
package/assimp: add upstream security fix for CVE-2024-48423

Fixes the following security issue:

CVE-2024-48423: An issue in assimp v.5.4.3 allows a local attacker to
execute arbitrary code via the CallbackToLogRedirector function within the
Assimp library

https://github.com/assimp/assimp/issues/5788
https://www.cve.org/CVERecord?id=CVE-2024-48423

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
(cherry picked from commit ad82b284271b7039144a290b503aba294c1e39bf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Peter Korsgaard 5 月之前
父节点
当前提交
0bdc4429d8

+ 139 - 0
package/assimp/0001-Fix-leak-5762.patch

@@ -0,0 +1,139 @@
+From 4024726eca89331503bdab33d0b9186e901bbc45 Mon Sep 17 00:00:00 2001
+From: Kim Kulling <kimkulling@users.noreply.github.com>
+Date: Sat, 7 Sep 2024 21:02:34 +0200
+Subject: [PATCH] Fix leak (#5762)
+
+* Fix leak
+
+* Update utLogger.cpp
+
+Upstream: https://github.com/assimp/assimp/commit/4024726eca89331503bdab33d0b9186e901bbc45
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ code/Common/Assimp.cpp        | 13 ++++++---
+ fuzz/assimp_fuzzer.cc         |  2 +-
+ test/CMakeLists.txt           |  1 +
+ test/unit/Common/utLogger.cpp | 52 +++++++++++++++++++++++++++++++++++
+ 4 files changed, 63 insertions(+), 5 deletions(-)
+ create mode 100644 test/unit/Common/utLogger.cpp
+
+diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
+index ef3ee7b5d..91896e405 100644
+--- a/code/Common/Assimp.cpp
++++ b/code/Common/Assimp.cpp
+@@ -359,20 +359,25 @@ void CallbackToLogRedirector(const char *msg, char *dt) {
+     s->write(msg);
+ }
+ 
++static LogStream *DefaultStream = nullptr;
++
+ // ------------------------------------------------------------------------------------------------
+ ASSIMP_API aiLogStream aiGetPredefinedLogStream(aiDefaultLogStream pStream, const char *file) {
+     aiLogStream sout;
+ 
+     ASSIMP_BEGIN_EXCEPTION_REGION();
+-    LogStream *stream = LogStream::createDefaultStream(pStream, file);
+-    if (!stream) {
++    if (DefaultStream == nullptr) {
++        DefaultStream = LogStream::createDefaultStream(pStream, file);
++    }
++    
++    if (!DefaultStream) {
+         sout.callback = nullptr;
+         sout.user = nullptr;
+     } else {
+         sout.callback = &CallbackToLogRedirector;
+-        sout.user = (char *)stream;
++        sout.user = (char *)DefaultStream;
+     }
+-    gPredefinedStreams.push_back(stream);
++    gPredefinedStreams.push_back(DefaultStream);
+     ASSIMP_END_EXCEPTION_REGION(aiLogStream);
+     return sout;
+ }
+diff --git a/fuzz/assimp_fuzzer.cc b/fuzz/assimp_fuzzer.cc
+index 8178674e8..91ffd9d69 100644
+--- a/fuzz/assimp_fuzzer.cc
++++ b/fuzz/assimp_fuzzer.cc
+@@ -47,7 +47,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ using namespace Assimp;
+ 
+ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t dataSize) {
+-    aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT,NULL);
++    aiLogStream stream = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
+     aiAttachLogStream(&stream);
+ 
+     Importer importer;
+diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
+index 7b7fd850a..1a45adac7 100644
+--- a/test/CMakeLists.txt
++++ b/test/CMakeLists.txt
+@@ -100,6 +100,7 @@ SET( COMMON
+   unit/Common/utBase64.cpp
+   unit/Common/utHash.cpp
+   unit/Common/utBaseProcess.cpp
++  unit/Common/utLogger.cpp
+ )
+ 
+ SET(Geometry 
+diff --git a/test/unit/Common/utLogger.cpp b/test/unit/Common/utLogger.cpp
+new file mode 100644
+index 000000000..932240a7f
+--- /dev/null
++++ b/test/unit/Common/utLogger.cpp
+@@ -0,0 +1,52 @@
++/*
++---------------------------------------------------------------------------
++Open Asset Import Library (assimp)
++---------------------------------------------------------------------------
++
++Copyright (c) 2006-2024, assimp team
++
++All rights reserved.
++
++Redistribution and use of this software in source and binary forms,
++with or without modification, are permitted provided that the following
++conditions are met:
++
++* Redistributions of source code must retain the above
++copyright notice, this list of conditions and the
++following disclaimer.
++
++* Redistributions in binary form must reproduce the above
++copyright notice, this list of conditions and the
++following disclaimer in the documentation and/or other
++materials provided with the distribution.
++
++* Neither the name of the assimp team, nor the names of its
++contributors may be used to endorse or promote products
++derived from this software without specific prior
++written permission of the assimp team.
++
++THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++---------------------------------------------------------------------------
++*/
++
++#include "UnitTestPCH.h"
++#include <assimp/Importer.hpp>
++
++using namespace Assimp;
++class utLogger : public ::testing::Test {};
++
++TEST_F(utLogger, aiGetPredefinedLogStream_leak_test) {
++    aiLogStream stream1 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
++    aiLogStream stream2 = aiGetPredefinedLogStream(aiDefaultLogStream_STDOUT, nullptr);
++    ASSERT_EQ(stream1.callback, stream2.callback);
++}
+-- 
+2.39.5
+
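Review bot: The cache introduced at `if (DefaultStream == nullptr)` in aiGetPredefinedLogStream ignores `pStream` and `file`, so a second call asking for a different predefined stream (or a different log file) silently receives the stream created by the first call; either key the cache on those arguments or document in a comment above the function that only the first request is honoured. The same pointer is also pushed into `gPredefinedStreams` on every call, so whatever later drains that container (outside this hunk) sees duplicates — if it deletes each entry, that is a double free, worth confirming. This patch on its own leaves `DefaultStream` dangling once aiDetachLogStream deletes the stream; the 0002 patch in this same commit is what resets it, so the two must be applied together. The two lines at the top of the hunk are the tail of CallbackToLogRedirector, whose body starts outside the hunk.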

+ 39 - 0
package/assimp/0002-Fix-use-after-free-in-the-CallbackToLogRedirector-59.patch

@@ -0,0 +1,39 @@
+From f12e52198669239af525e525ebb68407977f8e34 Mon Sep 17 00:00:00 2001
+From: tyler92 <tyler92@inbox.ru>
+Date: Wed, 11 Dec 2024 12:17:14 +0200
+Subject: [PATCH] Fix use after free in the CallbackToLogRedirector (#5918)
+
+The heap-use-after-free vulnerability occurs in the
+CallbackToLogRedirector function. During the process of logging,
+a previously freed memory region is accessed, leading to a
+use-after-free condition. This vulnerability stems from incorrect
+memory management, specifically, freeing a log stream and then
+attempting to access it later on.
+
+This patch sets NULL value for The DefaultStream global pointer.
+
+Co-authored-by: Kim Kulling <kimkulling@users.noreply.github.com>
+Upstream: https://github.com/assimp/assimp/commit/f12e52198669239af525e525ebb68407977f8e34
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ code/Common/Assimp.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/code/Common/Assimp.cpp b/code/Common/Assimp.cpp
+index 91896e405..22e16bd36 100644
+--- a/code/Common/Assimp.cpp
++++ b/code/Common/Assimp.cpp
+@@ -416,6 +416,10 @@ ASSIMP_API aiReturn aiDetachLogStream(const aiLogStream *stream) {
+     DefaultLogger::get()->detachStream(it->second);
+     delete it->second;
+ 
++    if ((Assimp::LogStream *)stream->user == DefaultStream) {
++        DefaultStream = nullptr;
++    }
++
+     gActiveLogStreams.erase(it);
+ 
+     if (gActiveLogStreams.empty()) {
+-- 
+2.39.5
+
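Review bot: In aiDetachLogStream the added comparison `(Assimp::LogStream *)stream->user == DefaultStream` runs after `delete it->second;`, so it compares against a pointer value that is already invalid; move the added block above the `delete`, or capture `const bool is_default = reinterpret_cast<Assimp::LogStream *>(stream->user) == DefaultStream;` before it and reset afterwards, so the fix never depends on a freed pointer. The C-style cast would read better as `reinterpret_cast<Assimp::LogStream *>(stream->user)` (`user` is a `char *`, so `static_cast` does not apply). Only this detach path clears `DefaultStream`; any other code that frees entries of `gPredefinedStreams` (not visible here) would leave it dangling again, which is presumably the scenario the CVE describes — worth checking. aiDetachLogStream starts and continues outside the hunk.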

+ 4 - 0
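--- a/package/assimp/assimp.mk
+++ b/package/assimp/assimp.mk
@@ -12,6 +12,10 @@ ASSIMP_CPE_ID_VENDOR = assimp
 ASSIMP_DEPENDENCIES = zlib
 ASSIMP_INSTALL_STAGING = YES
 
+# 0001-Fix-leak-5762.patch
+# 0002-Fix-use-after-free-in-the-CallbackToLogRedirector-59.patch
+ASSIMP_IGNORE_CVES += CVE-2024-48423
+
 # relocation truncated to fit: R_68K_GOT16O. We also need to disable
 # optimizations to not run into "Error: value -43420 out of range"
 # assembler issues.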
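Review bot: The comment above `ASSIMP_IGNORE_CVES += CVE-2024-48423` names the two patches but does not say that only 0002 closes the use-after-free while 0001 is its prerequisite, nor when the ignore entry should go away; suggest adding `# 0001 is a prerequisite for 0002, which fixes the use-after-free; drop this entry once assimp is bumped to a release containing both upstream commits`. Without that, a future version bump may carry the ignore forward after the CVE no longer applies, or drop 0001 while keeping 0002.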