From 1daaa2903353736acd939cc7722c46f1b534d2f3 Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Wed, 25 Oct 2023 10:54:40 -0400
Subject: [PATCH] =?UTF-8?q?Backport=20three=20PR=E2=80=99s=20fixing=20unde?= =?UTF-8?q?fined=20behavior=20in=20stb=5Fimage?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 1530.patch | 24 ++++++++++++++++++++++++
 1532.patch | 36 ++++++++++++++++++++++++++++++++++++
 1534.patch | 23 +++++++++++++++++++++++
 stb.spec | 27 +++++++++++++++++++++++++++
 4 files changed, 110 insertions(+)
 create mode 100644 1530.patch
 create mode 100644 1532.patch
 create mode 100644 1534.patch
diff --git a/1530.patch b/1530.patch
new file mode 100644
index 0000000..f2fe791
--- /dev/null
+++ b/1530.patch
@@ -0,0 +1,24 @@
+From f100bfc302c0e095856c71a174714cce0a22e30a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
+Date: Thu, 19 Oct 2023 15:30:26 +0200
+Subject: [PATCH] Fix integer overflow
+
+Cast to `size_t` to avoid multiplication overflow.
+Fixes #1529
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..552129bc4 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -1207,7 +1207,7 @@ static stbi__uint16 *stbi__convert_8_to_16(stbi_uc *orig, int w, int h, int chan
+ int img_len = w * h * channels;
+ stbi__uint16 *enlarged;
+
+- enlarged = (stbi__uint16 *) stbi__malloc(img_len*2);
++ enlarged = (stbi__uint16 *) stbi__malloc(((size_t)img_len)*2);
+ if (enlarged == NULL) return (stbi__uint16 *) stbi__errpuc("outofmem", "Out of memory");
+
+ for (i = 0; i < img_len; ++i)
diff --git a/1532.patch b/1532.patch
new file mode 100644
index 0000000..d527d1d
--- /dev/null
+++ b/1532.patch
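Review bot: In 1530.patch the widening comes too late for the first multiplication: `int img_len = w * h * channels;` on the context line is still evaluated in `int`, and only the final doubling in `stbi__malloc(((size_t)img_len)*2)` is done in `size_t`. If callers do not already bound the dimensions (not visible in this hunk), that product can overflow before the cast, and the loop bound `i < img_len` is taken from the same value. A guard ahead of the allocation, using the overflow helper that I believe stb_image.h already has, would close that gap: `if (!stbi__mad3sizes_valid(w, h, channels, 0)) return (stbi__uint16 *) stbi__errpuc("outofmem", "Out of memory");`. The body of `stbi__convert_8_to_16` continues outside the hunk, and because this file is a verbatim upstream backport the change belongs upstream rather than in the packaged copy.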
@@ -0,0 +1,36 @@
+From 178e1ab7684c46f233082a4f15308a54c9ae5a15 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
+Date: Thu, 19 Oct 2023 15:38:33 +0200
+Subject: [PATCH] Add overflow checks
+
+Fixes #1531
+---
+ stb_image.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..aac3653ac 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -6990,6 +6990,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+ stride = g.w * g.h * 4;
+
+ if (out) {
++ if (!stbi__mul2sizes_valid(layers, stride)) {
++ void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++ return ret;
++ }
+ void *tmp = (stbi_uc*) STBI_REALLOC_SIZED( out, out_size, layers * stride );
+ if (!tmp)
+ return stbi__load_gif_main_outofmem(&g, out, delays);
+@@ -7006,6 +7010,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
+ delays_size = layers * sizeof(int);
+ }
+ } else {
++ if (!stbi__mul2sizes_valid(layers, stride)) {
++ void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
++ return ret;
++ }
+ out = (stbi_uc*)stbi__malloc( layers * stride );
+ if (!out)
+ return stbi__load_gif_main_outofmem(&g, out, delays);
diff --git a/1534.patch b/1534.patch
new file mode 100644
index 0000000..a1278d6
--- /dev/null
+++ b/1534.patch
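Review bot: Both guards added in 1532.patch validate `layers * stride`, but `stride = g.w * g.h * 4;` on the context line is itself an `int` product with no check visible in the hunk, so the guard is only sound if the frame dimensions were bounded earlier in `stbi__load_gif_main` or its callees. The same four lines are duplicated in both branches, and in the first branch the declaration `void *tmp = ...` now follows a statement, which pre-C99 compilers reject. Assuming the `} else {` in the second hunk pairs with `if (out) {`, a single `if (!stbi__mul2sizes_valid(layers, stride)) return stbi__load_gif_main_outofmem(&g, out, delays);` placed just before `if (out) {` would cover both allocations and drop the temporary `ret`. The function body starts and ends outside both hunks, and since the file is a verbatim upstream patch the change would have to be made upstream.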
@@ -0,0 +1,23 @@
+From d66d0fe8c1a6ed393817791e4376374fa7f4ecc1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?=
+Date: Thu, 19 Oct 2023 15:42:23 +0200
+Subject: [PATCH] Fix int overflow
+
+Fixes #1533
+---
+ stb_image.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 5e807a0a6..6d63ab32b 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -2222,7 +2222,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
+ dc = j->img_comp[b].dc_pred + diff;
+ j->img_comp[b].dc_pred = dc;
+ if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
+- data[0] = (short) (dc * dequant[0]);
++ data[0] = (short) ((size_t)dc * dequant[0]);
+
+ // decode AC components, see JPEG spec
+ k = 1;
diff --git a/stb.spec b/stb.spec
index b38f1a2..954915d 100644
--- a/stb.spec
+++ b/stb.spec
@@ -67,6 +67,33 @@ Patch: %{url}/pull/1236.patch
 # https://github.com/nothings/stb/pull/1454
 Patch: %{url}/pull/1454.patch
 
+# Fix integer overflow
+# https://github.com/nothings/stb/pull/1530
+#
+# Fixes:
+#
+# Integer overflow in stbi__convert_8_to_16
+# https://github.com/nothings/stb/issues/1529
+Patch: %{url}/pull/1530.patch
+
+# Add overflow checks
+# https://github.com/nothings/stb/pull/1532
+#
+# Fixes:
+#
+# Integer overflow in stbi__load_gif_main
+# https://github.com/nothings/stb/issues/1531
+Patch: %{url}/pull/1532.patch
+
+# Fix int overflow
+# https://github.com/nothings/stb/pull/1534
+#
+# Fixes:
+#
+# Integer overflow in stbi__jpeg_decode_block
+# https://github.com/nothings/stb/pull/1533
+Patch: %{url}/pull/1534.patch
+
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94
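Review bot: The new `(size_t)dc` cast in 1534.patch converts a signed value that can be negative (`dc = j->img_comp[b].dc_pred + diff;`) to an unsigned type, so the multiplication now relies on modular wraparound and on the narrowing `(short)` conversion to recover the signed result. The unsigned multiply itself is well defined, but the line reads like a mistake, and the `stbi__mul2shorts_valid(dc, dequant[0])` check on the line before may already bound the product (its body is not on this page). A comment above the assignment would record the intent, for example `// multiply as unsigned to avoid signed-overflow UB; result is truncated to short`. The body of `stbi__jpeg_decode_block` starts and ends outside the hunk.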
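Review bot: The reference under the third `Fixes:` block points at `https://github.com/nothings/stb/pull/1533`, while 1534.patch says `Fixes #1533` and the other two blocks use `/issues/` URLs, so it presumably should read `# https://github.com/nothings/stb/issues/1533`. Separately, the `Patch: %{url}/pull/NNNN.patch` lines name URLs whose content can change if a pull request is updated. The copies committed alongside this spec are what pin the reviewed content, so when refreshing them it is worth comparing against the upstream commit hash in each patch's first `From` line.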