.gitignore

@@ -1 +1,13 @@
-SOURCES/stb-31707d14fdb75da66b3eed52a2236a70af0d0960.tar.gz
+/stb-3a1174060a7dd4eb652d4e6854bc4cd98c159200.tar.gz
+/stb-c0c982601f40183e74d84a61237e968dca08380e.tar.gz
+/stb-af1a5bc352164740c1cc1354942b1c6b72eacb8a.tar.gz
+/stb-8b5f1f37b5b75829fc72d38e7b5d4bcbf8a26d55.tar.gz
+/stb-6199bf77130da41fd424722eeb7a8db4d766c4c6.tar.gz
+/stb-5736b15f7ea0ffb08dd38af21067c314d6a3aae9.tar.gz
+/stb-c4bbb6e75f688318b2df2b70c2df2d641c1a8481.tar.gz
+/stb-beebb24b945efdea3b9bba23affb8eb3ba8982e7.tar.gz
+/stb-b7cf1246284b49dfe7f1288e6f739b7a3a9d966b.tar.gz
+/stb-ae721c50eaf761660b4f90cc590453cdb0c2acd0.tar.gz
+/stb-449758bd74ce14b7d0ba9b24a3dbc4386702a0e0.tar.gz
+/stb-013ac3beddff3dbffafd5177e7972067cd2b5083.tar.gz
+/stb-31707d14fdb75da66b3eed52a2236a70af0d0960.tar.gz

.stb.metadata

@@ -1 +0,0 @@
-0474d08ed28d29b139e5f3ba5281512a21d3519c  SOURCES/stb-31707d14fdb75da66b3eed52a2236a70af0d0960.tar.gz

1736.patch

@@ -0,0 +1,36 @@
+From 724a10527964762fde9e79f38413aed4166b456e Mon Sep 17 00:00:00 2001
+From: Henner Zeller <h.zeller@acm.org>
+Date: Thu, 9 Jan 2025 08:57:50 -0800
+Subject: [PATCH] Fix root-cause of CVE-2021-45340 : dereference of NULL ptr.
+
+Originally reported in libsixel (https://github.com/libsixel/libsixel/issues/51
+and https://github.com/libsixel/libsixel/issues/73) also as https://nvd.nist.gov/vuln/detail/CVE-2021-45340
+
+Fixed there by locally patching stb https://github.com/libsixel/libsixel/commit/c8c7f1b1cab7bd556f54787a5e409d2ddf86ea9f
+
+Hereby fixing upstream.
+---
+ stb_image.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/stb_image.h b/stb_image.h
+index 9eedabedc..4a435555e 100644
+--- a/stb_image.h
++++ b/stb_image.h
+@@ -100,7 +100,7 @@ RECENT REVISION HISTORY:
+  Bug & warning fixes
+     Marc LeBlanc            David Woo          Guillaume George     Martins Mozeiko
+     Christpher Lloyd        Jerry Jansson      Joseph Thomson       Blazej Dariusz Roszkowski
+-    Phil Jordan                                Dave Moore           Roy Eltham
++    Phil Jordan             Henner Zeller      Dave Moore           Roy Eltham
+     Hayaki Saito            Nathan Reed        Won Chun
+     Luke Graham             Johan Duparc       Nick Verigakis       the Horde3D community
+     Thomas Ruf              Ronny Chevalier                         github:rlyeh
+@@ -1757,6 +1757,7 @@ static unsigned char *stbi__convert_format(unsigned char *data, int img_n, int r
+    int i,j;
+    unsigned char *good;
+ 
++   if (data == NULL) return data;
+    if (req_comp == img_n) return data;
+    STBI_ASSERT(req_comp >= 1 && req_comp <= 4);
+ 

sources

@@ -0,0 +1 @@
+SHA512 (stb-31707d14fdb75da66b3eed52a2236a70af0d0960.tar.gz) = 4e7935cddc94cc10ed826ffac24dc054e4614b1457dec20aa36528a45731572e641e39720d3f9dbf07ba715ecf1f3bd091a78557b24fe1df0eff39168a331e08

stb.spec

@@ -1,13 +1,3 @@
-## START: Set by rpmautospec
-## (rpmautospec version 0.7.2)
-## RPMAUTOSPEC: autorelease, autochangelog
-%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 1;
-    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
-    print(release_number + base_release_number - 1);
-}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
-## END: Set by rpmautospec
-
 %global commit 31707d14fdb75da66b3eed52a2236a70af0d0960
 %global snapdate 20241002
 
