Remove patch number

Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>

.gitignore

@@ -2,3 +2,7 @@
 /stb-c0c982601f40183e74d84a61237e968dca08380e.tar.gz
 /stb-af1a5bc352164740c1cc1354942b1c6b72eacb8a.tar.gz
 /stb-8b5f1f37b5b75829fc72d38e7b5d4bcbf8a26d55.tar.gz
+/stb-6199bf77130da41fd424722eeb7a8db4d766c4c6.tar.gz
+/stb-5736b15f7ea0ffb08dd38af21067c314d6a3aae9.tar.gz
+/stb-c4bbb6e75f688318b2df2b70c2df2d641c1a8481.tar.gz
+/stb-beebb24b945efdea3b9bba23affb8eb3ba8982e7.tar.gz

0001-Fix-Null-pointer-dereference-because-of-an-uninitial.patch

@@ -0,0 +1,27 @@
+From 800a684d6d3cae7ed2437a23496d9306c0dfa8dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:33:06 +0200
+Subject: [PATCH] Fix Null pointer dereference because of an uninitialized
+ variable
+
+Call `stbi__vertical_flip_slices` only if the previous function didn't fail. Fixes #1550
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 49c53d0..de12c06 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -1446,7 +1446,7 @@ STBIDEF stbi_uc *stbi_load_gif_from_memory(stbi_uc const *buffer, int len, int *
+    stbi__start_mem(&s,buffer,len);
+ 
+    result = (unsigned char*) stbi__load_gif_main(&s, delays, x, y, z, comp, req_comp);
+-   if (stbi__vertically_flip_on_load) {
++   if (stbi__vertically_flip_on_load && result) {
+       int channels = req_comp ? req_comp : *comp;
+       stbi__vertical_flip_slices( result, *x, *y, *z, channels );
+    }
+-- 
+2.41.0
+

0001-Fix-double-free-in-stbi__load_gif_main_outofmem.patch

@@ -0,0 +1,28 @@
+From 4a4c1eeb8540c61ceb3456b3277184bc1c63c9be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:16:34 +0200
+Subject: [PATCH 1/2] Fix double-free in stbi__load_gif_main_outofmem
+
+Fixes #1544
+---
+ stb_image.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/stb_image.h b/stb_image.h
+index aac3653..d3a1f59 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -6990,6 +6990,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+             stride = g.w * g.h * 4;
+ 
+             if (out) {
++               if (stride == 0) {
++                  void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++                  return ret;
++               }
+                if (!stbi__mul2sizes_valid(layers, stride)) {
+                   void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
+                   return ret;
+-- 
+2.41.0
+

0002-Fix-possible-double-free-or-memory-leak-in-stbi__loa.patch

@@ -0,0 +1,46 @@
+From 33c3c202425daea456520f92846b37da6a83e1c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:29:56 +0200
+Subject: [PATCH 2/2] Fix possible double-free or memory leak in
+ stbi__load_gif_main
+
+Fixes #1548
+---
+ stb_image.h | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index d3a1f59..df4ff95 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -6999,8 +6999,11 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+                   return ret;
+                }
+                void *tmp = (stbi_uc*) STBI_REALLOC_SIZED( out, out_size, layers * stride );
+-               if (!tmp)
+-                  return stbi__load_gif_main_outofmem(&g, out, delays);
++               if (!tmp) {
++                  void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++                 if (delays && *delays) *delays = 0;
++                 return ret;
++              }
+                else {
+                    out = (stbi_uc*) tmp;
+                    out_size = layers * stride;
+@@ -7019,8 +7022,11 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+                   return ret;
+                }
+                out = (stbi_uc*)stbi__malloc( layers * stride );
+-               if (!out)
+-                  return stbi__load_gif_main_outofmem(&g, out, delays);
++               if (!out) {
++                  void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++                 if (delays && *delays) *delays = 0;
++                 return ret;
++              }
+                out_size = layers * stride;
+                if (delays) {
+                   *delays = (int*) stbi__malloc( layers * sizeof(int) );
+-- 
+2.41.0
+

1223.patch

@@ -1,59 +0,0 @@
-From 8075c3442ffeadab7594e1fe3ad13344f9c9c783 Mon Sep 17 00:00:00 2001
-From: Neil Bickford <nbickford@nvidia.com>
-Date: Thu, 7 Oct 2021 13:00:32 -0700
-Subject: [PATCH] Fixes two stb_image issues that could occur with specially
- constructed HDR and PGM files.
-
-Signed-off-by: Neil Bickford <nbickford@nvidia.com>
----
- stb_image.h | 17 ++++++++++++-----
- 1 file changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/stb_image.h b/stb_image.h
-index d60371b95..8518c05e7 100644
---- a/stb_image.h
-+++ b/stb_image.h
-@@ -108,7 +108,7 @@ RECENT REVISION HISTORY:
-     Cass Everitt            Ryamond Barbiero                        github:grim210
-     Paul Du Bois            Engin Manap        Aldo Culquicondor    github:sammyhw
-     Philipp Wiesemann       Dale Weiler        Oriol Ferrer Mesia   github:phprus
--    Josh Tobin                                 Matthew Gregan       github:poppolopoppo
-+    Josh Tobin              Neil Bickford      Matthew Gregan       github:poppolopoppo
-     Julian Raschke          Gregory Mullen     Christian Floisand   github:darealshinji
-     Baldur Karlsson         Kevin Schmidt      JR Smith             github:Michaelangel007
-                             Brad Weinberger    Matvey Cherevko      github:mosra
-@@ -7187,12 +7187,12 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
-                   // Run
-                   value = stbi__get8(s);
-                   count -= 128;
--                  if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
-+                  if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
-                   for (z = 0; z < count; ++z)
-                      scanline[i++ * 4 + k] = value;
-                } else {
-                   // Dump
--                  if (count > nleft) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
-+                  if ((count == 0) || (count > nleft)) { STBI_FREE(hdr_data); STBI_FREE(scanline); return stbi__errpf("corrupt", "bad RLE data in HDR"); }
-                   for (z = 0; z < count; ++z)
-                      scanline[i++ * 4 + k] = stbi__get8(s);
-                }
-@@ -7446,10 +7446,17 @@ static void *stbi__pnm_load(stbi__context *s, int *x, int *y, int *comp, int req
- 
-    out = (stbi_uc *) stbi__malloc_mad4(s->img_n, s->img_x, s->img_y, ri->bits_per_channel / 8, 0);
-    if (!out) return stbi__errpuc("outofmem", "Out of memory");
--   stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8));
-+   if (!stbi__getn(s, out, s->img_n * s->img_x * s->img_y * (ri->bits_per_channel / 8))) {
-+      STBI_FREE(out);
-+      return stbi__errpuc("bad PNM", "PNM file truncated");
-+   }
- 
-    if (req_comp && req_comp != s->img_n) {
--      out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
-+      if (ri->bits_per_channel == 16) {
-+         out = (stbi_uc *) stbi__convert_format16((stbi__uint16 *) out, s->img_n, req_comp, s->img_x, s->img_y);
-+      } else {
-+         out = stbi__convert_format(out, s->img_n, req_comp, s->img_x, s->img_y);
-+      }
-       if (out == NULL) return out; // stbi__convert_format frees input on failure
-    }
-    return out;

