From 67ed2c4abc359a3c5b73111a191da721616db918 Mon Sep 17 00:00:00 2001
From: "Benjamin A. Beasley"
Date: Wed, 30 Nov 2022 18:15:34 -0500
Subject: [PATCH] Patch in a candidate fix for ossfuzz issue 24232 - Improves handling of certain invalid PNGs by stb_image
---
 1230.patch | 32 ++++++++++++++++++++++++++++++++
 stb.spec | 11 ++++++++++-
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 1230.patch
diff --git a/1230.patch b/1230.patch
new file mode 100644
index 0000000..c4846bb
--- /dev/null
+++ b/1230.patch
@@ -0,0 +1,32 @@
+From b5d9d9719b001c67ca922df547a85a0fae364997 Mon Sep 17 00:00:00 2001
+From: Neil Bickford
+Date: Fri, 15 Oct 2021 11:04:41 -0700
+Subject: [PATCH] stb_image PNG: Checks for invalid DEFLATE codes.
+
+Specifically, this rejects length codes 286 and 287, and distance codes 30 and 31.
+This avoids a scenario in which a file could contain a table in which
+0 corresponded to length code 287, which would result in writing 0 bits.
+
+Signed-off-by: Neil Bickford
+---
+ stb_image.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index d60371b95..ab616c56d 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -4256,11 +4256,12 @@ static int stbi__parse_huffman_block(stbi__zbuf *a)
+ a->zout = zout;
+ return 1;
+ }
++ if (z >= 286) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, length codes 286 and 287 must not appear in compressed data
+ z -= 257;
+ len = stbi__zlength_base[z];
+ if (stbi__zlength_extra[z]) len += stbi__zreceive(a, stbi__zlength_extra[z]);
+ z = stbi__zhuffman_decode(a, &a->z_distance);
+- if (z < 0) return stbi__err("bad huffman code","Corrupt PNG");
++ if (z < 0 || z >= 30) return stbi__err("bad huffman code","Corrupt PNG"); // per DEFLATE, distance codes 30 and 31 must not appear in compressed data
+ dist = stbi__zdist_base[z];
+ if (stbi__zdist_extra[z]) dist += stbi__zreceive(a, stbi__zdist_extra[z]);
+ if (zout - a->zout_start < dist) return stbi__err("bad dist","Corrupt PNG");
diff --git a/stb.spec b/stb.spec
index b489ba7..deaa0fb 100644
--- a/stb.spec
+++ b/stb.spec
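Review bot: The new `z >= 286` and `z >= 30` rejections close the zero-progress case the patch message describes (a symbol whose table entry yields a zero-length copy), but they do not by themselves bound the loop on a truncated stream: if the bit reader pads past end of input with zero bits (not visible in this hunk) and the all-zero code decodes to a valid length/distance pair, each iteration still writes a back-reference of at least the minimum length and the loop only ends when the output buffer can no longer grow, which turns the fuzzer timeout into memory exhaustion instead. Confirm that `stbi__zhuffman_decode` reports end of input with a negative return that the existing `z < 0` checks catch; if it does not, that check belongs in the decoder rather than here. The rejected ranges match RFC 1951 §3.2.5, which says length codes 286–287 and distance codes 30–31 never occur in compressed data, and since the message implies the base tables still carry entries for those symbols, the comments should say the checks must stay ahead of the table index, e.g. `// must precede the stbi__zlength_base index: the table has placeholder entries for 286/287`. The enclosing function stbi__parse_huffman_block begins and ends outside the hunk, including the literal/length decode whose own `z < 0` check this code relies on.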
@@ -101,10 +101,19 @@ Patch: %{url}/pull/1236.patch
 #
 # ----
 #
-# Additional stb_image fixes for bugs from ossfuzz and issues 1289, 1291, 1292, and 1293
+# Additional stb_image fixes for bugs from ossfuzz and issues 1289, 1291, 1292,
+# and 1293
 # https://github.com/nothings/stb/pull/1297
 Patch: %{url}/pull/1297.patch
+# stb_image PNG reader: Adds checks for invalid DEFLATE codes, fixing an
+# infinite loop found by ossfuzz.
+# https://github.com/nothings/stb/pull/1230
+# Fixes:
+# Issue 24232: stb:stb_png_read_fuzzer: Timeout in stb_png_read_fuzzer
+# https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24232&q=proj%3Dstb
+Patch: %{url}/pull/1230.patch
+
 
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94
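Review bot: The new comment block does not record which upstream commit the checked-in 1230.patch was taken from, although the `Patch: %{url}/pull/1230.patch` line points at a pull-request URL that serves whatever the PR branch currently holds and can change if the branch is rebased, while the build presumably consumes the committed copy. Since the commit message calls this a candidate fix, add a provenance line such as `# Snapshot of upstream commit b5d9d9719b001c67ca922df547a85a0fae364997 (unmerged PR); re-verify against the PR when updating`, the hash being the one in the From line of the checked-in patch, so a later update can tell whether the local file still matches upstream. The comment also says "fixing an infinite loop found by ossfuzz", whereas the cited issue title is a timeout and the upstream patch message describes a zero-length write; "fixing a decoder loop that made no progress (ossfuzz timeout)" describes it without overstating. Whether the spec's other PR-based patches carry a similar provenance note is outside this hunk.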