@@ -43,8 +33,11 @@ License:        MIT OR Unlicense
 # make certain, they are removed in %%prep.
 #
 # - deprecated/rrsprintf.h, tests/caveview/stb_gl.h, and
-#   tests/caveview/win32/SDL_windows_main.c are Public Domain
+#   tests/caveview/win32/SDL_windows_main.c are
+#   LicenseRef-Fedora-Public-Domain:
+#   https://gitlab.com/fedora/legal/fedora-license-data/-/issues/620
 # - tests/caveview/glext.h is MIT (only)
+SourceLicense:  (%{license}) AND LicenseRef-Fedora-Public-Domain AND MIT
 URL:            https://github.com/nothings/stb
 Source0:        %{url}/archive/%{commit}/stb-%{commit}.tar.gz
 
@@ -203,6 +196,10 @@ Patch: fix-riscv64-compile-uintptr.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2278402
 Patch:          %{url}/pull/1559.patch
 
+# Fix root-cause of CVE-2021-45340 : dereference of NULL ptr.
+# https://github.com/nothings/stb/pull/1736
+Patch:          %{url}/pull/1736.patch
+
 %global stb_c_lexer_version 0.12
 %global stb_connected_components_version 0.96
 %global stb_divide_version 0.94
@@ -267,7 +264,7 @@ Requires:       stb_image-static = %{stb_image_version}%{snapinfo}-%{release}
 # For compatibility, we still depend on the subpackages for the original,
 # deprecated-upstream stb_image_library in existing stable releases, but we
 # drop the dependendency going forward as an acknowledgement of its status.
-%if 0%{?fc39} || 0%{?el9} || 0%{?el8} || 0%{?el7}
+%if 0%{?el9} || 0%{?el8}
 Requires:       stb_image_resize-devel%{?_isa} = %{stb_image_resize_version}%{snapinfo}-%{release}
 Requires:       stb_image_resize-static = %{stb_image_resize_version}%{snapinfo}-%{release}
 %endif
@@ -1000,149 +997,4 @@ EOF
 