1297.patch

@@ -1,244 +0,0 @@
-From fa43122a169eb79ced5789f2f261cee7fd4db221 Mon Sep 17 00:00:00 2001
-From: Neil Bickford <nbickford@nvidia.com>
-Date: Tue, 22 Feb 2022 23:48:42 -0800
-Subject: [PATCH 1/4] Add checks for PNM integer read overflows, add a 1GB
- limit on IDAT chunk sizes to fix an OOM issue, and check for a situation
- where a sequence of bad Huffman code reads could result in a left shift by a
- negative number.
-
----
- stb_image.h | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/stb_image.h b/stb_image.h
-index d60371b95..6321f5e02 100644
---- a/stb_image.h
-+++ b/stb_image.h
-@@ -2283,6 +2283,7 @@ static int stbi__jpeg_decode_block_prog_ac(stbi__jpeg *j, short data[64], stbi__
-             k += (r >> 4) & 15; // run
-             s = r & 15; // combined length
-             j->code_buffer <<= s;
-+            if (s > j->code_bits) return stbi__err("bad huffman code","Combined length longer than code bits available");
-             j->code_bits -= s;
-             zig = stbi__jpeg_dezigzag[k++];
-             data[zig] = (short) ((r >> 8) * (1 << shift));
-@@ -5116,6 +5117,7 @@ static int stbi__parse_png_file(stbi__png *z, int scan, int req_comp)
-             if (first) return stbi__err("first not IHDR", "Corrupt PNG");
-             if (pal_img_n && !pal_len) return stbi__err("no PLTE","Corrupt PNG");
-             if (scan == STBI__SCAN_header) { s->img_n = pal_img_n; return 1; }
-+            if (c.length > (1u << 30)) return stbi__err("IDAT size limit", "IDAT section larger than 2^30 bytes");
-             if ((int)(ioff + c.length) < (int)ioff) return 0;
-             if (ioff + c.length > idata_limit) {
-                stbi__uint32 idata_limit_old = idata_limit;
-@@ -7486,6 +7488,8 @@ static int      stbi__pnm_getinteger(stbi__context *s, char *c)
-    while (!stbi__at_eof(s) && stbi__pnm_isdigit(*c)) {
-       value = value*10 + (*c - '0');
-       *c = (char) stbi__get8(s);
-+      if((value > 214748364) || (value == 214748364 && *c > '7'))
-+          return stbi__err("integer parse overflow", "Parsing an integer in the PPM header overflowed a 32-bit int");
-    }
- 
-    return value;
-@@ -7516,9 +7520,13 @@ static int      stbi__pnm_info(stbi__context *s, int *x, int *y, int *comp)
-    stbi__pnm_skip_whitespace(s, &c);
- 
-    *x = stbi__pnm_getinteger(s, &c); // read width
-+   if(*x == 0)
-+       return stbi__err("invalid width", "PPM image header had zero or overflowing width");
-    stbi__pnm_skip_whitespace(s, &c);
- 
-    *y = stbi__pnm_getinteger(s, &c); // read height
-+   if (*y == 0)
-+       return stbi__err("invalid width", "PPM image header had zero or overflowing width");
-    stbi__pnm_skip_whitespace(s, &c);
- 
-    maxv = stbi__pnm_getinteger(s, &c);  // read max value
-
-From 83739b31eeddaaf683948051661ece39af6795cd Mon Sep 17 00:00:00 2001
-From: Neil Bickford <nbickford@nvidia.com>
-Date: Wed, 23 Feb 2022 00:53:34 -0800
-Subject: [PATCH 2/4] Add range checks to fix a few crash issues in stb_image
- issues 1289 and 1291
-
----
- stb_image.h | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/stb_image.h b/stb_image.h
-index 6321f5e02..800c83db3 100644
---- a/stb_image.h
-+++ b/stb_image.h
-@@ -1985,9 +1985,12 @@ static int stbi__build_huffman(stbi__huffman *h, int *count)
-    int i,j,k=0;
-    unsigned int code;
-    // build size list for each symbol (from JPEG spec)
--   for (i=0; i < 16; ++i)
--      for (j=0; j < count[i]; ++j)
-+   for (i=0; i < 16; ++i) {
-+      for (j=0; j < count[i]; ++j) {
-          h->size[k++] = (stbi_uc) (i+1);
-+         if(k >= 257) return stbi__err("bad size list","Corrupt JPEG");
-+      }
-+   }
-    h->size[k] = 0;
- 
-    // compute actual symbols (from jpeg spec)
-@@ -2112,6 +2115,8 @@ stbi_inline static int stbi__jpeg_huff_decode(stbi__jpeg *j, stbi__huffman *h)
- 
-    // convert the huffman code to the symbol id
-    c = ((j->code_buffer >> (32 - k)) & stbi__bmask[k]) + h->delta[k];
-+   if(c < 0 || c >= 256) // symbol id out of bounds!
-+       return -1;
-    STBI_ASSERT((((j->code_buffer) >> (32 - h->size[c])) & stbi__bmask[h->size[c]]) == h->code[c]);
- 
-    // convert the id to a symbol
-@@ -3103,6 +3108,7 @@ static int stbi__process_marker(stbi__jpeg *z, int m)
-                sizes[i] = stbi__get8(z->s);
-                n += sizes[i];
-             }
-+            if(n > 256) return stbi__err("bad DHT header","Corrupt JPEG"); // Loop over i < n would write past end of values!
-             L -= 17;
-             if (tc == 0) {
-                if (!stbi__build_huffman(z->huff_dc+th, sizes)) return 0;
-
-From 2cdd738fd112e11bec8d7b2ee96449741a203ee2 Mon Sep 17 00:00:00 2001
-From: Neil Bickford <nbickford@nvidia.com>
-Date: Wed, 23 Feb 2022 23:48:49 -0800
-Subject: [PATCH 3/4] Add checks for signed integer overflow; further guard
- against cases where stbi__grow_buffer_unsafe doesn't read all bits required.
-
----
- stb_image.h | 27 ++++++++++++++++++++++++++-
- 1 file changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/stb_image.h b/stb_image.h
-index 800c83db3..9d10099bb 100644
---- a/stb_image.h
-+++ b/stb_image.h
-@@ -1063,6 +1063,23 @@ static void *stbi__malloc_mad4(int a, int b, int c, int d, int add)
- }
- #endif
- 
-+// returns 1 if the sum of two signed ints is valid (between -2^31 and 2^31-1 inclusive), 0 on overflow.
-+static int stbi__addints_valid(int a, int b)
-+{
-+   if ((a >= 0) != (b >= 0)) return 1; // a and b have different signs, so no overflow
