From 0497d4708a52d3b0b768f28a06662d4b5bd307b1 Mon Sep 17 00:00:00 2001 From: Matt Liberty Date: Tue, 2 Jun 2026 21:29:57 +0000 Subject: [PATCH] Update bzip2 from version 1.0.5 to 1.0.8 Get the fixes for CVE-2010-0405 & CVE-2019-12900. I have tried to preserve the local modifications on top of the base library. Signed-off-by: Matt Liberty --- src/misc/bzlib/blocksort.c | 12 ++++++------ src/misc/bzlib/bzlib.c | 10 +++++----- src/misc/bzlib/bzlib.h | 4 ++-- src/misc/bzlib/bzlib_private.h | 8 ++++---- src/misc/bzlib/compress.c | 16 ++++++++-------- src/misc/bzlib/crctable.c | 4 ++-- src/misc/bzlib/decompress.c | 34 ++++++++++++++++++++++++++++++---- src/misc/bzlib/huffman.c | 4 ++-- src/misc/bzlib/randtable.c | 4 ++-- 9 files changed, 61 insertions(+), 35 deletions(-) diff --git a/src/misc/bzlib/blocksort.c b/src/misc/bzlib/blocksort.c index 0dc4ff461..0921a3c37 100644 --- a/src/misc/bzlib/blocksort.c +++ b/src/misc/bzlib/blocksort.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.8 of 13 July 2019 + Copyright (C) 1996-2019 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -204,9 +204,9 @@ void fallbackQSort3 ( UInt32* fmap, bhtab [ 0 .. 2+(nblock/32) ] destroyed */ -#define SET_BH(zz) bhtab[(zz) >> 5] |= (1 << ((zz) & 31)) -#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~(1 << ((zz) & 31)) -#define ISSET_BH(zz) (bhtab[(zz) >> 5] & (1 << ((zz) & 31))) +#define SET_BH(zz) bhtab[(zz) >> 5] |= ((UInt32)1 << ((zz) & 31)) +#define CLEAR_BH(zz) bhtab[(zz) >> 5] &= ~((UInt32)1 << ((zz) & 31)) +#define ISSET_BH(zz) (bhtab[(zz) >> 5] & ((UInt32)1 << ((zz) & 31))) #define WORD_BH(zz) bhtab[(zz) >> 5] #define UNALIGNED_BH(zz) ((zz) & 0x01f) @@ -276,7 +276,7 @@ void fallbackSort ( UInt32* fmap, r = -1; while (1) { - /*-- find the next non-singleton bucket --*/ + /*-- find the next non-singleton bucket --*/ k = r + 1; while (ISSET_BH(k) && UNALIGNED_BH(k)) k++; if (ISSET_BH(k)) { diff --git a/src/misc/bzlib/bzlib.c b/src/misc/bzlib/bzlib.c index 96c10de64..5618c76cb 100644 --- a/src/misc/bzlib/bzlib.c +++ b/src/misc/bzlib/bzlib.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.8 of 13 July 2019 + Copyright (C) 1996-2019 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -54,12 +54,12 @@ void BZ2_bz__AssertH__fail ( int errcode ) fprintf(stderr, "\n\nbzip2/libbzip2: internal error number %d.\n" "This is a bug in bzip2/libbzip2, %s.\n" - "Please report it to me at: jseward@bzip.org. If this happened\n" + "Please report it to: bzip2-devel@sourceware.org. If this happened\n" "when you were using some program which uses libbzip2 as a\n" "component, you should also report this bug to the author(s)\n" "of that program. Please make an effort to report this bug;\n" "timely and accurate bug reports eventually lead to higher\n" - "quality software. Thanks. Julian Seward, 10 December 2007.\n\n", + "quality software. Thanks.\n\n", errcode, BZ2_bzlibVersion() ); @@ -436,7 +436,7 @@ int BZ_API(BZ2_bzCompress) ( bz_stream *strm, int action ) return progress ? BZ_RUN_OK : BZ_PARAM_ERROR; } else - if (action == BZ_FLUSH) { + if (action == BZ_FLUSH) { s->avail_in_expect = strm->avail_in; s->mode = BZ_M_FLUSHING; goto preswitch; diff --git a/src/misc/bzlib/bzlib.h b/src/misc/bzlib/bzlib.h index a1bca0bca..063d9220b 100644 --- a/src/misc/bzlib/bzlib.h +++ b/src/misc/bzlib/bzlib.h @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.8 of 13 July 2019 + Copyright (C) 1996-2019 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/src/misc/bzlib/bzlib_private.h b/src/misc/bzlib/bzlib_private.h index 229ed3863..c766070f4 100644 --- a/src/misc/bzlib/bzlib_private.h +++ b/src/misc/bzlib/bzlib_private.h @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.8 of 13 July 2019 + Copyright (C) 1996-2019 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -38,7 +38,7 @@ ABC_NAMESPACE_HEADER_START /*-- General stuff. --*/ -#define BZ_VERSION "1.0.5, 10-Dec-2007" +#define BZ_VERSION "1.0.8, 13-Jul-2019" typedef char Char; typedef unsigned char Bool; @@ -483,7 +483,7 @@ typedef /*-- externs for decompression. --*/ -Int32 +extern Int32 BZ2_indexIntoF ( Int32, Int32* ); extern Int32 diff --git a/src/misc/bzlib/compress.c b/src/misc/bzlib/compress.c index d4d5ac924..70a080f1a 100644 --- a/src/misc/bzlib/compress.c +++ b/src/misc/bzlib/compress.