[Debian-med-packaging] Bug#987044: libbiosig3: certain files can crash save2gdf and produce invalid json output

Fri Apr 16 11:32:13 BST 2021

Package: libbiosig3
Version: 2.1.2-3
Severity: important
Tags: patch

Dear Maintainer,

as suggested by you [1], I'm filing this bug report.

   * What led up to the situation?

Trying to handle this files
https://www.physionet.org/files/sleep-edfx/1.0.0/sleep-cassette/SC4001EC-Hypnogram.edf?download
with Biosig-tools causes these two issues :

1) save2gdf -JSON SC4001EC-Hypnogram.edf
fails to produce valid JSON, because it contains the field

     SampleRate : inf

You can check with
     save2gdf -JSON SC4001EC-Hypnogram.edf | json_pp

or python
     import biosig, json
     HDR = json.loads(biosig.header('SC4001EC-Hypnogram.edf'))

2) Converting the edf into a gdf file crashes. You can test with:

    save2gdf SC4001EC-Hypnogram.edf SC4001EC-Hypnogram.edf.gdf

and does not produce the expected output.

    * What exactly did you do (or not do) that was effective (or 
ineffective)?

The patch as suggested [1] solves both issues, and a similar issue for 
other file formats (ACQ, BKR, and HEKA).

The issue was most likely introduced in Jan 2018, when the initial read 
page size was increased from 512 to 4096 bytes.
It most likely affects also libbiosig2 (v1.9.3) in buster.

Moreover, it might also affect the package Stimfit, which uses an 
outdated copy of libbbiosig.

The best solution would be to rebuild stimfit with
    ./configure --with-biosig ...
or
    ./configure --with-biosig2 ...

with a build-dependency on libbiosig-dev, and a runtime dependency on
    libbiosig2 | libbiosig3

The patches are already in upstream (see Jan 2021 in [2]);

The package sigviewer is also affected but updating libbiosig is 
sufficient there because it is dynamically linked, and the API did not 
change.

[1] 
https://alioth-lists.debian.net/pipermail/debian-med-packaging/2021-April/091120.html

[2] https://github.com/neurodroid/stimfit/commits/master

Cheers,
   Alois