-+   if (a < 0 && b < 0) return a >= INT_MIN - b; // same as a + b >= INT_MIN; INT_MIN - b cannot overflow since b < 0.
-+   return a <= INT_MAX - b;
-+}
-+
-+// returns 1 if the product of two signed shorts is valid, 0 on overflow.
-+static int stbi__mul2shorts_valid(short a, short b)
-+{
-+   if (b == 0 || b == -1) return 1; // multiplication by 0 is always 0; check for -1 so SHRT_MIN/b doesn't overflow
-+   if ((a >= 0) == (b >= 0)) return a <= SHRT_MAX/b; // product is positive, so similar to mul2sizes_valid
-+   if (b < 0) return a <= SHRT_MIN / b; // same as a * b >= SHRT_MIN
-+   return a >= SHRT_MIN / b;
-+}
-+
- // stbi__err - error
- // stbi__errpf - error returning pointer to float
- // stbi__errpuc - error returning pointer to unsigned char
-@@ -2135,6 +2152,7 @@ stbi_inline static int stbi__extend_receive(stbi__jpeg *j, int n)
-    unsigned int k;
-    int sgn;
-    if (j->code_bits < n) stbi__grow_buffer_unsafe(j);
-+   if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing
- 
-    sgn = j->code_buffer >> 31; // sign bit always in MSB; 0 if MSB clear (positive), 1 if MSB set (negative)
-    k = stbi_lrot(j->code_buffer, n);
-@@ -2149,6 +2167,7 @@ stbi_inline static int stbi__jpeg_get_bits(stbi__jpeg *j, int n)
- {
-    unsigned int k;
-    if (j->code_bits < n) stbi__grow_buffer_unsafe(j);
-+   if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing
-    k = stbi_lrot(j->code_buffer, n);
-    j->code_buffer = k & ~stbi__bmask[n];
-    k &= stbi__bmask[n];
-@@ -2160,6 +2179,7 @@ stbi_inline static int stbi__jpeg_get_bit(stbi__jpeg *j)
- {
-    unsigned int k;
-    if (j->code_bits < 1) stbi__grow_buffer_unsafe(j);
-+   if (j->code_bits < 1) return 0; // ran out of bits from stream, return 0s intead of continuing
-    k = j->code_buffer;
-    j->code_buffer <<= 1;
-    --j->code_bits;
-@@ -2197,8 +2217,10 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
-    memset(data,0,64*sizeof(data[0]));
- 
-    diff = t ? stbi__extend_receive(j, t) : 0;
-+   if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta","Corrupt JPEG");
-    dc = j->img_comp[b].dc_pred + diff;
-    j->img_comp[b].dc_pred = dc;
-+   if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
-    data[0] = (short) (dc * dequant[0]);
- 
-    // decode AC components, see JPEG spec
-@@ -2212,6 +2234,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
-       if (r) { // fast-AC path
-          k += (r >> 4) & 15; // run
-          s = r & 15; // combined length
-+         if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available");
-          j->code_buffer <<= s;
-          j->code_bits -= s;
-          // decode into unzigzag'd location
-@@ -2251,8 +2274,10 @@ static int stbi__jpeg_decode_block_prog_dc(stbi__jpeg *j, short data[64], stbi__
-       if (t < 0 || t > 15) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
-       diff = t ? stbi__extend_receive(j, t) : 0;
- 
-+      if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta", "Corrupt JPEG");
-       dc = j->img_comp[b].dc_pred + diff;
-       j->img_comp[b].dc_pred = dc;
-+      if (!stbi__mul2shorts_valid(dc, 1 << j->succ_low)) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
-       data[0] = (short) (dc * (1 << j->succ_low));
-    } else {
-       // refinement scan for DC coefficient
-@@ -2287,8 +2312,8 @@ static int stbi__jpeg_decode_block_prog_ac(stbi__jpeg *j, short data[64], stbi__
-          if (r) { // fast-AC path
-             k += (r >> 4) & 15; // run
-             s = r & 15; // combined length
-+            if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available");
-             j->code_buffer <<= s;
--            if (s > j->code_bits) return stbi__err("bad huffman code","Combined length longer than code bits available");
-             j->code_bits -= s;
-             zig = stbi__jpeg_dezigzag[k++];
-             data[zig] = (short) ((r >> 8) * (1 << shift));
-
-From 51e438b04b50eb98540f6df6057004214e9cc81c Mon Sep 17 00:00:00 2001
-From: Neil Bickford <nbickford@nvidia.com>
-Date: Fri, 25 Feb 2022 14:27:31 -0800
-Subject: [PATCH 4/4] Zero-initialize stbi__jpeg to avoid intermittent errors
- found by fuzz-testing
-
----
- stb_image.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/stb_image.h b/stb_image.h
-index 9d10099bb..631e4e51c 100644
---- a/stb_image.h
-+++ b/stb_image.h
-@@ -4008,6 +4008,7 @@ static void *stbi__jpeg_load(stbi__context *s, int *x, int *y, int *comp, int re
-    unsigned char* result;
-    stbi__jpeg* j = (stbi__jpeg*) stbi__malloc(sizeof(stbi__jpeg));
-    if (!j) return stbi__errpuc("outofmem", "Out of memory");
-+   memset(j, 0, sizeof(stbi__jpeg));
-    STBI_NOTUSED(ri);
-    j->s = s;
-    stbi__setup_jpeg(j);
-@@ -4021,6 +4022,7 @@ static int stbi__jpeg_test(stbi__context *s)
-    int r;
-    stbi__jpeg* j = (stbi__jpeg*)stbi__malloc(sizeof(stbi__jpeg));
-    if (!j) return stbi__err("outofmem", "Out of memory");
-+   memset(j, 0, sizeof(stbi__jpeg));
-    j->s = s;
-    stbi__setup_jpeg(j);
-    r = stbi__decode_jpeg_header(j, STBI__SCAN_type);
-@@ -4046,6 +4048,7 @@ static int stbi__jpeg_info(stbi__context *s, int *x, int *y, int *comp)
-    int result;
-    stbi__jpeg* j = (stbi__jpeg*) (stbi__malloc(sizeof(stbi__jpeg)));
-    if (!j) return stbi__err("outofmem", "Out of memory");
-+   memset(j, 0, sizeof(stbi__jpeg));
-    j->s = s;
-    result = stbi__jpeg_info_raw(j, x, y, comp);
-    STBI_FREE(j);