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.8 of 13 July 2019 + Copyright (C) 1996-2019 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -332,14 +332,14 @@ void sendMTFValues ( EState* s ) /*--- Set up an auxiliary length table which is used to fast-track - the common case (nGroups == 6). + the common case (nGroups == 6). ---*/ if (nGroups == 6) { for (v = 0; v < alphaSize; v++) { s->len_pack[v][0] = (s->len[1][v] << 16) | s->len[0][v]; s->len_pack[v][1] = (s->len[3][v] << 16) | s->len[2][v]; s->len_pack[v][2] = (s->len[5][v] << 16) | s->len[4][v]; - } + } } nSelectors = 0; @@ -388,7 +388,7 @@ void sendMTFValues ( EState* s ) cost[4] = cost45 & 0xffff; cost[5] = cost45 >> 16; } else { - /*--- slow version which correctly handles all situations ---*/ + /*--- slow version which correctly handles all situations ---*/ for (i = gs; i <= ge; i++) { UInt16 icv = mtfv[i]; for (t = 0; t < nGroups; t++) cost[t] += s->len[t][icv]; @@ -429,7 +429,7 @@ void sendMTFValues ( EState* s ) # undef BZ_ITUR } else { - /*--- slow version which correctly handles all situations ---*/ + /*--- slow version which correctly handles all situations ---*/ for (i = gs; i <= ge; i++) s->rfreq[bt][ mtfv[i] ]++; } @@ -457,7 +457,7 @@ void sendMTFValues ( EState* s ) AssertH( nGroups < 8, 3002 ); AssertH( nSelectors < 32768 && - nSelectors <= (2 + (900000 / BZ_G_SIZE)), + nSelectors <= BZ_MAX_SELECTORS, 3003 ); @@ -582,7 +582,7 @@ void sendMTFValues ( EState* s ) # undef BZ_ITAH } else { - /*--- slow version which correctly handles all situations ---*/ + /*--- slow version which correctly handles all situations ---*/ for (i = gs; i <= ge; i++) { bsW ( s, s->len [s->selector[selCtr]] [mtfv[i]], diff --git a/src/misc/bzlib/crctable.c b/src/misc/bzlib/crctable.c index 6e033d0d2..e1476dfde 100644 --- a/src/misc/bzlib/crctable.c +++ b/src/misc/bzlib/crctable.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.8 of 13 July 2019 + Copyright (C) 1996-2019 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/src/misc/bzlib/decompress.c b/src/misc/bzlib/decompress.c index 4b7370f1e..421d7e9c1 100644 --- a/src/misc/bzlib/decompress.c +++ b/src/misc/bzlib/decompress.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.8 of 13 July 2019 + Copyright (C) 1996-2019 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -292,7 +292,7 @@ Int32 BZ2_decompress ( DState* s ) /*--- Now the selectors ---*/ GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); - if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); + if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR); GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); if (nSelectors < 1) RETURN(BZ_DATA_ERROR); for (i = 0; i < nSelectors; i++) { @@ -303,8 +303,14 @@ Int32 BZ2_decompress ( DState* s ) j++; if (j >= nGroups) RETURN(BZ_DATA_ERROR); } - s->selectorMtf[i] = j; + /* Having more than BZ_MAX_SELECTORS doesn't make much sense + since they will never be used, but some implementations might + "round up" the number of selectors, so just ignore those. */ + if (i < BZ_MAX_SELECTORS) + s->selectorMtf[i] = j; } + if (nSelectors > BZ_MAX_SELECTORS) + nSelectors = BZ_MAX_SELECTORS; /*--- Undo the MTF values for the selectors. ---*/ { @@ -388,6 +394,13 @@ Int32 BZ2_decompress ( DState* s ) es = -1; N = 1; do { + /* Check that N doesn't get too big, so that es doesn't + go negative. The maximum value that can be + RUNA/RUNB encoded is equal to the block size (post + the initial RLE), viz, 900k, so bounding N at 2 + million should guard against overflow without + rejecting any legitimate inputs. */ + if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR); if (nextSym == BZ_RUNA) es = es + (0+1) * N; else if (nextSym == BZ_RUNB) es = es + (1+1) * N; N = N * 2; @@ -492,15 +505,28 @@ Int32 BZ2_decompress ( DState* s ) RETURN(BZ_DATA_ERROR); /*-- Set up cftab to facilitate generation of T^(-1) --*/ + /* Check: unzftab entries in range. */ + for (i = 0; i <= 255; i++) { + if (s->unzftab[i] < 0 || s->unzftab[i] > nblock) + RETURN(BZ_DATA_ERROR); + } + /* Actually generate cftab. */ s->cftab[0] = 0; for (i = 1; i <= 256; i++) s->cftab[i] = s->unzftab[i-1]; for (i = 1; i <= 256; i++) s->cftab[i] += s->cftab[i-1]; + /* Check: cftab entries in range. */ for (i = 0; i <= 256; i++) { if (s->cftab[i] < 0 || s->cftab[i] > nblock) { /* s->cftab[i] can legitimately be == nblock */ RETURN(BZ_DATA_ERROR); } } + /* Check: cftab entries non-descending. */ + for (i = 1; i <= 256; i++) { + if (s->cftab[i-1] > s->cftab[i]) { + RETURN(BZ_DATA_ERROR); + } + } s->state_out_len = 0; s->state_out_ch = 0; diff --git a/src/misc/bzlib/huffman.c b/src/misc/bzlib/huffman.c index 0f367d624..df877c73c 100644 --- a/src/misc/bzlib/huffman.c +++ b/src/misc/bzlib/huffman.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.8 of 13 July 2019 + Copyright (C) 1996-2019 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/src/misc/bzlib/randtable.c b/src/misc/bzlib/randtable.c index 9cabcb696..ea8ad3f48 100644 --- a/src/misc/bzlib/randtable.c +++ b/src/misc/bzlib/randtable.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.8 of 13 July 2019 + Copyright (C) 1996-2019 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file.