!18 [sync] PR-16: fix CVE-2023-45661

From: @openeuler-sync-bot 
Reviewed-by: @dou33 
Signed-off-by: @dou33
openeuler-ci-bot 2023-11-23 01:28:01 +00:00 committed by Gitee
commit 222e89bfd6
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 148 additions and 1 deletions

24
1530.patch Normal file

@ -0,0 +1,24 @@
From f100bfc302c0e095856c71a174714cce0a22e30a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
Date: Thu, 19 Oct 2023 15:30:26 +0200
Subject: [PATCH] Fix integer overflow
Cast to `size_t` to avoid multiplication overflow.
Fixes #1529
---
stb_image.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stb_image.h b/stb_image.h
index 5e807a0a6..552129bc4 100644
--- a/stb_image.h
+++ b/stb_image.h
@@ -1207,7 +1207,7 @@ static stbi__uint16 *stbi__convert_8_to_16(stbi_uc *orig, int w, int h, int chan
int img_len = w * h * channels;
stbi__uint16 *enlarged;
- enlarged = (stbi__uint16 *) stbi__malloc(img_len*2);
+ enlarged = (stbi__uint16 *) stbi__malloc(((size_t)img_len)*2);
if (enlarged == NULL) return (stbi__uint16 *) stbi__errpuc("outofmem", "Out of memory");
for (i = 0; i < img_len; ++i)
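Review bot: The cast in the new `stbi__malloc(((size_t)img_len)*2)` line comes after the overflow-prone step, because `int img_len = w * h * channels;` two lines above is still evaluated in `int` and is not touched by this patch. Unless the callers already bound the dimensions (not visible in this hunk), a large image wraps `img_len` before it is widened, and the loop bound `i < img_len` then uses the same wrapped value. I would range-check the product before it is used, in the spirit of the `stbi__mul2sizes_valid` guard that 1532.patch adds, or, if the callers do guarantee it, say so with a comment such as `/* w*h*channels is range-checked by the caller */`. The body of `stbi__convert_8_to_16` continues past the end of the hunk.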

36
1532.patch Normal file

@ -0,0 +1,36 @@
From 178e1ab7684c46f233082a4f15308a54c9ae5a15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
Date: Thu, 19 Oct 2023 15:38:33 +0200
Subject: [PATCH] Add overflow checks
Fixes #1531
---
stb_image.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/stb_image.h b/stb_image.h
index 5e807a0a6..aac3653ac 100644
--- a/stb_image.h
+++ b/stb_image.h
@@ -6990,6 +6990,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
stride = g.w * g.h * 4;
if (out) {
+ if (!stbi__mul2sizes_valid(layers, stride)) {
+ void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
+ return ret;
+ }
void *tmp = (stbi_uc*) STBI_REALLOC_SIZED( out, out_size, layers * stride );
if (!tmp)
return stbi__load_gif_main_outofmem(&g, out, delays);
@@ -7006,6 +7010,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
delays_size = layers * sizeof(int);
}
} else {
+ if (!stbi__mul2sizes_valid(layers, stride)) {
+ void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
+ return ret;
+ }
out = (stbi_uc*)stbi__malloc( layers * stride );
if (!out)
return stbi__load_gif_main_outofmem(&g, out, delays);
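Review bot: Both added guards validate `layers * stride`, but `stride = g.w * g.h * 4` at the top of the first hunk is itself an `int` product, and nothing in these hunks shows it being range-checked. The guard is therefore only as good as whatever bounds the GIF dimensions before this point, which should be confirmed and noted in a comment next to the assignment. The `STBI_REALLOC_SIZED( out, out_size, layers * stride )` and `stbi__malloc( layers * stride )` calls still multiply in `int` and are safe only because the new check sits directly in front of them. As a style point, the temporary adds nothing: `return stbi__load_gif_main_outofmem(&g, out, delays);` would match the two existing error returns. `stbi__load_gif_main` begins and ends outside both hunks.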

23
1534.patch Normal file

@ -0,0 +1,23 @@
From d66d0fe8c1a6ed393817791e4376374fa7f4ecc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
Date: Thu, 19 Oct 2023 15:42:23 +0200
Subject: [PATCH] Fix int overflow
Fixes #1533
---
stb_image.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stb_image.h b/stb_image.h
index 5e807a0a6..6d63ab32b 100644
--- a/stb_image.h
+++ b/stb_image.h
@@ -2222,7 +2222,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
dc = j->img_comp[b].dc_pred + diff;
j->img_comp[b].dc_pred = dc;
if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
- data[0] = (short) (dc * dequant[0]);
+ data[0] = (short) ((size_t)dc * dequant[0]);
// decode AC components, see JPEG spec
k = 1;
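Review bot: `(size_t)dc` converts a signed value that can be negative into an unsigned type, so the new `data[0]` line reaches the intended result only through modular wrap-around followed by an implementation-defined narrowing to `short`. That is worth a comment on the line, for example `/* unsigned math avoids signed-overflow UB; range is verified by stbi__mul2shorts_valid above */`. The fix also relies on `stbi__mul2shorts_valid` seeing the full `int` value of `dc` rather than one already narrowed to `short`. Its prototype is not part of this hunk, so that should be confirmed before treating the check as sufficient. `stbi__jpeg_decode_block` starts and ends outside the hunk.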

24
1539.patch Normal file

@ -0,0 +1,24 @@
From 8cfcbf7dde7705c849f4f7a5acb26f79b895fffe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
Date: Thu, 19 Oct 2023 15:57:03 +0200
Subject: [PATCH] Fix wild address read in stbi__gif_load_next
It seems `layers` were forgotten to include in equation.
Fixes #1538
---
stb_image.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stb_image.h b/stb_image.h
index 5e807a0a6..cd09ab697 100644
--- a/stb_image.h
+++ b/stb_image.h
@@ -7019,7 +7019,7 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
}
memcpy( out + ((layers - 1) * stride), u, stride );
if (layers >= 2) {
- two_back = out - 2 * stride;
+ two_back = out + (layers - 2) * stride;
}
if (delays) {


@ -23,7 +23,7 @@ Name: stb
# https://github.com/nothings/stb/issues/1101
%global snapinfo .20220908git8b5f1f3
Version: 0%{snapinfo}
Release: 0.6
Release: 0.7
Summary: Single-file public domain libraries for C/C++
# See LICENSE.
@ -131,6 +131,43 @@ Patch08: 1230.patch
# https://github.com/nothings/stb/pull/1547
Patch: 1454.patch
# Fix integer overflow
# https://github.com/nothings/stb/pull/1530
#
# Fixes:
#
# Integer overflow in stbi__convert_8_to_16
# https://github.com/nothings/stb/issues/1529
Patch: 1530.patch
# Add overflow checks
# https://github.com/nothings/stb/pull/1532
#
# Fixes:
#
# Integer overflow in stbi__load_gif_main
# https://github.com/nothings/stb/issues/1531
Patch: 1532.patch
# Fix int overflow
# https://github.com/nothings/stb/pull/1534
#
# Fixes:
#
# Integer overflow in stbi__jpeg_decode_block
# https://github.com/nothings/stb/pull/1533
Patch: 1534.patch
# Fix wild address read in stbi__gif_load_next
# https://github.com/nothings/stb/pull/1539
#
# Fixes:
#
# Wild address read in stbi__gif_load_next (GHSL-2023-145/CVE-2023-45661)
# https://github.com/nothings/stb/issues/1538
Patch: 1539.patch
%global stb_c_lexer_version 0.12
%global stb_connected_components_version 0.96
%global stb_divide_version 0.94
@ -886,6 +923,9 @@ EOF
%changelog
* Fri Nov 10 2023 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.7
- stb_image: fix GHSL-2023-145 / fix CVE-2023-45661
* Fri Nov 10 2023 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.6
- Document that 1454.patch fixes CVE-2023-43898
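Review bot: The comment block for 1534.patch gives the fixed report as `https://github.com/nothings/stb/pull/1533`, while the patch header says `Fixes #1533` and the other three entries link their report under `/issues/`; `# https://github.com/nothings/stb/issues/1533` would be consistent. Only the 1539.patch entry carries an advisory id (GHSL-2023-145/CVE-2023-45661), and the new changelog line names only that one. If the other three patches correspond to separately tracked advisories, naming them in the same way in the comments and the changelog would make later audits of this package easier.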