1454.patch

@@ -0,0 +1,24 @@
+From 4e58258d8c434111fe2e8f1146ae0a72b0e8c554 Mon Sep 17 00:00:00 2001
+From: Neil Bickford <nbickford@nvidia.com>
+Date: Sat, 25 Feb 2023 05:13:25 -0800
+Subject: [PATCH] Fix nullptr dereference when a PIC file causes
+ stbi__pic_load_core to return 0, and the requested number of components to
+ stbi_load_from_memory is not 0 or 4
+
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..7e6ddeefd 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -6527,7 +6527,7 @@ static void *stbi__pic_load(stbi__context *s,int *px,int *py,int *comp,int req_c
+ 
+    if (!stbi__pic_load_core(s,x,y,comp, result)) {
+       STBI_FREE(result);
+-      result=0;
++      return 0;
+    }
+    *px = x;
+    *py = y;

1530.patch

@@ -0,0 +1,24 @@
+From f100bfc302c0e095856c71a174714cce0a22e30a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 15:30:26 +0200
+Subject: [PATCH] Fix integer overflow
+
+Cast to `size_t` to avoid multiplication overflow.
+Fixes #1529
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..552129bc4 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -1207,7 +1207,7 @@ static stbi__uint16 *stbi__convert_8_to_16(stbi_uc *orig, int w, int h, int chan
+    int img_len = w * h * channels;
+    stbi__uint16 *enlarged;
+ 
+-   enlarged = (stbi__uint16 *) stbi__malloc(img_len*2);
++   enlarged = (stbi__uint16 *) stbi__malloc(((size_t)img_len)*2);
+    if (enlarged == NULL) return (stbi__uint16 *) stbi__errpuc("outofmem", "Out of memory");
+ 
+    for (i = 0; i < img_len; ++i)

1532.patch

@@ -0,0 +1,36 @@
+From 178e1ab7684c46f233082a4f15308a54c9ae5a15 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 15:38:33 +0200
+Subject: [PATCH] Add overflow checks
+
+Fixes #1531
+---
+ stb_image.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..aac3653ac 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -6990,6 +6990,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+             stride = g.w * g.h * 4;
+ 
+             if (out) {
++               if (!stbi__mul2sizes_valid(layers, stride)) {
++                  void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++                  return ret;
++               }
+                void *tmp = (stbi_uc*) STBI_REALLOC_SIZED( out, out_size, layers * stride );
+                if (!tmp)
+                   return stbi__load_gif_main_outofmem(&g, out, delays);
+@@ -7006,6 +7010,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+                   delays_size = layers * sizeof(int);
+                }
+             } else {
++               if (!stbi__mul2sizes_valid(layers, stride)) {
++                  void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++                  return ret;
++               }
+                out = (stbi_uc*)stbi__malloc( layers * stride );
+                if (!out)
+                   return stbi__load_gif_main_outofmem(&g, out, delays);

