!53 [sync] PR-52: sync 24.04-LTS to 22.03-LTS

From: @openeuler-sync-bot 
Reviewed-by: @peijiankang 
Signed-off-by: @peijiankang

0001-Fix-Null-pointer-dereference-because-of-an-uninitial.patch

@@ -0,0 +1,27 @@
+From 800a684d6d3cae7ed2437a23496d9306c0dfa8dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:33:06 +0200
+Subject: [PATCH] Fix Null pointer dereference because of an uninitialized
+ variable
+
+Call `stbi__vertical_flip_slices` only if the previous function didn't fail. Fixes #1550
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 49c53d0..de12c06 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -1446,7 +1446,7 @@ STBIDEF stbi_uc *stbi_load_gif_from_memory(stbi_uc const *buffer, int len, int *
+    stbi__start_mem(&s,buffer,len);
+ 
+    result = (unsigned char*) stbi__load_gif_main(&s, delays, x, y, z, comp, req_comp);
+-   if (stbi__vertically_flip_on_load) {
++   if (stbi__vertically_flip_on_load && result) {
+       int channels = req_comp ? req_comp : *comp;
+       stbi__vertical_flip_slices( result, *x, *y, *z, channels );
+    }
+-- 
+2.41.0
+

0002-Fix-possible-double-free-or-memory-leak-in-stbi__loa.patch

@@ -0,0 +1,46 @@
+From 33c3c202425daea456520f92846b37da6a83e1c0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:29:56 +0200
+Subject: [PATCH 2/2] Fix possible double-free or memory leak in
+ stbi__load_gif_main
+
+Fixes #1548
+---
+ stb_image.h | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index d3a1f59..df4ff95 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -6999,8 +6999,11 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+                   return ret;
+                }
+                void *tmp = (stbi_uc*) STBI_REALLOC_SIZED( out, out_size, layers * stride );
+-               if (!tmp)
+-                  return stbi__load_gif_main_outofmem(&g, out, delays);
++               if (!tmp) {
++                  void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++                 if (delays && *delays) *delays = 0;
++                 return ret;
++              }
+                else {
+                    out = (stbi_uc*) tmp;
+                    out_size = layers * stride;
+@@ -7019,8 +7022,11 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+                   return ret;
+                }
+                out = (stbi_uc*)stbi__malloc( layers * stride );
+-               if (!out)
+-                  return stbi__load_gif_main_outofmem(&g, out, delays);
++               if (!out) {
++                  void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++                 if (delays && *delays) *delays = 0;
++                 return ret;
++              }
+                out_size = layers * stride;
+                if (delays) {
+                   *delays = (int*) stbi__malloc( layers * sizeof(int) );
+-- 
+2.41.0
+

1541.patch

@@ -0,0 +1,25 @@
+From 973cdc889deaae2b97d1bdf9b793b96be02b9b3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:03:41 +0200
+Subject: [PATCH] Fix multi-byte read heap buffer overflow in
+ stbi__vertical_flip
+
+Fixes #1540
+---
+ stb_image.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..49c53d092 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -1447,7 +1447,8 @@ STBIDEF stbi_uc *stbi_load_gif_from_memory(stbi_uc const *buffer, int len, int *
+ 
+    result = (unsigned char*) stbi__load_gif_main(&s, delays, x, y, z, comp, req_comp);
+    if (stbi__vertically_flip_on_load) {
+-      stbi__vertical_flip_slices( result, *x, *y, *z, *comp );
++      int channels = req_comp ? req_comp : *comp;
++      stbi__vertical_flip_slices( result, *x, *y, *z, channels );
+    }
+ 
+    return result;

1543.patch

@@ -0,0 +1,38 @@
+From 20f77a9b7f53624014e8c7224eeb182674111bcb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:10:45 +0200
+Subject: [PATCH] Fix disclosure of uninitialized memory in stbi__tga_load
+
+Fixes #1542
+---
+ stb_image.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..7db6dd3df 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -5933,7 +5933,10 @@ static void *stbi__tga_load(stbi__context *s, int *x, int *y, int *comp, int req
+       for (i=0; i < tga_height; ++i) {
+          int row = tga_inverted ? tga_height -i - 1 : i;
+          stbi_uc *tga_row = tga_data + row*tga_width*tga_comp;
+-         stbi__getn(s, tga_row, tga_width * tga_comp);
++         if(!stbi__getn(s, tga_row, tga_width * tga_comp)) {
++            STBI_FREE(tga_data);
++            return stbi__errpuc("bad palette", "Corrupt TGA");
++         }
+       }
+    } else  {
+       //   do I need to load a palette?
+@@ -7218,7 +7221,10 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
+          for (i=0; i < width; ++i) {
+             stbi_uc rgbe[4];
+            main_decode_loop:
+-            stbi__getn(s, rgbe, 4);
++            if (!stbi__getn(s, rgbe, 4)) {
++               STBI_FREE(hdr_data);
++               return stbi__errpf("invalid decoded scanline length", "corrupt HDR");
++            }
+             stbi__hdr_convert(hdr_data + j * width * req_comp + i * req_comp, rgbe, req_comp);
+          }
+       }

