| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Script to run to prepare a new release.
It will update the release number and tell you to update the
CHANGES file and to double check everything looks before doing
the release commit and tagging.
Afterwards you probably want to run release-update.sh to upload
the release and update the website at https://sourceware.org/bzip2/
There are embedded version strings and dates in a couple of places.
To keep the script simple remove some that aren't absolutely necessary.
README now just points to CHANGES.
README.COMPILATION.PROBLEMS only mentions the version once at the top.
bzip2.c only mentions the version once when doing --version.
manual.xml now doesn't have any embedded versions, just uses &bz-version;
everywhere.
|
| |
|
|
| |
decompress.c (BZ2_decompress): Check nGroups against BZ_N_GROUPS.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
which is
UChar selectorMtf[BZ_MAX_SELECTORS];
so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
access
Fixes out of bounds access discovered while fuzzying karchive
This was reported as CVE-2019-12900
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an
out-of-bounds write when there are many selectors.
|
| |
|
|
|
|
|
|
|
|
| |
These macros contain this pattern:
1 << ((Int32_value) & 31
This causes the undefined behavior sanitizers in clang and gcc to
complain because the shift, while ultimately stored to an unsigned
variable, is done as a signed value. Adding a cast to unsigned for
the int32 value resolves this issue.
|
| |
|
|
|
|
|
|
|
|
| |
When passing -q to get quiet output --test would not display an error
message, but would also suppress the exit 2 code to indicate the file
was corrupt. Only suppress the error message with -q, not the exit value.
This patch comes from Debian.
"bunzip2 -qt returns 0 for corrupt archives"
https://bugs.debian.org/279025
|
| |
|
|
|
|
|
|
|
|
| |
bzip2recover.c (main): Make sure to set outFile to NULL when done.
This was reported as CVE-2016-3189 and found in multiple distributions.
https://seclists.org/oss-sec/2016/q2/568
Some more analysis can be found in:
https://bugzilla.redhat.com/show_bug.cgi?id=1319648
|
| |
|
|
|
|
|
|
| |
bzip2recover.c (main) copies argv[0] to a statically sized buffer
without checking whether argv[0] might be too big (> 2000 chars).
This patch comes from Fedora and was originally reported at
https://bugzilla.redhat.com/show_bug.cgi?id=226979
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Modern GCC warns:
bzip2.c: In function ‘testStream’:
bzip2.c:557:37: warning: variable ‘nread’ set but not used
[-Wunused-but-set-variable]
Int32 bzerr, bzerr_dummy, ret, nread, streamNo, i;
^~~~~
GCC is correct. In testStream we don't care about the number of bytes
read by BZ2_bzRead. So just remove the variable and the assignment.
|
| |
|
|
|
|
|
|
|
| |
Script to run after a release has been tagged, signed and pushed
to git. Will do a fresh checkout, verify the git tag, do fresh
build/dist, sign the dist with gpg, create a backup copy in HOME,
upload the tar.gz and sig to sourceware, checkout bzip2-htdocs,
copy over the new changes, manual, etc. and git push that to update
https://sourceware.org/bzip2/
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