1534.patch

@@ -0,0 +1,23 @@
+From d66d0fe8c1a6ed393817791e4376374fa7f4ecc1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 15:42:23 +0200
+Subject: [PATCH] Fix int overflow
+
+Fixes #1533
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..6d63ab32b 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -2222,7 +2222,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
+    dc = j->img_comp[b].dc_pred + diff;
+    j->img_comp[b].dc_pred = dc;
+    if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
+-   data[0] = (short) (dc * dequant[0]);
++   data[0] = (short) ((size_t)dc * dequant[0]);
+ 
+    // decode AC components, see JPEG spec
+    k = 1;

1539.patch

@@ -0,0 +1,24 @@
+From 8cfcbf7dde7705c849f4f7a5acb26f79b895fffe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 15:57:03 +0200
+Subject: [PATCH] Fix wild address read in stbi__gif_load_next
+
+It seems `layers` were forgotten to include in equation.
+Fixes #1538
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..cd09ab697 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -7019,7 +7019,7 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+             }
+             memcpy( out + ((layers - 1) * stride), u, stride );
+             if (layers >= 2) {
+-               two_back = out - 2 * stride;
++               two_back = out + (layers - 2) * stride;
+             }
+ 
+             if (delays) {

1541.patch

@@ -0,0 +1,25 @@
+From 973cdc889deaae2b97d1bdf9b793b96be02b9b3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:03:41 +0200
+Subject: [PATCH] Fix multi-byte read heap buffer overflow in
+ stbi__vertical_flip
+
+Fixes #1540
+---
+ stb_image.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..49c53d092 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -1447,7 +1447,8 @@ STBIDEF stbi_uc *stbi_load_gif_from_memory(stbi_uc const *buffer, int len, int *
+ 
+    result = (unsigned char*) stbi__load_gif_main(&s, delays, x, y, z, comp, req_comp);
+    if (stbi__vertically_flip_on_load) {
+-      stbi__vertical_flip_slices( result, *x, *y, *z, *comp );
++      int channels = req_comp ? req_comp : *comp;
++      stbi__vertical_flip_slices( result, *x, *y, *z, channels );
+    }
+ 
+    return result;

1543.patch

@@ -0,0 +1,38 @@
+From 20f77a9b7f53624014e8c7224eeb182674111bcb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:10:45 +0200
+Subject: [PATCH] Fix disclosure of uninitialized memory in stbi__tga_load
+
+Fixes #1542
+---
+ stb_image.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..7db6dd3df 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -5933,7 +5933,10 @@ static void *stbi__tga_load(stbi__context *s, int *x, int *y, int *comp, int req
+       for (i=0; i < tga_height; ++i) {
+          int row = tga_inverted ? tga_height -i - 1 : i;
+          stbi_uc *tga_row = tga_data + row*tga_width*tga_comp;
+-         stbi__getn(s, tga_row, tga_width * tga_comp);
++         if(!stbi__getn(s, tga_row, tga_width * tga_comp)) {
++            STBI_FREE(tga_data);
++            return stbi__errpuc("bad palette", "Corrupt TGA");
++         }
+       }
+    } else  {
+       //   do I need to load a palette?
+@@ -7218,7 +7221,10 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
+          for (i=0; i < width; ++i) {
+             stbi_uc rgbe[4];
+            main_decode_loop:
+-            stbi__getn(s, rgbe, 4);
++            if (!stbi__getn(s, rgbe, 4)) {
++               STBI_FREE(hdr_data);
++               return stbi__errpf("invalid decoded scanline length", "corrupt HDR");
++            }
+             stbi__hdr_convert(hdr_data + j * width * req_comp + i * req_comp, rgbe, req_comp);
+          }
+       }

1553.patch

@@ -0,0 +1,22 @@
+From 746d207256ef408d92112a13a75aa8a42df6753f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:39:06 +0200
+Subject: [PATCH] Fix  `0` byte write heap buffer overflow in `start_decoder`
+
+Fixes #1552
+---
+ stb_vorbis.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/stb_vorbis.c b/stb_vorbis.c
+index 3e5c2504c0..8bc21de6b7 100644
+--- a/stb_vorbis.c
++++ b/stb_vorbis.c
+@@ -952,6 +952,7 @@ static void *setup_malloc(vorb *f, int sz)
+    sz = (sz+7) & ~7; // round up to nearest 8 for alignment of future allocs.
+    f->setup_memory_required += sz;
+    if (f->alloc.alloc_buffer) {
++      if (sz == 0) return NULL;
+       void *p = (char *) f->alloc.alloc_buffer + f->setup_offset;
+       if (f->setup_offset + sz > f->temp_offset) return NULL;
+       f->setup_offset += sz;

1561.patch

@@ -0,0 +1,28 @@
+From 6e715778416b229799f85b49fa3ffc0400428f89 Mon Sep 17 00:00:00 2001
+From: "Jeff Roberts (LA)" <jeffr@radgametools.com>
+Date: Thu, 19 Oct 2023 17:42:58 -0700
+Subject: [PATCH] Fixed asan error on tiny input images
+
+---
+ stb_image_resize2.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/stb_image_resize2.h b/stb_image_resize2.h
+index e0c428246..1d7bed5bd 100644
+--- a/stb_image_resize2.h
++++ b/stb_image_resize2.h
+@@ -1,4 +1,4 @@
+-/* stb_image_resize2 - v2.01 - public domain image resizing
++/* stb_image_resize2 - v2.02 - public domain image resizing
+    
+    by Jeff Roberts (v2) and Jorge L Rodriguez 
+    http://github.com/nothings/stb
+@@ -3697,7 +3697,7 @@ static int stbir__pack_coefficients( int num_contributors, stbir__contributors*
+     float * coeffs = coefficents + widest * ( num_contributors - 1 );
+ 
+     // go until no chance of clipping (this is usually less than 8 lops)
+-    while ( ( ( contribs->n0 + widest*2 ) >= row_width ) && ( contribs >= contributors ) )
++    while ( ( contribs >= contributors ) && ( ( contribs->n0 + widest*2 ) >= row_width ) )
+     {
+       // might we clip??
+       if ( ( contribs->n0 + widest ) > row_width )

