot}%{_includedir}/stb_include.h'
+rm -vf '%{buildroot}%{_includedir}/stb/stb_include.h'
 %endif
+pushd '%{buildroot}%{_includedir}'
+ln -sv stb/stb_*.? .
+popd
 
 
 %check
@@ -621,108 +698,171 @@ EOF
 
 %files -n stb_c_lexer-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_c_lexer.h
 %{_includedir}/stb_c_lexer.h
 
 
 %files -n stb_connected_components-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_connected_components.h
 %{_includedir}/stb_connected_components.h
 
 
 %files -n stb_divide-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_divide.h
 %{_includedir}/stb_divide.h
 
 
 %files -n stb_ds-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_ds.h
 %{_includedir}/stb_ds.h
 
 
 %files -n stb_dxt-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_dxt.h
 %{_includedir}/stb_dxt.h
 
 
 %files -n stb_easy_font-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_easy_font.h
 %{_includedir}/stb_easy_font.h
 
 
 %files -n stb_herringbone_wang_tile-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_herringbone_wang_tile.h
 %{_includedir}/stb_herringbone_wang_tile.h
 
 
 %files -n stb_hexwave-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_hexwave.h
 %{_includedir}/stb_hexwave.h
 
 
 %files -n stb_image-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_image.h
 %{_includedir}/stb_image.h
 
 
 %files -n stb_image_resize-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_image_resize.h
 %{_includedir}/stb_image_resize.h
 
 
 %files -n stb_image_write-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_image_write.h
 %{_includedir}/stb_image_write.h
 
 
 %if %{with stb_include}
 %files -n stb_include-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_include.h
 %{_includedir}/stb_include.h
 %endif
 
 
 %files -n stb_leakcheck-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_leakcheck.h
 %{_includedir}/stb_leakcheck.h
 
 
 %files -n stb_perlin-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_perlin.h
 %{_includedir}/stb_perlin.h
 
 
 %files -n stb_rect_pack-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_rect_pack.h
 %{_includedir}/stb_rect_pack.h
 
 
 %files -n stb_sprintf-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_sprintf.h
 %{_includedir}/stb_sprintf.h
 
 
 %files -n stb_textedit-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_textedit.h
 %{_includedir}/stb_textedit.h
 
 
 %files -n stb_tilemap_editor-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_tilemap_editor.h
 %{_includedir}/stb_tilemap_editor.h
 
 
 %files -n stb_truetype-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_truetype.h
 %{_includedir}/stb_truetype.h
 
 
 %files -n stb_vorbis-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_vorbis.c
 %{_includedir}/stb_vorbis.c
 
 
 %files -n stb_voxel_render-devel
 %license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_voxel_render.h
 %{_includedir}/stb_voxel_render.h