1553.patch

@@ -0,0 +1,22 @@
+From 746d207256ef408d92112a13a75aa8a42df6753f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:39:06 +0200
+Subject: [PATCH] Fix  `0` byte write heap buffer overflow in `start_decoder`
+
+Fixes #1552
+---
+ stb_vorbis.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/stb_vorbis.c b/stb_vorbis.c
+index 3e5c2504c0..8bc21de6b7 100644
+--- a/stb_vorbis.c
++++ b/stb_vorbis.c
+@@ -952,6 +952,7 @@ static void *setup_malloc(vorb *f, int sz)
+    sz = (sz+7) & ~7; // round up to nearest 8 for alignment of future allocs.
+    f->setup_memory_required += sz;
+    if (f->alloc.alloc_buffer) {
++      if (sz == 0) return NULL;
+       void *p = (char *) f->alloc.alloc_buffer + f->setup_offset;
+       if (f->setup_offset + sz > f->temp_offset) return NULL;
+       f->setup_offset += sz;

1559.patch

@@ -0,0 +1,25 @@
+From 3741e6fea656d3f1b9578d59f14d8945aea92a10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 17:07:26 +0200
+Subject: [PATCH] Out of bounds heap buffer write
+ (`GHSL-2023-171/CVE-2023-45681`)
+
+---
+ stb_vorbis.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/stb_vorbis.c b/stb_vorbis.c
+index 3e5c2504c0..6ebd7dcb95 100644
+--- a/stb_vorbis.c
++++ b/stb_vorbis.c
+@@ -3661,6 +3661,10 @@ static int start_decoder(vorb *f)
+    f->comment_list = NULL;
+    if (f->comment_list_length > 0)
+    {
++      if (INT_MAX / sizeof(char*) < f->comment_list_length) {
++         f->comment_list_length = 0;
++         return error(f, VORBIS_outofmem);
++      }
+       f->comment_list = (char**) setup_malloc(f, sizeof(char*) * (f->comment_list_length));
+       if (f->comment_list == NULL)                  return error(f, VORBIS_outofmem);
+    }

fix-build-on-riscv64.patch

@@ -0,0 +1,22 @@
+From 3cf93a58ad15d6d8a124dadca8fca3dbb2ea357c Mon Sep 17 00:00:00 2001
+From: Eric Long <i@hack3r.moe>
+Date: Sat, 23 Sep 2023 22:43:11 +0800
+Subject: [PATCH] Fix stbsp__uintptr on riscv64
+
+---
+ stb_sprintf.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_sprintf.h b/stb_sprintf.h
+index ca432a6bca..2add83e2a5 100644
+--- a/stb_sprintf.h
++++ b/stb_sprintf.h
+@@ -230,7 +230,7 @@ STBSP__PUBLICDEC void STB_SPRINTF_DECORATE(set_separators)(char comma, char peri
+ #define stbsp__uint16 unsigned short
+ 
+ #ifndef stbsp__uintptr
+-#if defined(__ppc64__) || defined(__powerpc64__) || defined(__aarch64__) || defined(_M_X64) || defined(__x86_64__) || defined(__x86_64) || defined(__s390x__)
++#if defined(__ppc64__) || defined(__powerpc64__) || defined(__aarch64__) || defined(_M_X64) || defined(__x86_64__) || defined(__x86_64) || defined(__s390x__) || defined(__riscv) && __riscv_xlen == 64
+ #define stbsp__uintptr stbsp__uint64
+ #else
+ #define stbsp__uintptr stbsp__uint32

stb.spec

@@ -23,7 +23,7 @@ Name:           stb
 #   https://github.com/nothings/stb/issues/1101
 %global snapinfo .20220908git8b5f1f3
 Version:        0%{snapinfo}
-Release:        0.8
+Release:        0.16
 Summary:        Single-file public domain libraries for C/C++
 
 # See LICENSE.
@@ -129,7 +129,7 @@ Patch08:        1230.patch
 #
 # Fix Null pointer dereference in stbi__convert_format
 # https://github.com/nothings/stb/pull/1547
-Patch:          1454.patch
+Patch09:        1454.patch
 
 # Fix integer overflow
 # https://github.com/nothings/stb/pull/1530
@@ -138,7 +138,7 @@ Patch:          1454.patch
 #
 # Integer overflow in stbi__convert_8_to_16
 # https://github.com/nothings/stb/issues/1529
-Patch:          1530.patch
+Patch10:        1530.patch
 
 # Add overflow checks
 # https://github.com/nothings/stb/pull/1532
@@ -147,7 +147,7 @@ Patch:          1530.patch
 #
 # Integer overflow in stbi__load_gif_main
 # https://github.com/nothings/stb/issues/1531
-Patch:          1532.patch
+Patch11:        1532.patch
 
 # Fix int overflow
 # https://github.com/nothings/stb/pull/1534
@@ -156,7 +156,7 @@ Patch:          1532.patch
 #
 # Integer overflow in stbi__jpeg_decode_block
 # https://github.com/nothings/stb/pull/1533
-Patch:          1534.patch
+Patch12:        1534.patch
 