fix-riscv64-compile-uintptr.patch

@@ -0,0 +1,13 @@
+diff --git a/stb_sprintf.h b/stb_sprintf.h
+index ca432a6..fb49e4d 100644
+--- a/stb_sprintf.h
++++ b/stb_sprintf.h
+@@ -230,7 +230,7 @@ STBSP__PUBLICDEC void STB_SPRINTF_DECORATE(set_separators)(char comma, char peri
+ #define stbsp__uint16 unsigned short
+ 
+ #ifndef stbsp__uintptr
+-#if defined(__ppc64__) || defined(__powerpc64__) || defined(__aarch64__) || defined(_M_X64) || defined(__x86_64__) || defined(__x86_64) || defined(__s390x__)
++#if defined(__ppc64__) || defined(__powerpc64__) || defined(__aarch64__) || defined(_M_X64) || defined(__x86_64__) || defined(__x86_64) || defined(__s390x__) || defined(__LP64__) || (defined(__riscv) && __riscv_xlen == 64)
+ #define stbsp__uintptr stbsp__uint64
+ #else
+ #define stbsp__uintptr stbsp__uint32

sources

@@ -1 +1 @@
-SHA512 (stb-8b5f1f37b5b75829fc72d38e7b5d4bcbf8a26d55.tar.gz) = 76e0ed7536146aac71f89d6246235221c1dc0bd035ae4b33d496213acf5be95413cae4455a3f1419f84113320f7bd662dc50b47788cbdc8e7208bbbbcfd23f98
+SHA512 (stb-beebb24b945efdea3b9bba23affb8eb3ba8982e7.tar.gz) = 83f09092340f158772c467d2069309c06a7c888d710ea651a974d7be47391d78be36b76e4ad32a38972da5e78561ea8fa13a9e20a81c1b89ff00e8f3dd73c8ed

stb.spec

@@ -1,5 +1,5 @@
-%global commit 8b5f1f37b5b75829fc72d38e7b5d4bcbf8a26d55
-%global snapdate 20220908
+%global commit beebb24b945efdea3b9bba23affb8eb3ba8982e7
+%global snapdate 20231011
 
 # We choose not to package the “stb_include” library (stb_include.h) because,
 # during the package review, it was observed that it follows coding practices
@@ -9,22 +9,22 @@
 # - It uses of strcat/strcpy into a fixed-length buffer that is assumed (but
 #   not proven) to be large enough for all possible uses
 # - It ignores I/O errors (possibly leading to undefined behavior from reading
-#   uninitialized memory), and so on. Making it
+#   uninitialized memory), and so on.
 #
 # A substantial rewrite would be required to mitigate these concerns. If a
 # request for this library arises, this decision may be revisited, or the
 # necessary rewrite may be done and offered upstream. For now, we omit the
 # library and expect it will not be missed.
-%bcond_with stb_include
+%bcond stb_include 0
 
 Name:           stb
 # While the individual header-only libraries are versioned, the overall
 # collection is not, and there are no releases. See:
 #   https://github.com/nothings/stb/issues/359
 #   https://github.com/nothings/stb/issues/1101
-%global snapinfo ^%{snapdate}git%(echo '%{commit}' | cut -b -7)
+%global snapinfo ^%{snapdate}git%(c='%{commit}'; echo "${c:0:7}")
 Version:        0%{snapinfo}
-Release:        %autorelease -p
+Release:        %autorelease -e 0.riscv64
 Summary:        Single-file public domain libraries for C/C++
 
 # See LICENSE.
@@ -36,7 +36,7 @@ License:        MIT OR Unlicense
 #   tests/caveview/win32/SDL_windows_main.c are Public Domain
 # - tests/caveview/glext.h is MIT (only)
 URL:            https://github.com/nothings/stb
-Source0:        %{url}/archive/%{commit}/stb-%{commit}.tar.gz
+Source:         %{url}/archive/%{commit}/stb-%{commit}.tar.gz
 
 # Fix undefined behavior from array “shape-punning”
 # https://github.com/nothings/stb/pull/1194
@@ -54,34 +54,8 @@ Patch:          %{url}/pull/1196.patch
 # https://github.com/nothings/stb/pull/1198
 Patch:          %{url}/pull/1198.patch
 
-# Candidate fix for:
-# https://nvd.nist.gov/vuln/detail/CVE-2021-42715
-#
-# In stb_image's HDR reader, loading a specially constructed invalid HDR file
-# can result in an infinite loop within the RLE decoder
-# https://github.com/nothings/stb/issues/1224
-#
-# ----
-#
-# Additionally, this is a candidate fix for:
-# https://nvd.nist.gov/vuln/detail/CVE-2021-42716
-#
-# stbi__pnm_load heap-buffer-overflow bug
-# https://github.com/nothings/stb/issues/1166
-#
-# In stb_image's PNM reader, loading a specially constructed valid 16-bit PGM
-# file with 4 channels can cause a crash due to an out-of-bounds read
-# https://github.com/nothings/stb/issues/1225
-#
-# ----
-#
-# Fixes a crash and an infinite loop in stb_image that could occur with
-# specially constructed PGM and HDR files
-# https://github.com/nothings/stb/pull/1223
-Patch:          %{url}/pull/1223.patch
-
 # Forward declare stbhw__process struct to fix warnings
-# https://github.com/nothings/stb/pull/1225
+# https://github.com/nothings/stb/pull/1236
 #
 # We don’t see these warnings in the “compile tests”, but we can reproduce them
 # by manually compiling tests/herringbone_map.c; a real user of the
@@ -89,21 +63,138 @@ Patch:          %{url}/pull/1223.patch
 # patch shows it to be correct.
 Patch:          %{url}/pull/1236.patch
 
