From fa8aa3f1e0b799e1556a45605701a26e493efa02 Mon Sep 17 00:00:00 2001
From: fandeyuan <fandeyuan@kylinos.cn>
Date: Tue, 9 Sep 2025 15:06:47 +0800
Subject: [PATCH] Fix root-cause of CVE-2021-45340 : dereference of NULL ptr.

---
 1736.patch | 43 +++++++++++++++++++++++++++++++++++++++++++
 stb.spec   |  9 ++++++++-
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 1736.patch

diff --git a/1736.patch b/1736.patch
new file mode 100644
index 0000000..862890a
--- /dev/null
+++ b/1736.patch
@@ -0,0 +1,43 @@
+From 724a10527964762fde9e79f38413aed4166b456e Mon Sep 17 00:00:00 2001
+From: Henner Zeller <h.zeller@acm.org>
+Date: Thu, 9 Jan 2025 08:57:50 -0800
+Subject: [PATCH] Fix root-cause of CVE-2021-45340 : dereference of NULL
+ptr.
+ 
+Originally reported in libsixel
+(https://github.com/libsixel/libsixel/issues/51
+and https://github.com/libsixel/libsixel/issues/73) also as
+https://nvd.nist.gov/vuln/detail/CVE-2021-45340
+ 
+Fixed there by locally patching stb
+https://github.com/libsixel/libsixel/commit/c8c7f1b1cab7bd556f54787a5e409d2ddf86ea9f
+ 
+Hereby fixing upstream.
+---
+ stb_image.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index fff0518..a53b977 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -97,7 +97,7 @@ RECENT REVISION HISTORY:
+  Bug & warning fixes
+     Marc LeBlanc            David Woo          Guillaume George     Martins Mozeiko
+     Christpher Lloyd        Jerry Jansson      Joseph Thomson       Blazej Dariusz Roszkowski
+-    Phil Jordan                                Dave Moore           Roy Eltham
++    Phil Jordan             Henner Zeller      Dave Moore           Roy Eltham
+     Hayaki Saito            Nathan Reed        Won Chun
+     Luke Graham             Johan Duparc       Nick Verigakis       the Horde3D community
+     Thomas Ruf              Ronny Chevalier                         github:rlyeh
+@@ -1755,6 +1755,7 @@ static unsigned char *stbi__convert_format(unsigned char *data, int img_n, int r
+    int i,j;
+    unsigned char *good;
+ 
++   if (data == NULL) return data;
+    if (req_comp == img_n) return data;
+    STBI_ASSERT(req_comp >= 1 && req_comp <= 4);
+ 
+-- 
+2.43.0
+
diff --git a/stb.spec b/stb.spec
index 8fb5bc0..72c65bc 100644
--- a/stb.spec
+++ b/stb.spec
@@ -23,7 +23,7 @@ Name:           stb
 #   https://github.com/nothings/stb/issues/1101
 %global snapinfo .20220908git8b5f1f3
 Version:        0%{snapinfo}
-Release:        0.17
+Release:        0.18
 Summary:        Single-file public domain libraries for C/C++
 
 # See LICENSE.
@@ -241,6 +241,10 @@ Patch1000:      fix-build-on-riscv64-and-loongarch64.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2278402
 Patch20:        1559.patch
 
+# Fix root-cause of CVE-2021-45340 : dereference of NULL ptr.
+# https://github.com/nothings/stb/pull/1736
+Patch21:        1736.patch
+
 
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
@@ -999,6 +1003,9 @@ EOF
 
 
 %changelog
+* Tue Sep 09 2025 Deyuan Fan <fandeyuan@kylinos.cn> - 0.20220908git8b5f1f3-0.18
+- Fix root-cause of CVE-2021-45340 : dereference of NULL ptr.
+
 * Fri Jun 28 2024 zhangxianting <zhangxianting@uniontech.com> - 0.20220908git8b5f1f3-0.17
 - Fix build error at loongarch64
 
-- 
Gitee