fix CVE-2023-45661

(cherry picked from commit dac1cbe36dc51a2734a21d50aba5af37dc74f44d)

1530.patch

@@ -0,0 +1,24 @@
+From f100bfc302c0e095856c71a174714cce0a22e30a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 15:30:26 +0200
+Subject: [PATCH] Fix integer overflow
+
+Cast to `size_t` to avoid multiplication overflow.
+Fixes #1529
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..552129bc4 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -1207,7 +1207,7 @@ static stbi__uint16 *stbi__convert_8_to_16(stbi_uc *orig, int w, int h, int chan
+    int img_len = w * h * channels;
+    stbi__uint16 *enlarged;
+ 
+-   enlarged = (stbi__uint16 *) stbi__malloc(img_len*2);
++   enlarged = (stbi__uint16 *) stbi__malloc(((size_t)img_len)*2);
+    if (enlarged == NULL) return (stbi__uint16 *) stbi__errpuc("outofmem", "Out of memory");
+ 
+    for (i = 0; i < img_len; ++i)

1532.patch

@@ -0,0 +1,36 @@
+From 178e1ab7684c46f233082a4f15308a54c9ae5a15 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 15:38:33 +0200
+Subject: [PATCH] Add overflow checks
+
+Fixes #1531
+---
+ stb_image.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..aac3653ac 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -6990,6 +6990,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+             stride = g.w * g.h * 4;
+ 
+             if (out) {
++               if (!stbi__mul2sizes_valid(layers, stride)) {
++                  void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++                  return ret;
++               }
+                void *tmp = (stbi_uc*) STBI_REALLOC_SIZED( out, out_size, layers * stride );
+                if (!tmp)
+                   return stbi__load_gif_main_outofmem(&g, out, delays);
+@@ -7006,6 +7010,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+                   delays_size = layers * sizeof(int);
+                }
+             } else {
++               if (!stbi__mul2sizes_valid(layers, stride)) {
++                  void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++                  return ret;
++               }
+                out = (stbi_uc*)stbi__malloc( layers * stride );
+                if (!out)
+                   return stbi__load_gif_main_outofmem(&g, out, delays);

1534.patch

@@ -0,0 +1,23 @@
+From d66d0fe8c1a6ed393817791e4376374fa7f4ecc1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 15:42:23 +0200
+Subject: [PATCH] Fix int overflow
+
+Fixes #1533
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..6d63ab32b 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -2222,7 +2222,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
+    dc = j->img_comp[b].dc_pred + diff;
+    j->img_comp[b].dc_pred = dc;
+    if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
+-   data[0] = (short) (dc * dequant[0]);
++   data[0] = (short) ((size_t)dc * dequant[0]);
+ 
+    // decode AC components, see JPEG spec
+    k = 1;

1539.patch

@@ -0,0 +1,24 @@
+From 8cfcbf7dde7705c849f4f7a5acb26f79b895fffe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 15:57:03 +0200
+Subject: [PATCH] Fix wild address read in stbi__gif_load_next
+
+It seems `layers` were forgotten to include in equation.
+Fixes #1538
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..cd09ab697 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -7019,7 +7019,7 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+             }
+             memcpy( out + ((layers - 1) * stride), u, stride );
+             if (layers >= 2) {
+-               two_back = out - 2 * stride;
++               two_back = out + (layers - 2) * stride;
+             }
+ 
+             if (delays) {

stb.spec

@@ -23,7 +23,7 @@ Name:           stb
 #   https://github.com/nothings/stb/issues/1101
 %global snapinfo .20220908git8b5f1f3
 Version:        0%{snapinfo}
-Release:        0.6
+Release:        0.7
 Summary:        Single-file public domain libraries for C/C++
 
 # See LICENSE.
@@ -131,6 +131,43 @@ Patch08:        1230.patch
 # https://github.com/nothings/stb/pull/1547
 Patch:          1454.patch
 
+# Fix integer overflow
+# https://github.com/nothings/stb/pull/1530
+#
+# Fixes:
+#
+# Integer overflow in stbi__convert_8_to_16
+# https://github.com/nothings/stb/issues/1529
+Patch:          1530.patch
+
+# Add overflow checks
+# https://github.com/nothings/stb/pull/1532
+#
+# Fixes:
+#
+# Integer overflow in stbi__load_gif_main
+# https://github.com/nothings/stb/issues/1531
+Patch:          1532.patch
+
+# Fix int overflow
+# https://github.com/nothings/stb/pull/1534
+#
+# Fixes:
+#
+# Integer overflow in stbi__jpeg_decode_block
+# https://github.com/nothings/stb/pull/1533
+Patch:          1534.patch
+
+# Fix wild address read in stbi__gif_load_next
+# https://github.com/nothings/stb/pull/1539
+#
+# Fixes:
+#
+# Wild address read in stbi__gif_load_next (GHSL-2023-145/CVE-2023-45661)
+# https://github.com/nothings/stb/issues/1538
+Patch:          1539.patch
+
+
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94
@@ -886,6 +923,9 @@ EOF
 
 
 %changelog
+* Fri Nov 10 2023 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.7
+- stb_image: fix GHSL-2023-145 / fix CVE-2023-45661
+
 * Fri Nov 10 2023 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.6
 - Document that 1454.patch fixes CVE-2023-43898