 # Fix wild address read in stbi__gif_load_next
 # https://github.com/nothings/stb/pull/1539
@@ -165,7 +165,27 @@ Patch:          1534.patch
 #
 # Wild address read in stbi__gif_load_next (GHSL-2023-145/CVE-2023-45661)
 # https://github.com/nothings/stb/issues/1538
-Patch:          1539.patch
+Patch13:        1539.patch
+
+# Fix multi-byte read heap buffer overflow in stbi__vertical_flip
+# https://github.com/nothings/stb/pull/1541
+#
+# Fixes:
+#
+# Multi-byte read heap buffer overflow in stbi__vertical_flip
+# (GHSL-2023-146/CVE-2023-45662)
+# https://github.com/nothings/stb/issues/1540
+Patch14:        1541.patch
+
+# Fix disclosure of uninitialized memory in stbi__tga_load
+# https://github.com/nothings/stb/pull/1543
+#
+# Fixes:
+#
+# Disclosure of uninitialized memory in stbi__tga_load
+# (GHSL-2023-147/CVE-2023-45663)
+# https://github.com/nothings/stb/issues/1542
+Patch15:        1543.patch
 
 # Fix double-free in stbi__load_gif_main_outofmem
 # https://github.com/nothings/stb/pull/1545
@@ -176,8 +196,56 @@ Patch:          1539.patch
 # https://github.com/nothings/stb/issues/1544
 #
 # Rebased on top of https://github.com/nothings/stb/pull/1539.
-Patch:        0001-Fix-double-free-in-stbi__load_gif_main_outofmem.patch
+Patch16:        0001-Fix-double-free-in-stbi__load_gif_main_outofmem.patch
 
+# Fix possible double-free or memory leak in stbi__load_gif_main
+# https://github.com/nothings/stb/pull/1549
+#
+# Fixes:
+#
+# Possible double-free or memory leak in stbi__load_gif_main
+# (GHSL-2023-150/CVE-2023-45666)
+# https://github.com/nothings/stb/issues/1548
+#
+# Rebased on top of https://github.com/nothings/stb/pull/1539 and
+# https://github.com/nothings/stb/pull/1545.
+Patch17:        0002-Fix-possible-double-free-or-memory-leak-in-stbi__loa.patch
+
+# Fix Null pointer dereference because of an uninitialized variable
+# https://github.com/nothings/stb/pull/1551
+#
+# Fixes:
+#
+# Null pointer dereference because of an uninitialized variable
+# (GHSL-2023-151/CVE-2023-45667)
+# https://github.com/nothings/stb/issues/1550
+#
+# Rebased on top of https://github.com/nothings/stb/pull/1541.
+Patch18:        0001-Fix-Null-pointer-dereference-because-of-an-uninitial.patch
+
+# Fix 0 byte write heap buffer overflow in start_decoder
+# https://github.com/nothings/stb/pull/1553
+#
+# Fixes:
+#
+# 0 byte write heap buffer overflow in start_decoder
+# (GHSL-2023-165/CVE-2023-45675)
+# https://github.com/nothings/stb/issues/1552
+Patch19:        1553.patch
+
+%ifarch riscv64
+Patch1000:      fix-build-on-riscv64.patch
+%endif
+
+# Out of bounds heap buffer write (GHSL-2023-171/CVE-2023-45681)
+# https://github.com/nothings/stb/pull/1559
+# Fixes CVE-2023-45681 and duplicate CVE-2023-47212
+# https://bugzilla.redhat.com/show_bug.cgi?id=2278402
+Patch20:        1559.patch
+
+
+%global stb_c_lexer_version 0.12
+%global stb_connected_components_version 0.96
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94
@@ -933,6 +1001,30 @@ EOF
 
 
 %changelog
+* Wed May 08 2024 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.16
+- Patch for GHSL-2023-171/CVE-2023-45681/CVE-2023-47212
+
+* Thu Mar 28 2024 misaka00251 <liuxin@iscas.ac.cn> - 0.20220908git8b5f1f3-0.15
+- Add new line to riscv64 patch to avoid build issue
+
+* Fri Mar 22 2024 misaka00251 <liuxin@iscas.ac.cn> - 0.20220908git8b5f1f3-0.14
+- Fix build on riscv64
+
+* Fri Mar 08 2024 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.13
+- stb_vorbis: fix GHSL-2023-165 / fix CVE-2023-45675
+
+* Fri Mar 01 2024 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.12
+- stb_image: fix GHSL-2023-151 / fix CVE-2023-45667
+
+* Thu Feb 29 2024 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.11
+- stb_image: fix GHSL-2023-150 / fix CVE-2023-45666
+
+* Wed Feb 28 2024 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.10
+- stb_image: fix GHSL-2023-146 / fix CVE-2023-45662
+
+* Tue Feb 27 2024 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.9
+- stb_image: fix GHSL-2023-147 / fix CVE-2023-45663
+
 * Thu Nov 23 2023 douyan <douyan@kylinos.cn> - 0.20220908git8b5f1f3-0.8
 - add patch 0001-Fix-double-free-in-stbi__load_gif_main_outofmem.patch fix CVE-2023-45664