-# Candidate fix for:
-# https://nvd.nist.gov/vuln/detail/CVE-2022-28041
+# Fixes null pointer dereference in https://github.com/nothings/stb/issues/1452
+# https://github.com/nothings/stb/pull/1454
 #
-# stb_image.h v2.27 was discovered to contain an integer overflow via the
-# function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers
-# to cause a Denial of Service (DoS) via unspecified vectors.
+# Fixes:
 #
-# UBSAN: integer overflow
-# https://github.com/nothings/stb/issues/1292
+# NULL pointer dereference in the stb_image.h
+# https://github.com/nothings/stb/issues/1452
+# NULL pointer derefence in PIC loading (CVE-2023-43898)
+# https://github.com/nothings/stb/issues/1521
+# Null pointer dereference in stbi__convert_format (GHSL-2023-149)
+# https://github.com/nothings/stb/issues/1546
 #
-# ----
+# An alternative and equivalent patch is:
 #
-# Additional stb_image fixes for bugs from ossfuzz and issues 1289, 1291, 1292, and 1293
-# https://github.com/nothings/stb/pull/1297
-Patch:          %{url}/pull/1297.patch
+# Fix Null pointer dereference in stbi__convert_format
+# https://github.com/nothings/stb/pull/1547
+Patch:          %{url}/pull/1454.patch
+
+# Fixed asan error on tiny input images
+# https://github.com/nothings/stb/pull/1561
+#
+# Fixes:
+#
+# stb_image_resize2.h: Address Sanitizer error
+# https://github.com/nothings/stb/issues/1526
+Patch:          %{url}/pull/1561.patch
+
+# Fix integer overflow
+# https://github.com/nothings/stb/pull/1530
+#
+# Fixes:
+#
+# Integer overflow in stbi__convert_8_to_16
+# https://github.com/nothings/stb/issues/1529
+Patch:          %{url}/pull/1530.patch
+
+# Add overflow checks
+# https://github.com/nothings/stb/pull/1532
+#
+# Fixes:
+#
+# Integer overflow in stbi__load_gif_main
+# https://github.com/nothings/stb/issues/1531
+Patch:          %{url}/pull/1532.patch
+
+# Fix int overflow
+# https://github.com/nothings/stb/pull/1534
+#
+# Fixes:
+#
+# Integer overflow in stbi__jpeg_decode_block
+# https://github.com/nothings/stb/pull/1533
+Patch:          %{url}/pull/1534.patch
+
+# Fix wild address read in stbi__gif_load_next
+# https://github.com/nothings/stb/pull/1539
+#
+# Fixes:
+#
+# Wild address read in stbi__gif_load_next (GHSL-2023-145/CVE-2023-45661)
+# https://github.com/nothings/stb/issues/1538
+Patch:          %{url}/pull/1539.patch
+
+# Fix multi-byte read heap buffer overflow in stbi__vertical_flip
+# https://github.com/nothings/stb/pull/1541
+#
+# Fixes:
+#
+# Multi-byte read heap buffer overflow in stbi__vertical_flip
+# (GHSL-2023-146/CVE-2023-45662)
+# https://github.com/nothings/stb/issues/1540
+Patch:          %{url}/pull/1541.patch
+
+# Fix disclosure of uninitialized memory in stbi__tga_load
+# https://github.com/nothings/stb/pull/1543
+#
+# Fixes:
+#
+# Disclosure of uninitialized memory in stbi__tga_load
+# (GHSL-2023-147/CVE-2023-45663)
+# https://github.com/nothings/stb/issues/1542
+Patch:          %{url}/pull/1543.patch
+
+# Fix double-free in stbi__load_gif_main_outofmem
+# https://github.com/nothings/stb/pull/1545
+#
+# Fixes:
+#
+# Double-free in stbi__load_gif_main_outofmem (GHSL-2023-148/CVE-2023-45664)
+# https://github.com/nothings/stb/issues/1544
+#
+# Rebased on top of https://github.com/nothings/stb/pull/1539.
+Patch:          0001-Fix-double-free-in-stbi__load_gif_main_outofmem.patch
+
+# Fix possible double-free or memory leak in stbi__load_gif_main
+# https://github.com/nothings/stb/pull/1549
+#
+# Fixes:
+#
+# Possible double-free or memory leak in stbi__load_gif_main
+# (GHSL-2023-150/CVE-2023-45666)
+# https://github.com/nothings/stb/issues/1548
+#
+# Rebased on top of https://github.com/nothings/stb/pull/1539 and
+# https://github.com/nothings/stb/pull/1545.
+Patch:          0002-Fix-possible-double-free-or-memory-leak-in-stbi__loa.patch
+
+# Fix Null pointer dereference because of an uninitialized variable
+# https://github.com/nothings/stb/pull/1551
+#
+# Fixes:
+#
+# Null pointer dereference because of an uninitialized variable
+# (GHSL-2023-151/CVE-2023-45667)
+# https://github.com/nothings/stb/issues/1550
+#
+# Rebased on top of https://github.com/nothings/stb/pull/1541.
+Patch:          0001-Fix-Null-pointer-dereference-because-of-an-uninitial.patch
+
+# Fix 0 byte write heap buffer overflow in start_decoder
+# https://github.com/nothings/stb/pull/1553
+#
+# Fixes:
+#
+# 0 byte write heap buffer overflow in start_decoder
+# (GHSL-2023-165/CVE-2023-45675)
+# https://github.com/nothings/stb/issues/1552
+Patch:          %{url}/pull/1553.patch
+
+
+# riscv64 compile fix
+Patch: fix-riscv64-compile-uintptr.patch
 
