import stb-0^20240213gitae721c5-5.el9

SOURCES/1559.patch

@@ -0,0 +1,25 @@
+From 3741e6fea656d3f1b9578d59f14d8945aea92a10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 17:07:26 +0200
+Subject: [PATCH] Out of bounds heap buffer write
+ (`GHSL-2023-171/CVE-2023-45681`)
+
+---
+ stb_vorbis.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/stb_vorbis.c b/stb_vorbis.c
+index 3e5c2504c0..6ebd7dcb95 100644
+--- a/stb_vorbis.c
++++ b/stb_vorbis.c
+@@ -3661,6 +3661,10 @@ static int start_decoder(vorb *f)
+    f->comment_list = NULL;
+    if (f->comment_list_length > 0)
+    {
++      if (INT_MAX / sizeof(char*) < f->comment_list_length) {
++         f->comment_list_length = 0;
++         return error(f, VORBIS_outofmem);
++      }
+       f->comment_list = (char**) setup_malloc(f, sizeof(char*) * (f->comment_list_length));
+       if (f->comment_list == NULL)                  return error(f, VORBIS_outofmem);
+    }

SOURCES/README.md

@@ -0,0 +1,3 @@
+# stb
+
+The stb package

SOURCES/fix-riscv64-compile-uintptr.patch

@@ -0,0 +1,13 @@
+diff --git a/stb_sprintf.h b/stb_sprintf.h
+index ca432a6..fb49e4d 100644
+--- a/stb_sprintf.h
++++ b/stb_sprintf.h
+@@ -230,7 +230,7 @@ STBSP__PUBLICDEC void STB_SPRINTF_DECORATE(set_separators)(char comma, char peri
+ #define stbsp__uint16 unsigned short
+ 
+ #ifndef stbsp__uintptr
+-#if defined(__ppc64__) || defined(__powerpc64__) || defined(__aarch64__) || defined(_M_X64) || defined(__x86_64__) || defined(__x86_64) || defined(__s390x__)
++#if defined(__ppc64__) || defined(__powerpc64__) || defined(__aarch64__) || defined(_M_X64) || defined(__x86_64__) || defined(__x86_64) || defined(__s390x__) || defined(__LP64__) || (defined(__riscv) && __riscv_xlen == 64)
+ #define stbsp__uintptr stbsp__uint64
+ #else
+ #define stbsp__uintptr stbsp__uint32

SOURCES/stb.rpmlintrc

@@ -0,0 +1,22 @@
+# Not real spelling errors
+#   - "trunc", "eucl", "qsort", "snprintf" are C function names
+#   - "va" and "args" are from "va_args"
+#   - "sprintfs" refers to "the various flavors of sprintf functions"
+#   - "ryg" is a username/handle
+#   - "Doesn" is from "Doesn’t"
+#   - "zlib" is a library name
+#   - "Ogg" is a format
+#   - "init" is short for "initializer"
+#   - "stdlib" is short for "the C standard library"
+#   - "awesomest" is an informal variant of "most awesome"
+addFilter(r"spelling-error \('([Mm]etapackage|[Pp]arser|[Ss]hader|[Rr]oadmap)s?',")
+addFilter(r"spelling-error \('([Rr]eachability|([Tt]|[Uu]nt)raversable)',")
+addFilter(r"spelling-error \('([Tt]ypesafe|[Dd]oesn|[Bb]andlimited|[Mm]orphable)',")
+addFilter(r"spelling-error \('(trunc|eucl|qsort|snprintf|va|args|sprintfs)',")
+addFilter(r"spelling-error \('(ryg|zlib|[Ii]nit|stdlib|[Aa]wesomest|Ogg)',")
+addFilter(r"spelling-error \('([Ww]aveform|[Rr]escale|([Uu]p|[Dd]own)sample)s?',")
+addFilter(r"spelling-error \('([Ee]mbeddable|[Rr]asterize|[Aa]ntialiasing)',")
+# All documentation is in the -doc subpackage.
+addFilter(r" no-documentation$")
+# Consistency with upstream is more important.
+addFilter(r" description-shorter-than-summary")

SPECS/stb.spec

@@ -1,8 +1,8 @@
 ## START: Set by rpmautospec
-## (rpmautospec version 0.6.1)
+## (rpmautospec version 0.6.3)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 1;
+    release_number = 5;
     base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
     print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -193,6 +193,16 @@ Patch:          0001-Fix-Null-pointer-dereference-because-of-an-uninitial.patch
 # https://github.com/nothings/stb/issues/1552
 Patch:          %{url}/pull/1553.patch
 
+# riscv64 compile fix
+# https://github.com/nothings/stb/pull/1610
+Patch: fix-riscv64-compile-uintptr.patch
+
+# Out of bounds heap buffer write (GHSL-2023-171/CVE-2023-45681)
+# https://github.com/nothings/stb/pull/1559
+# Fixes CVE-2023-45681 and duplicate CVE-2023-47212
+# https://bugzilla.redhat.com/show_bug.cgi?id=2278402
+Patch:          %{url}/pull/1559.patch
+
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94
@@ -590,7 +600,7 @@ custom widgets and which do not have heavy text-editing requirements (this
 library is not recommended for use for editing large texts, as its performance
 does not scale and it has limited undo).
 
-Non-trivial behaviors are modelled after Windows text controls.
+Non-trivial behaviors are modeled after Windows text controls.
 
 
 %package -n stb_tilemap_editor-devel
@@ -991,6 +1001,15 @@ EOF
 
 %changelog
 ## START: Generated by rpmautospec
+* Thu May 02 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20240213gitae721c5-5
+- Patch for GHSL-2023-171/CVE-2023-45681/CVE-2023-47212
+
+* Thu May 02 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20240213gitae721c5-4
+- Fix a description to use American English orthography
+
+* Thu May 02 2024 David Abdurachmanov <davidlt@rivosinc.com> - 0^20240213gitae721c5-2
+- Fix compile error on riscv64
+
 * Tue Feb 13 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20240213gitae721c5-1
 - Update to 0^20240213gitae721c5
 - stb_image_resize2-devel is updated to 2.06