From 65c1abd0fa3da424f071c67fb6fa6a3a22897d7c Mon Sep 17 00:00:00 2001 From: peijiankang Date: Wed, 8 May 2024 11:08:26 +0800 Subject: [PATCH] Patch for GHSL-2023-171/CVE-2023-45681/CVE-2023-47212 (cherry picked from commit 3705866be3e78f9d77f9b64237a7286315becc76) --- 1559.patch | 25 +++++++++++++++++++++++++ stb.spec | 34 ++++++++++++++++++++++------------ 2 files changed, 47 insertions(+), 12 deletions(-) create mode 100644 1559.patch diff --git a/1559.patch b/1559.patch new file mode 100644 index 0000000..195a43a --- /dev/null +++ b/1559.patch @@ -0,0 +1,25 @@ +From 3741e6fea656d3f1b9578d59f14d8945aea92a10 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= +Date: Thu, 19 Oct 2023 17:07:26 +0200 +Subject: [PATCH] Out of bounds heap buffer write + (`GHSL-2023-171/CVE-2023-45681`) + +--- + stb_vorbis.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/stb_vorbis.c b/stb_vorbis.c +index 3e5c2504c0..6ebd7dcb95 100644 +--- a/stb_vorbis.c ++++ b/stb_vorbis.c +@@ -3661,6 +3661,10 @@ static int start_decoder(vorb *f) + f->comment_list = NULL; + if (f->comment_list_length > 0) + { ++ if (INT_MAX / sizeof(char*) < f->comment_list_length) { ++ f->comment_list_length = 0; ++ return error(f, VORBIS_outofmem); ++ } + f->comment_list = (char**) setup_malloc(f, sizeof(char*) * (f->comment_list_length)); + if (f->comment_list == NULL) return error(f, VORBIS_outofmem); + } diff --git a/stb.spec b/stb.spec index cae171d..67d66b5 100644 --- a/stb.spec +++ b/stb.spec @@ -23,7 +23,7 @@ Name: stb # https://github.com/nothings/stb/issues/1101 %global snapinfo .20220908git8b5f1f3 Version: 0%{snapinfo} -Release: 0.15 +Release: 0.16 Summary: Single-file public domain libraries for C/C++ # See LICENSE. @@ -129,7 +129,7 @@ Patch08: 1230.patch # # Fix Null pointer dereference in stbi__convert_format # https://github.com/nothings/stb/pull/1547 -Patch: 1454.patch +Patch09: 1454.patch # Fix integer overflow # https://github.com/nothings/stb/pull/1530 @@ -138,7 +138,7 @@ Patch: 1454.patch # # Integer overflow in stbi__convert_8_to_16 # https://github.com/nothings/stb/issues/1529 -Patch: 1530.patch +Patch10: 1530.patch # Add overflow checks # https://github.com/nothings/stb/pull/1532 @@ -147,7 +147,7 @@ Patch: 1530.patch # # Integer overflow in stbi__load_gif_main # https://github.com/nothings/stb/issues/1531 -Patch: 1532.patch +Patch11: 1532.patch # Fix int overflow # https://github.com/nothings/stb/pull/1534 @@ -156,7 +156,7 @@ Patch: 1532.patch # # Integer overflow in stbi__jpeg_decode_block # https://github.com/nothings/stb/pull/1533 -Patch: 1534.patch +Patch12: 1534.patch # Fix wild address read in stbi__gif_load_next # https://github.com/nothings/stb/pull/1539 @@ -165,7 +165,7 @@ Patch: 1534.patch # # Wild address read in stbi__gif_load_next (GHSL-2023-145/CVE-2023-45661) # https://github.com/nothings/stb/issues/1538 -Patch: 1539.patch +Patch13: 1539.patch # Fix multi-byte read heap buffer overflow in stbi__vertical_flip # https://github.com/nothings/stb/pull/1541 @@ -175,7 +175,7 @@ Patch: 1539.patch # Multi-byte read heap buffer overflow in stbi__vertical_flip # (GHSL-2023-146/CVE-2023-45662) # https://github.com/nothings/stb/issues/1540 -Patch: 1541.patch +Patch14: 1541.patch # Fix disclosure of uninitialized memory in stbi__tga_load # https://github.com/nothings/stb/pull/1543 @@ -185,7 +185,7 @@ Patch: 1541.patch # Disclosure of uninitialized memory in stbi__tga_load # (GHSL-2023-147/CVE-2023-45663) # https://github.com/nothings/stb/issues/1542 -Patch: 1543.patch +Patch15: 1543.patch # Fix double-free in stbi__load_gif_main_outofmem # https://github.com/nothings/stb/pull/1545 @@ -196,7 +196,7 @@ Patch: 1543.patch # https://github.com/nothings/stb/issues/1544 # # Rebased on top of https://github.com/nothings/stb/pull/1539. -Patch: 0001-Fix-double-free-in-stbi__load_gif_main_outofmem.patch +Patch16: 0001-Fix-double-free-in-stbi__load_gif_main_outofmem.patch # Fix possible double-free or memory leak in stbi__load_gif_main # https://github.com/nothings/stb/pull/1549 @@ -209,7 +209,7 @@ Patch: 0001-Fix-double-free-in-stbi__load_gif_main_outofmem.patch # # Rebased on top of https://github.com/nothings/stb/pull/1539 and # https://github.com/nothings/stb/pull/1545. -Patch: 0002-Fix-possible-double-free-or-memory-leak-in-stbi__loa.patch +Patch17: 0002-Fix-possible-double-free-or-memory-leak-in-stbi__loa.patch # Fix Null pointer dereference because of an uninitialized variable # https://github.com/nothings/stb/pull/1551 @@ -221,7 +221,7 @@ Patch: 0002-Fix-possible-double-free-or-memory-leak-in-stbi__loa.patch # https://github.com/nothings/stb/issues/1550 # # Rebased on top of https://github.com/nothings/stb/pull/1541. -Patch: 0001-Fix-Null-pointer-dereference-because-of-an-uninitial.patch +Patch18: 0001-Fix-Null-pointer-dereference-because-of-an-uninitial.patch # Fix 0 byte write heap buffer overflow in start_decoder # https://github.com/nothings/stb/pull/1553 @@ -231,12 +231,19 @@ Patch: 0001-Fix-Null-pointer-dereference-because-of-an-uninitial.patch # 0 byte write heap buffer overflow in start_decoder # (GHSL-2023-165/CVE-2023-45675) # https://github.com/nothings/stb/issues/1552 -Patch: %{url}/pull/1553.patch +Patch19: 1553.patch %ifarch riscv64 Patch1000: fix-build-on-riscv64.patch %endif +# Out of bounds heap buffer write (GHSL-2023-171/CVE-2023-45681) +# https://github.com/nothings/stb/pull/1559 +# Fixes CVE-2023-45681 and duplicate CVE-2023-47212 +# https://bugzilla.redhat.com/show_bug.cgi?id=2278402 +Patch20: 1559.patch + + %global stb_c_lexer_version 0.12 %global stb_connected_components_version 0.96 %global stb_c_lexer_version 0.12 @@ -994,6 +1001,9 @@ EOF %changelog +* Wed May 08 2024 peijiankang - 0.20220908git8b5f1f3-0.16 +- Patch for GHSL-2023-171/CVE-2023-45681/CVE-2023-47212 + * Thu Mar 28 2024 misaka00251 - 0.20220908git8b5f1f3-0.15 - Add new line to riscv64 patch to avoid build issue -- Gitee