From 6719c00391142ab9bc75be69e31402ee90db7969 Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley" <code@musicinmybrain.net>
Date: Thu, 9 Jan 2025 15:15:42 -0500
Subject: [PATCH] Patch root cause of CVE-2021-45340

---
 1736.patch | 36 ++++++++++++++++++++++++++++++++++++
 stb.spec   |  4 ++++
 2 files changed, 40 insertions(+)
 create mode 100644 1736.patch

diff --git a/1736.patch b/1736.patch
new file mode 100644
index 0000000..3eeddeb
--- /dev/null
+++ b/1736.patch
@@ -0,0 +1,36 @@
+From 724a10527964762fde9e79f38413aed4166b456e Mon Sep 17 00:00:00 2001
+From: Henner Zeller <h.zeller@acm.org>
+Date: Thu, 9 Jan 2025 08:57:50 -0800
+Subject: [PATCH] Fix root-cause of CVE-2021-45340 : dereference of NULL ptr.
+
+Originally reported in libsixel (https://github.com/libsixel/libsixel/issues/51
+and https://github.com/libsixel/libsixel/issues/73) also as https://nvd.nist.gov/vuln/detail/CVE-2021-45340
+
+Fixed there by locally patching stb https://github.com/libsixel/libsixel/commit/c8c7f1b1cab7bd556f54787a5e409d2ddf86ea9f
+
+Hereby fixing upstream.
+---
+ stb_image.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 9eedabedc..4a435555e 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -100,7 +100,7 @@ RECENT REVISION HISTORY:
+  Bug & warning fixes
+     Marc LeBlanc            David Woo          Guillaume George     Martins Mozeiko
+     Christpher Lloyd        Jerry Jansson      Joseph Thomson       Blazej Dariusz Roszkowski
+-    Phil Jordan                                Dave Moore           Roy Eltham
++    Phil Jordan             Henner Zeller      Dave Moore           Roy Eltham
+     Hayaki Saito            Nathan Reed        Won Chun
+     Luke Graham             Johan Duparc       Nick Verigakis       the Horde3D community
+     Thomas Ruf              Ronny Chevalier                         github:rlyeh
+@@ -1757,6 +1757,7 @@ static unsigned char *stbi__convert_format(unsigned char *data, int img_n, int r
+    int i,j;
+    unsigned char *good;
+ 
++   if (data == NULL) return data;
+    if (req_comp == img_n) return data;
+    STBI_ASSERT(req_comp >= 1 && req_comp <= 4);
+ 
diff --git a/stb.spec b/stb.spec
index d71e06d..3becaea 100644
--- a/stb.spec
+++ b/stb.spec
@@ -196,6 +196,10 @@ Patch: fix-riscv64-compile-uintptr.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2278402
 Patch:          %{url}/pull/1559.patch
 
+# Fix root-cause of CVE-2021-45340 : dereference of NULL ptr.
+# https://github.com/nothings/stb/pull/1736
+Patch:          %{url}/pull/1736.patch
+
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94