apply patch from @hzeller to fix the root cause of CVE-2021-45340 (#40)

* apply patch from @hzeller to fix the root cause of CVE-2021-45340 Signed-off-by: Cocoa <[email protected]>
elixir-nx · Feb 1, 2025 · 3eb686f · 3eb686f
1 parent 6e797c9
commit 3eb686f
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 2 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -71,7 +71,7 @@ jobs:
           mix test
 
   macos:
-    runs-on: macos-12
+    runs-on: macos-13
     env:
       MIX_ENV: test
       ELIXIR_VERSION: "1.16.2"

diff --git a/3rd_party/stb/stb_image.h b/3rd_party/stb/stb_image.h
@@ -100,7 +100,7 @@ RECENT REVISION HISTORY:
  Bug & warning fixes
     Marc LeBlanc            David Woo          Guillaume George     Martins Mozeiko
     Christpher Lloyd        Jerry Jansson      Joseph Thomson       Blazej Dariusz Roszkowski
-    Phil Jordan                                Dave Moore           Roy Eltham
+    Phil Jordan             Henner Zeller      Dave Moore           Roy Eltham
     Hayaki Saito            Nathan Reed        Won Chun
     Luke Graham             Johan Duparc       Nick Verigakis       the Horde3D community
     Thomas Ruf              Ronny Chevalier                         github:rlyeh
@@ -1760,6 +1760,7 @@ static unsigned char *stbi__convert_format(unsigned char *data, int img_n, int r
    int i,j;
    unsigned char *good;
 
+   if (data == NULL) return data;
    if (req_comp == img_n) return data;
    STBI_ASSERT(req_comp >= 1 && req_comp <= 4);
 

diff --git a/test/stb-issue-cve-2021-45340.gif b/test/stb-issue-cve-2021-45340.gif
diff --git a/test/stb_image_test.exs b/test/stb_image_test.exs
@@ -297,5 +297,11 @@ defmodule StbImageTest do
 
       assert decoded == expected
     end
+
+    test "CVE-2021-45340" do
+      assert_raise ArgumentError, "cannot decode image", fn ->
+        StbImage.read_file!(Path.join(__DIR__, "stb-issue-cve-2021-45340.gif"))
+      end
+    end
   end
 end