[med-svn] [Git][med-team/htscodecs][upstream] New upstream version 1.2.2
Étienne Mollier (@emollier)
gitlab at salsa.debian.org
Sun Jun 26 14:50:20 BST 2022
Étienne Mollier pushed to branch upstream at Debian Med / htscodecs
Commits:
07329cc3 by Étienne Mollier at 2022-06-26T15:03:44+02:00
New upstream version 1.2.2
- - - - -
9 changed files:
- NEWS
- configure
- configure.ac
- htscodecs/arith_dynamic.c
- htscodecs/fqzcomp_qual.c
- htscodecs/htscodecs.h
- htscodecs/rANS_static.c
- htscodecs/rANS_static4x16pr.c
- htscodecs/tokenise_name3.c
Changes:
=====================================
NEWS
=====================================
@@ -1,3 +1,40 @@
+Release 1.2.2: 1st April 2022
+-----------------------------
+
+This release contains some fixes found during fuzzing with Clang's
+memory-sanitizer. None of these are involving writing memory so there
+is no possibility for code execution vulnerabilities. However some do
+could access uninitialised elements in locally allocated memory, which
+could leak private data if the library was used in conjunction with
+other tools which don't zero sensitive data before freeing.
+
+Bug fixes:
+
+- The name tokeniser now validates the stored length in the data
+ stream matches the actual decoded length. Discovered by Taotao Gu.
+
+- Fixed an endless loop in arith_dynamic and rans4x16pr involving
+ X_STRIPE with 0 stripes.
+
+- Avoid a harmless (and wrong?) undefined behaviour sanitizer error
+ when calling memcpy(ptr, NULL, 0) in the name tokeniser.
+
+- Fixed possible uninitialised memory access in
+ rans_uncompress_O1_4x16. If the frequency table didn't add up to
+ the correct amount, parts of the "fb" table were left unpopulated.
+ It was then possible to use these array elements in some of the rANS
+ calculations.
+
+- Similarly rans_uncompress_O0 could access an uninitialised element
+ 4095 of the decoder tables if the frequencies summed to 4095 instead
+ of the expected 4096.
+
+- Improved error detection from fqzcomp's read_array function.
+
+- Reject fqzcomp parameters with inconsistent "sel" parameters, which
+ could lead to uninitialised access to the model.sel range coder.
+
+
Release 1.2.1: 15th February 2022
---------------------------------
=====================================
configure
=====================================
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for htscodecs 1.2.1.
+# Generated by GNU Autoconf 2.69 for htscodecs 1.2.2.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='htscodecs'
PACKAGE_TARNAME='htscodecs'
-PACKAGE_VERSION='1.2.1'
-PACKAGE_STRING='htscodecs 1.2.1'
+PACKAGE_VERSION='1.2.2'
+PACKAGE_STRING='htscodecs 1.2.2'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1335,7 +1335,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures htscodecs 1.2.1 to adapt to many kinds of systems.
+\`configure' configures htscodecs 1.2.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1406,7 +1406,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of htscodecs 1.2.1:";;
+ short | recursive ) echo "Configuration of htscodecs 1.2.2:";;
esac
cat <<\_ACEOF
@@ -1522,7 +1522,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-htscodecs configure 1.2.1
+htscodecs configure 1.2.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1887,7 +1887,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by htscodecs $as_me 1.2.1, which was
+It was created by htscodecs $as_me 1.2.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2758,7 +2758,7 @@ fi
# Define the identity of the package.
PACKAGE='htscodecs'
- VERSION='1.2.1'
+ VERSION='1.2.2'
cat >>confdefs.h <<_ACEOF
@@ -2925,7 +2925,7 @@ fi
# libhtscodecs.so.1.1.0
VERS_CURRENT=2
-VERS_REVISION=5
+VERS_REVISION=6
VERS_AGE=0
@@ -13285,7 +13285,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by htscodecs $as_me 1.2.1, which was
+This file was extended by htscodecs $as_me 1.2.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -13351,7 +13351,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-htscodecs config.status 1.2.1
+htscodecs config.status 1.2.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
=====================================
configure.ac
=====================================
@@ -1,5 +1,5 @@
dnl Process this file with autoconf to produce a configure script.
-AC_INIT(htscodecs, 1.2.1)
+AC_INIT(htscodecs, 1.2.2)
# Some functions benefit from -O3 optimisation, so if the user didn't
# explicitly set any compiler flags, we'll plump for O3.
@@ -60,7 +60,7 @@ AM_MAINTAINER_MODE
# libhtscodecs.so.1.1.0
VERS_CURRENT=2
-VERS_REVISION=5
+VERS_REVISION=6
VERS_AGE=0
AC_SUBST(VERS_CURRENT)
AC_SUBST(VERS_REVISION)
=====================================
htscodecs/arith_dynamic.c
=====================================
@@ -886,6 +886,8 @@ unsigned char *arith_uncompress_to(unsigned char *in, unsigned int in_size,
if (c_meta_len >= in_size)
return NULL;
unsigned int N = in[c_meta_len++];
+ if (N < 1) // Must be at least one stripe
+ return NULL;
unsigned int clenN[256], ulenN[256], idxN[256];
if (!out) {
if (ulen >= INT_MAX)
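Review bot: `if (N < 1)` on an unsigned int reads oddly because the only value it rejects is zero; `if (N == 0) // Must be at least one stripe` states the intent directly, and the same guard appears again in the rans_uncompress_to_4x16 hunk (after the `in[c_meta_len++]` read there). The guard itself is sound: N comes from a single byte, so it is at most 255 and always fits the 256-entry clenN/ulenN/idxN arrays declared on the next line. arith_uncompress_to starts outside the hunk.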
@@ -1084,7 +1086,6 @@ unsigned char *arith_uncompress_to(unsigned char *in, unsigned int in_size,
goto err;
}
} else {
- tmp1 = NULL;
tmp1_size = 0;
}
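Review bot: Dropping `tmp1 = NULL;` leaves tmp1 holding whatever it was assigned before this branch, and nothing in the hunk shows that earlier assignment or why the pointer must now survive the non-pack path; a one-line comment in the else branch explaining the intent, e.g. `// tmp1 keeps its earlier value on purpose; only the size is reset`, would stop the next reader from re-adding the reset. The identical removal is made in rans_uncompress_to_4x16 (the `tmp1_size = 0;` hunk of rANS_static4x16pr.c) and would benefit from the same comment. Both enclosing functions start outside their hunks.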
=====================================
htscodecs/fqzcomp_qual.c
=====================================
@@ -1204,24 +1204,36 @@ int fqz_read_parameters1(fqz_param *pm, unsigned char *in, size_t in_size) {
}
if (pm->qbits) {
- if (pm->use_qtab)
- in_idx += read_array(in+in_idx, in_size-in_idx, pm->qtab, 256);
- else
+ if (pm->use_qtab) {
+ int used = read_array(in+in_idx, in_size-in_idx, pm->qtab, 256);
+ if (used < 0)
+ return -1;
+ in_idx += used;
+ } else {
for (i = 0; i < 256; i++)
pm->qtab[i] = i;
+ }
}
- if (pm->use_ptab)
- in_idx += read_array(in+in_idx, in_size-in_idx, pm->ptab, 1024);
- else
+ if (pm->use_ptab) {
+ int used = read_array(in+in_idx, in_size-in_idx, pm->ptab, 1024);
+ if (used < 0)
+ return -1;
+ in_idx += used;
+ } else {
for (i = 0; i < 1024; i++)
pm->ptab[i] = 0;
+ }
- if (pm->use_dtab)
- in_idx += read_array(in+in_idx, in_size-in_idx, pm->dtab, 256);
- else
+ if (pm->use_dtab) {
+ int used = read_array(in+in_idx, in_size-in_idx, pm->dtab, 256);
+ if (used < 0)
+ return -1;
+ in_idx += used;
+ } else {
for (i = 0; i < 256; i++)
pm->dtab[i] = 0;
+ }
return in_idx;
}
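Review bot: The read-then-check sequence added for qtab, ptab and dtab is the same five lines repeated three times; a small static helper wrapping the read_array call, the `< 0` test and the `in_idx` advance would keep the bounds arithmetic in one place. That also gives a single spot to guard `in_size - in_idx` against `in_idx` exceeding `in_size`, which would wrap the size_t to a huge value if nothing earlier bounds `in_idx` (not visible in the hunk). The helper's parameter types below mirror the read_array call as written; `in_idx` is assumed to be an int since this function returns it. fqz_read_parameters1 starts outside the hunk, and the stab read in the next hunk follows the same pattern.
```c
/* Read one table via read_array and advance *in_idx; -1 on malformed input. */
static int read_table(unsigned char *in, size_t in_size, int *in_idx,
                      int *tab, int n) {
    if ((size_t)*in_idx > in_size)
        return -1;
    int used = read_array(in + *in_idx, in_size - *in_idx, tab, n);
    if (used < 0)
        return -1;
    *in_idx += used;
    return 0;
}

// … unchanged: start of fqz_read_parameters1 …
    if (pm->qbits) {
        if (pm->use_qtab) {
            if (read_table(in, in_size, &in_idx, pm->qtab, 256) < 0)
                return -1;
        } else {
            for (i = 0; i < 256; i++)
                pm->qtab[i] = i;
        }
    }
    // … unchanged: ptab and dtab take the same shape …
```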
@@ -1250,7 +1262,10 @@ int fqz_read_parameters(fqz_gparams *gp, unsigned char *in, size_t in_size) {
if (gp->gflags & GFLAG_HAVE_STAB) {
gp->max_sel = in[in_idx++];
- in_idx += read_array(in+in_idx, in_size-in_idx, gp->stab, 256);
+ int used = read_array(in+in_idx, in_size-in_idx, gp->stab, 256);
+ if (used < 0)
+ goto err;
+ in_idx += used;
} else {
for (i = 0; i < gp->nparam; i++)
gp->stab[i] = i;
@@ -1267,6 +1282,8 @@ int fqz_read_parameters(fqz_gparams *gp, unsigned char *in, size_t in_size) {
int e = fqz_read_parameters1(&gp->p[i], in + in_idx, in_size-in_idx);
if (e < 0)
goto err;
+ if (gp->p[i].do_sel && gp->max_sel == 0)
+ goto err; // Inconsistent
in_idx += e;
if (gp->max_sym < gp->p[i].max_sym)
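Review bot: `goto err; // Inconsistent` does not say what is inconsistent, and the reason matters because it is a security check: per the NEWS entry in this commit, a parameter block with do_sel set while no selector table was stored (max_sel == 0) could later drive the model.sel range coder on uninitialised state. Suggest `goto err; // do_sel set but max_sel == 0: no selector table, model.sel would be uninitialised`. fqz_read_parameters continues outside the hunk.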
=====================================
htscodecs/htscodecs.h
=====================================
@@ -43,7 +43,7 @@
* Note currently this needs manually editing as it isn't automatically
* updated by autoconf.
*/
-#define HTSCODECS_VERSION 100201
+#define HTSCODECS_VERSION 100202
/*
* A const string form of the HTSCODECS_VERSION define.
=====================================
htscodecs/rANS_static.c
=====================================
@@ -304,6 +304,13 @@ unsigned char *rans_uncompress_O0(unsigned char *in, unsigned int in_size,
if (x < TOTFREQ-1 || x > TOTFREQ)
goto cleanup;
+ if (x != TOTFREQ) {
+ // Protection against accessing uninitialised memory in the case
+ // where SUM(freqs) == 4095 and not 4096.
+ ssym [x] = ssym [x-1];
+ sfreq[x] = sfreq[x-1];
+ sbase[x] = sbase[x-1]+1;
+ }
// 16 bytes of cp here. Also why cp - 16 in above loop.
if (cp > cp_end - 16) goto cleanup; // Not enough input bytes left
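Review bot: The new block is only safe because the check immediately above has already narrowed x to TOTFREQ-1 or TOTFREQ, so `x-1` is a valid index and `ssym[x]` is the last slot of a TOTFREQ-sized table; the comment should state that dependency so the two checks are not separated later. It should also say what the filler means: giving slot x the previous symbol with `sbase[x-1]+1` presumably makes a state that lands on slot x decode as if it had landed on slot x-1, so a stream whose frequencies sum to 4095 produces deterministic output instead of reading an unpopulated entry. Suggest `// Only reached when x == TOTFREQ-1 (checked above). Slot x is unreachable for valid input; alias it to the previous symbol so a corrupt stream decodes deterministically instead of reading an uninitialised entry.` rans_uncompress_O0 continues outside the hunk.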
=====================================
htscodecs/rANS_static4x16pr.c
=====================================
@@ -362,7 +362,7 @@ unsigned int rans_compress_bound_4x16(unsigned int size, int order) {
if (!N) N=4;
order &= 0xff;
- int sz = (order == 0
+ unsigned int sz = (order == 0
? 1.05*size + 257*3 + 4
: 1.05*size + 257*257*3 + 4 + 257*3+4) +
((order & X_PACK) ? 1 : 0) +
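Review bot: Changing sz to unsigned int does not remove the hazard on this line: `1.05*size + ...` is evaluated in double, and converting a double whose value exceeds UINT_MAX to unsigned int is undefined behaviour (C11 6.3.1.4), which is reachable for size values near UINT_MAX. Because a compress-bound result is normally used to size an output buffer, a wrong value here turns into an undersized allocation downstream; the robust fix is a guard before the arithmetic that rejects or saturates sizes above roughly `UINT_MAX / 1.05` minus the constant overheads, with the failure value documented for callers. The remainder of rans_compress_bound_4x16 lies outside the hunk.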
@@ -911,16 +911,18 @@ unsigned char *rans_uncompress_O1_4x16(unsigned char *in, unsigned int in_size,
uint8_t *sfb_ = pthread_getspecific(rans_key);
if (!sfb_) {
- sfb_ = calloc(256*(TOTFREQ_O1+MAGIC2), sizeof(*sfb_));
+ sfb_ = calloc(256*(TOTFREQ_O1+MAGIC2)
+ + 256*256*sizeof(fb_t), sizeof(*sfb_));
pthread_setspecific(rans_key, sfb_);
}
#else
- uint8_t *sfb_ = calloc(256*(TOTFREQ_O1+MAGIC2), sizeof(*sfb_));
+ uint8_t *sfb_ = calloc(256*(TOTFREQ_O1+MAGIC2)
+ + 256*256*sizeof(fb_t), sizeof(*sfb_));
#endif
if (!sfb_)
return NULL;
- fb_t fb[256][256];
+ fb_t (*fb)[256] = (fb_t (*)[256]) (sfb_ + 256*(TOTFREQ_O1+MAGIC2));
uint8_t *sfb[256];
if ((*cp >> 4) == TF_SHIFT_O1) {
for (i = 0; i < 256; i++)
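Review bot: Moving fb from the stack into the calloc'd block silences the sanitizer, but on the pthread path the block is fetched from pthread_getspecific and allocated once per thread, so fb entries that a short frequency table leaves unpopulated now contain whatever the previous call on that thread stored there rather than zeros; a decoder that reads them still reads attacker-influenced stale data, just deterministically. If the intent is that no unpopulated entry is ever consumed, validate that the frequencies fill the table (the NEWS entry describes the under-summing case) or clear the region per call with `memset(fb, 0, 256*256*sizeof(fb_t));` before the fill loop, at the cost of that memset per call. The offset `256*(TOTFREQ_O1+MAGIC2)` is a multiple of 256, so the `fb_t (*)[256]` cast is alignment-safe; the unchecked `pthread_setspecific` return is pre-existing. rans_uncompress_O1_4x16 continues outside the hunk.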
@@ -1382,6 +1384,8 @@ unsigned char *rans_uncompress_to_4x16(unsigned char *in, unsigned int in_size,
if (c_meta_len >= in_size)
return NULL;
unsigned int N = in[c_meta_len++];
+ if (N < 1) // Must be at least one stripe
+ return NULL;
unsigned int clenN[256], ulenN[256], idxN[256];
if (!out) {
if (ulen >= INT_MAX)
@@ -1605,7 +1609,6 @@ unsigned char *rans_uncompress_to_4x16(unsigned char *in, unsigned int in_size,
goto err;
}
} else {
- tmp1 = NULL;
tmp1_size = 0;
}
tmp2_size = tmp3_size = tmp1_size;
=====================================
htscodecs/tokenise_name3.c
=====================================
@@ -1214,6 +1214,7 @@ static int64_t arith_decode(uint8_t *in, uint64_t in_len, uint8_t *out, uint64_t
if (arith_uncompress_to(in+nb, in_len-nb, out, &olen) == NULL)
return -1;
//fprintf(stderr, " Stored clen=%d\n", (int)clen);
+ *out_len = olen;
return clen+nb;
}
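Review bot: `*out_len = olen;` makes out_len an in/out parameter of arith_decode (and of rans_decode in the next hunk), but the functions' headers lie outside the hunk and nothing here states that the decoded length is written back, which the new `buf_a != ulen` check in decode_names now relies on. Suggest a Doxygen line on each, `@param[in,out] out_len  on entry presumably the capacity of out (it is passed through to the uncompressor); on return the number of bytes decoded`. olen is narrower than out_len if it is the unsigned int the uncompressor takes, so the assignment only widens.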
@@ -1240,6 +1241,7 @@ static int64_t rans_decode(uint8_t *in, uint64_t in_len, uint8_t *out, uint64_t
if (rans_uncompress_to_4x16(in+nb, in_len-nb, out, &olen) == NULL)
return -1;
//fprintf(stderr, " Stored clen=%d\n", (int)clen);
+ *out_len = olen;
return clen+nb;
}
@@ -1594,6 +1596,8 @@ uint8_t *decode_names(uint8_t *in, uint32_t sz, uint32_t *out_len) {
i = (tnum<<4) | (ttype&15);
if (j >= i)
goto err;
+ if (!ctx->desc[j].buf)
+ goto err; // Attempt to copy a non-existent stream
ctx->desc[i].buf_l = 0;
ctx->desc[i].buf_a = ctx->desc[j].buf_a;
@@ -1650,9 +1654,8 @@ uint8_t *decode_names(uint8_t *in, uint32_t sz, uint32_t *out_len) {
uint64_t usz = ctx->desc[i].buf_a; // convert from size_t for 32-bit sys
clen = uncompress(use_arith, &in[o], sz-o, ctx->desc[i].buf, &usz);
ctx->desc[i].buf_a = usz;
- if (clen < 0)
+ if (clen < 0 || ctx->desc[i].buf_a != ulen)
goto err;
- assert(ctx->desc[i].buf_a == ulen);
// fprintf(stderr, "%d: Decode tnum %d type %d clen %d ulen %d via %d\n",
// o, tnum, ttype, (int)clen, (int)ctx->desc[i].buf_a, ctx->desc[i].buf[0]);