 
 %changelog
-## START: Generated by rpmautospec
-* Wed Oct 02 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20241002git31707d1-1
-- stb_image_resize2 2.11
-
-* Fri May 31 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20240531git013ac3b-1
-- stb_image 2.30
-
-* Sat May 25 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20240525git449758b-1
-- stb_image_resize2 2.07
-
-* Thu May 02 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20240213gitae721c5-5
-- Patch for GHSL-2023-171/CVE-2023-45681/CVE-2023-47212
-
-* Thu May 02 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20240213gitae721c5-4
-- Fix a description to use American English orthography
-
-* Thu May 02 2024 David Abdurachmanov <davidlt@rivosinc.com> - 0^20240213gitae721c5-2
-- Fix compile error on riscv64
-
-* Tue Feb 13 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20240213gitae721c5-1
-- Update to 0^20240213gitae721c5
-- stb_image_resize2-devel is updated to 2.06
-
-* Tue Feb 13 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20240208gitb7cf124-1
-- Update to 0^20240208gitb7cf124
-- stb_image-devel is updated to 2.29
-- stb_image_resize2-devel is updated to 2.05
-
-* Sun Jan 14 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 0^20231011gitbeebb24-12
-- Rebuilt for MSVSphere 9.3
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-12
-- stb_vorbis: fix GHSL-2023-165 / fix CVE-2023-45675
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-11
-- stb_image: fix GHSL-2023-151 / fix CVE-2023-45667
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-10
-- stb_image: fix GHSL-2023-150 / fix CVE-2023-45666
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-9
-- Document another bug, PR, and name (GHSL-2023-149) for CVE-2023-43898
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-8
-- stb_image: fix GHSL-2023-148 / fix CVE-2023-45664
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-7
-- stb_image: fix GHSL-2023-147 / fix CVE-2023-45663
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-6
-- stb_image: fix GHSL-2023-146 / fix CVE-2023-45662
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-5
-- stb_image: fix GHSL-2023-145 / fix CVE-2023-45661
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-4
-- Document that 1454.patch fixes CVE-2023-43898
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-3
-- Backport a PR fixing undefined behavior in stb_image_resize2
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-2
-- Backport three PR’s fixing undefined behavior in stb_image
-
-* Wed Oct 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231011gitbeebb24-1
-- Update to 0^beebb24git20231011 (minor C99 fixes)
-
-* Tue Oct 10 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231009gitc4bbb6e-2
-- Fedora, EPEL9+: drop the initial “0.” from the Release
-
-* Tue Oct 10 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20231009gitc4bbb6e-0.1
-- Update to 0^20231009gitc4bbb6e
-- A new stb_image_resize2 library is introduced
-- Upstream has deprecated stb_image_resize, but we still package it
-
-* Sat Feb 25 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20230129git5736b15-0.2
-- Fix null pointer dereference in stb_image
-
-* Tue Jan 31 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20230129git5736b15-0.1
-- Update to 5736b1 (version history and README updates)
-
-* Tue Jan 31 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20230129git6199bf7-0.1
-- Update to 6199bf7 (stb_image 2.28)
-- Security-related patches for stb_image have been merged upstream, and
-  there are other bugfixes.
-
-* Tue Jan 31 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20220908git8b5f1f3-0.4
-- Patch in a candidate fix for ossfuzz issue 24232
-- Improves handling of certain invalid PNGs by stb_image
-
-* Sat Sep 10 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20220908git8b5f1f3-0.3
-- A few improved descriptions
-
-* Sat Sep 10 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20220908git8b5f1f3-0.2
-- Improved summaries based on upstream’s README.md
-
-* Sat Sep 10 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20220908git8b5f1f3-0.1
-- Update to 8b5f1f3
-- The stb_perlin-devel subpackage has been restored, as upstream believes
-  all relevant patents are now expired.
-
-* Sat Sep 10 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20210910gitaf1a5bc-0.4
-- Update License to SPDX
-
-* Sat Sep 10 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20210910gitaf1a5bc-0.3
-- Reword spec file note on stb_include
-
-* Wed Apr 20 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20210910gitaf1a5bc-0.2
-- Security fix for CVE-2022-28041 (fix RHBZ#2077020, fix RBHZ#2077019)
-
-* Wed Apr 20 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 0^20210910gitaf1a5bc-0.1
-- Switch to modern snapshot versioning
-
-* Wed Apr 20 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.11
-- Stop numbering patches
-
-* Wed Apr 20 2022 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.10
-- Revert "Work around no ImageMagick on EPEL9"
-
-* Mon Dec 06 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.9
-- Work around no ImageMagick on EPEL9
-
-* Tue Oct 26 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.8
-- Apply a patch for warnings in stb_herringbone_wang_tile
-
-* Fri Oct 22 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.7
-- Security fix for CVE-2021-42715 and CVE-2021-42716
-
-* Fri Oct 22 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.6
-- Update to af1a5bc
-
-* Fri Oct 22 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.5
-- Reduce macro indirection in the spec file
-
-* Thu Sep 09 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.4
-- Update to c0c9826 (fix RHBZ#2002436)
-
-* Tue Aug 24 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.3
-- Fix signature of dummy realloc() for STB_VORBIS_NO_CRT
-
-* Mon Aug 23 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.2
-- Use symlinks so including "stb_foo.h" and "stb/stb_foo.h" both work
-
-* Mon Aug 23 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 0-0.1
-- Initial package
-## END: Generated by rpmautospec
+%autochangelog