From c5c3ceaa0b59f9bd51528790249eb586a8b5281c Mon Sep 17 00:00:00 2001
From: peijiankang <peijiankang@kylinos.cn>
Date: Wed, 28 Feb 2024 10:22:02 +0800
Subject: [PATCH] fix CVE-2023-45662 CVE-2023-45663

---
 1541.patch | 25 +++++++++++++++++++++++++
 1543.patch | 38 ++++++++++++++++++++++++++++++++++++++
 stb.spec   | 28 +++++++++++++++++++++++++++-
 3 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 1541.patch
 create mode 100644 1543.patch

diff --git a/1541.patch b/1541.patch
new file mode 100644
index 0000000..9c3ce5d
--- /dev/null
+++ b/1541.patch
@@ -0,0 +1,25 @@
+From 973cdc889deaae2b97d1bdf9b793b96be02b9b3c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:03:41 +0200
+Subject: [PATCH] Fix multi-byte read heap buffer overflow in
+ stbi__vertical_flip
+
+Fixes #1540
+---
+ stb_image.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..49c53d092 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -1447,7 +1447,8 @@ STBIDEF stbi_uc *stbi_load_gif_from_memory(stbi_uc const *buffer, int len, int *
+ 
+    result = (unsigned char*) stbi__load_gif_main(&s, delays, x, y, z, comp, req_comp);
+    if (stbi__vertically_flip_on_load) {
+-      stbi__vertical_flip_slices( result, *x, *y, *z, *comp );
++      int channels = req_comp ? req_comp : *comp;
++      stbi__vertical_flip_slices( result, *x, *y, *z, channels );
+    }
+ 
+    return result;
diff --git a/1543.patch b/1543.patch
new file mode 100644
index 0000000..62bcf37
--- /dev/null
+++ b/1543.patch
@@ -0,0 +1,38 @@
+From 20f77a9b7f53624014e8c7224eeb182674111bcb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 16:10:45 +0200
+Subject: [PATCH] Fix disclosure of uninitialized memory in stbi__tga_load
+
+Fixes #1542
+---
+ stb_image.h | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..7db6dd3df 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -5933,7 +5933,10 @@ static void *stbi__tga_load(stbi__context *s, int *x, int *y, int *comp, int req
+       for (i=0; i < tga_height; ++i) {
+          int row = tga_inverted ? tga_height -i - 1 : i;
+          stbi_uc *tga_row = tga_data + row*tga_width*tga_comp;
+-         stbi__getn(s, tga_row, tga_width * tga_comp);
++         if(!stbi__getn(s, tga_row, tga_width * tga_comp)) {
++            STBI_FREE(tga_data);
++            return stbi__errpuc("bad palette", "Corrupt TGA");
++         }
+       }
+    } else  {
+       //   do I need to load a palette?
+@@ -7218,7 +7221,10 @@ static float *stbi__hdr_load(stbi__context *s, int *x, int *y, int *comp, int re
+          for (i=0; i < width; ++i) {
+             stbi_uc rgbe[4];
+            main_decode_loop:
+-            stbi__getn(s, rgbe, 4);
++            if (!stbi__getn(s, rgbe, 4)) {
++               STBI_FREE(hdr_data);
++               return stbi__errpf("invalid decoded scanline length", "corrupt HDR");
++            }
+             stbi__hdr_convert(hdr_data + j * width * req_comp + i * req_comp, rgbe, req_comp);
+          }
+       }
diff --git a/stb.spec b/stb.spec
index e7a3b52..7b50c05 100644
--- a/stb.spec
+++ b/stb.spec
@@ -23,7 +23,7 @@ Name:           stb
 #   https://github.com/nothings/stb/issues/1101
 %global snapinfo .20220908git8b5f1f3
 Version:        0%{snapinfo}
-Release:        0.8
+Release:        0.10
 Summary:        Single-file public domain libraries for C/C++
 
 # See LICENSE.
@@ -167,6 +167,26 @@ Patch:          1534.patch
 # https://github.com/nothings/stb/issues/1538
 Patch:          1539.patch
 
+# Fix multi-byte read heap buffer overflow in stbi__vertical_flip
+# https://github.com/nothings/stb/pull/1541
+#
+# Fixes:
+#
+# Multi-byte read heap buffer overflow in stbi__vertical_flip
+# (GHSL-2023-146/CVE-2023-45662)
+# https://github.com/nothings/stb/issues/1540
+Patch:          1541.patch
+
+# Fix disclosure of uninitialized memory in stbi__tga_load
+# https://github.com/nothings/stb/pull/1543
+#
+# Fixes:
+#
+# Disclosure of uninitialized memory in stbi__tga_load
+# (GHSL-2023-147/CVE-2023-45663)
+# https://github.com/nothings/stb/issues/1542
+Patch:          1543.patch
+
 # Fix double-free in stbi__load_gif_main_outofmem
 # https://github.com/nothings/stb/pull/1545
 #
@@ -933,6 +953,12 @@ EOF
 
 
 %changelog
+* Wed Feb 28 2024 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.10
+- stb_image: fix GHSL-2023-146 / fix CVE-2023-45662
+
+* Tue Feb 27 2024 peijiankang <peijiankang@kylinos.cn> - 0.20220908git8b5f1f3-0.9
+- stb_image: fix GHSL-2023-147 / fix CVE-2023-45663
+
 * Thu Nov 23 2023 douyan <douyan@kylinos.cn> - 0.20220908git8b5f1f3-0.8
 - add patch 0001-Fix-double-free-in-stbi__load_gif_main_outofmem.patch fix CVE-2023-45664
 
-- 
Gitee