Patch for GHSL-2023-171/CVE-2023-45681/CVE-2023-47212

1559.patch

@@ -0,0 +1,25 @@
+From 3741e6fea656d3f1b9578d59f14d8945aea92a10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
+Date: Thu, 19 Oct 2023 17:07:26 +0200
+Subject: [PATCH] Out of bounds heap buffer write
+ (`GHSL-2023-171/CVE-2023-45681`)
+
+---
+ stb_vorbis.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/stb_vorbis.c b/stb_vorbis.c
+index 3e5c2504c0..6ebd7dcb95 100644
+--- a/stb_vorbis.c
++++ b/stb_vorbis.c
+@@ -3661,6 +3661,10 @@ static int start_decoder(vorb *f)
+    f->comment_list = NULL;
+    if (f->comment_list_length > 0)
+    {
++      if (INT_MAX / sizeof(char*) < f->comment_list_length) {
++         f->comment_list_length = 0;
++         return error(f, VORBIS_outofmem);
++      }
+       f->comment_list = (char**) setup_malloc(f, sizeof(char*) * (f->comment_list_length));
+       if (f->comment_list == NULL)                  return error(f, VORBIS_outofmem);
+    }

stb.spec

@@ -183,11 +183,16 @@ Patch:          0001-Fix-Null-pointer-dereference-because-of-an-uninitial.patch
 # https://github.com/nothings/stb/issues/1552
 Patch:          %{url}/pull/1553.patch
 
-
 # riscv64 compile fix
 # https://github.com/nothings/stb/pull/1610
 Patch: fix-riscv64-compile-uintptr.patch
 
+# Out of bounds heap buffer write (GHSL-2023-171/CVE-2023-45681)
+# https://github.com/nothings/stb/pull/1559
+# Fixes CVE-2023-45681 and duplicate CVE-2023-47212
+# https://bugzilla.redhat.com/show_bug.cgi?id=2278402
+Patch:          %{url}/pull/1559.patch
+
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94