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
@@ -113,8 +204,9 @@ Patch:          %{url}/pull/1297.patch
 %global stb_easy_font_version 1.1
 %global stb_herringbone_wang_tile_version 0.7
 %global stb_hexwave_version 0.5
-%global stb_image_version 2.27
+%global stb_image_version 2.28
 %global stb_image_resize_version 0.97
+%global stb_image_resize2_version 2.02
 %global stb_image_write_version 1.16
 %global stb_include_version 0.2
 %global stb_leakcheck_version 0.6
@@ -165,8 +257,15 @@ Requires:       stb_hexwave-devel%{?_isa} = %{stb_hexwave_version}%{snapinfo}-%{
 Requires:       stb_hexwave-static = %{stb_hexwave_version}%{snapinfo}-%{release}
 Requires:       stb_image-devel%{?_isa} = %{stb_image_version}%{snapinfo}-%{release}
 Requires:       stb_image-static = %{stb_image_version}%{snapinfo}-%{release}
+# For compatibility, we still depend on the subpackages for the original,
+# deprecated-upstream stb_image_library in existing stable releases, but we
+# drop the dependendency going forward as an acknowledgement of its status.
+%if 0%{?fc39} || 0%{?fc38} || 0%{?fc37} || 0%{?el9} || 0%{?el8} || 0%{?el7}
 Requires:       stb_image_resize-devel%{?_isa} = %{stb_image_resize_version}%{snapinfo}-%{release}
 Requires:       stb_image_resize-static = %{stb_image_resize_version}%{snapinfo}-%{release}
+%endif
+Requires:       stb_image_resize2-devel%{?_isa} = %{stb_image_resize2_version}%{snapinfo}-%{release}
+Requires:       stb_image_resize2-static = %{stb_image_resize2_version}%{snapinfo}-%{release}
 Requires:       stb_image_write-devel%{?_isa} = %{stb_image_write_version}%{snapinfo}-%{release}
 Requires:       stb_image_write-static = %{stb_image_write_version}%{snapinfo}-%{release}
 %if %{with stb_include}
@@ -336,8 +435,11 @@ Primarily of interest to game developers and other people who can avoid
 problematic images and only need the trivial interface.
 
 
+# We still package (and have chosen not to deprecate) the original
+# stb_image_resize even though upstream has deprecated it. We do not want to
+# drive dependent packages back to bundling.
 %package -n stb_image_resize-devel
-Summary:        Resize images larger/smaller with good quality
+Summary:        Resize images larger/smaller with good quality (original version)
 Version:        %{stb_image_resize_version}%{snapinfo}
 
 Provides:       stb_image_resize-static = %{stb_image_resize_version}%{snapinfo}-%{release}
@@ -350,6 +452,19 @@ threads, so it be easily outperformed by libs that use those.) Only scaling and
 translation is supported, no rotations or shears. Easy API downsamples
 w/Mitchell filter, upsamples w/cubic interpolation.
 
+This is the original version of the stb_image_resize library. It has been
+deprecated by its developer; consider porting to stb_image_resize2 instead.
+
+
+%package -n stb_image_resize2-devel
+Summary:        Resize images larger/smaller with good quality
+Version:        %{stb_image_resize2_version}%{snapinfo}
+
+Provides:       stb_image_resize2-static = %{stb_image_resize2_version}%{snapinfo}-%{release}
+
+%description -n stb_image_resize2-devel
+Image resizing.
+
 
 %package -n stb_image_write-devel
 Summary:        Image writing to disk: PNG, TGA, BMP
@@ -595,7 +710,8 @@ find . -type f -name '*.exe' -print -delete
 # Remove some unused parts of the source tree that could contribute different
 # (but acceptable) license terms if they were used—just to prove that we do not
 # use them.
-rm -rvf deprecated tests/caveview
+rm -rvf tests/caveview
+find deprecated -type f ! -name 'stb_image_resize.h' -print -delete
 
 %if %{without stb_include}
 sed -r -i '/#include[[:blank:]]+"stb_include.h"/d' tests/test_c_compilation.c
@@ -605,7 +721,6 @@ sed -r -i '/#include[[:blank:]]+"stb_include.h"/d' tests/test_c_compilation.c
 %build
 # There is no compiled code to install, since all stb libraries are
 # header-only. We do need to build the tests.
-%set_build_flags
 %make_build -C tests
 
 
@@ -622,7 +737,8 @@ sed -r -i '/#include[[:blank:]]+"stb_include.h"/d' tests/test_c_compilation.c
 # as a symbolic link to the former. This means most projects can unbundle the
 # library without having to make their own local symlinks or patch their
 # sources.
-install -t '%{buildroot}%{_includedir}/stb' -p -m 0644 -D stb_*.h stb_*.c
+install -t '%{buildroot}%{_includedir}/stb' -p -m 0644 -D \
+    stb_*.h stb_*.c deprecated/stb_image_resize.h
 %if %{without stb_include}
 rm -vf '%{buildroot}%{_includedir}/stb/stb_include.h'
 %endif
@@ -671,6 +787,7 @@ done <<'EOF'
 %{stb_hexwave_version} stb_hexwave.h
 %{stb_image_version} stb_image.h
 %{stb_image_resize_version} stb_image_resize.h
+%{stb_image_resize2_version} stb_image_resize2.h
 %{stb_image_write_version} stb_image_write.h
 %{stb_include_version} stb_include.h
 %{stb_leakcheck_version} stb_leakcheck.h
@@ -776,6 +893,14 @@ EOF
 %{_includedir}/stb_image_resize.h
 
 
+%files -n stb_image_resize2-devel
+%license LICENSE
+# Directory has shared ownership across stb subpackages:
+%dir %{_includedir}/stb
+%{_includedir}/stb/stb_image_resize2.h
+%{_includedir}/stb_image_resize2.h
+
+
 %files -n stb_image_write-devel
 %license LICENSE
 # Directory has shared ownership across stb subpackages: