From: Kirill A. Korinsky <kirill@korins.ky>
Subject: Re: archivers/bzip3: update to 1.5.2
To: tb@theobuehler.org, ports@openbsd.org
Date: Sun, 01 Jun 2025 14:56:41 +0200

On Mon, 28 Apr 2025 20:28:11 +0200,
Kirill A. Korinsky <kirill@korins.ky> wrote:
> 
> On Mon, 28 Apr 2025 20:08:05 +0200,
> Theo Buehler <tb@theobuehler.org> wrote:
> > 
> > On Mon, Apr 28, 2025 at 01:14:03PM +0200, Kirill A. Korinsky wrote:
> > > ports@,
> > > 
> > > here a minor update for archivers/bzip3 to 1.5.2
> > > 
> > > Changes:
> > > 
> > > v1.1.2:
> > > * fix memory UB in libsais
> > > * restructure src/cm.c
> > > * block size check in src/libbz3.c
> > > * fix shift UB in lzp
> > > * -h/-v CLI switches
> > > * change maximum block size to ~512M
> > > 
> > > tested on -current/amd64, works.
> > > 
> > > Also, /usr/src/lib/check_sym doesn't pick any changes in libraries, and
> > > sources had only one internally used .h file to be chnaged in this release:
> > > https://github.com/kspalaiologos/bzip3/compare/1.5.1...1.5.2#diff-b6f1ba1afa0ca630e1b50a4d39ede5448cf73f6cab20da49aa9a7447c7efe4e4
> > > 
> > > All of this leads to a conclusion that no need to increase SHARED_LIBS.
> > 
> > Since it's not a public header, the changes in there don't matter
> > ABI-wise.  But do you really want to commit a piece of software that
> > does this?
> > 
> >    *strp = (char *) malloc(len + 1);
> > -  if (!*strp) return -1;
> > +  if (!*strp) {
> > +    memcpy(*strp, yarg_oom, sizeof(yarg_oom));
> > 
> 
> I had missed it.
> 
> Well... I think it is a wise idea to skip this update and ask upstream.
> 
> But I'm surprised to say the least.
> 

Upstream had merged both my patches which fixes two similar cases.

Anyway the upstream said me, let me quote:

> This is not important in the CLI tool, as in low memory scenarios there is
> no need to recover from errors. But I will merge this anyway for
> consistency with the yarg patch. Maybe in the future I should use macros
> that make these checks less gross. Maybe using a custom malloc wrapper for
> the CLI tool that immediately kills the application when memory runs out.

so, she thinks that it's ok.

We have it, and I think that update it is right things to do and here the
diff which I have locally for a while.

Ok?

Index: Makefile
===================================================================
RCS file: /cvs/ports/archivers/bzip3/Makefile,v
diff -u -p -r1.2 Makefile
--- Makefile	18 Dec 2024 13:50:20 -0000	1.2
+++ Makefile	1 Jun 2025 12:53:18 -0000
@@ -1,6 +1,6 @@
 COMMENT=	compress and decompress bzip3 files
 
-V=		1.5.1
+V=		1.5.2
 DISTNAME=	bzip3-${V}
 
 SHARED_LIBS +=  bzip3                1.0      # 0.0
Index: distinfo
===================================================================
RCS file: /cvs/ports/archivers/bzip3/distinfo,v
diff -u -p -r1.2 distinfo
--- distinfo	18 Dec 2024 13:50:20 -0000	1.2
+++ distinfo	1 Jun 2025 12:53:18 -0000
@@ -1,6 +1,6 @@
-SHA256 (bzip3-1.5.1-shakespeare.txt) = xWAdJmmHrIhcqWUisbTkOf637KOfD+ERH3NCtjtkaPM=
-SHA256 (bzip3-1.5.1-shakespeare.txt.bz3) = +v3DKYMXec9dCo9ZXODzAosU7CGImenHuhJT8gN3Ybo=
-SHA256 (bzip3-1.5.1.tar.gz) = zHys2m0V8k0/5z/Ye4ldX9LA+LbdBjCuSZOqRcSFPDs=
-SIZE (bzip3-1.5.1-shakespeare.txt) = 5458199
-SIZE (bzip3-1.5.1-shakespeare.txt.bz3) = 1262682
-SIZE (bzip3-1.5.1.tar.gz) = 413067
+SHA256 (bzip3-1.5.2-shakespeare.txt) = xWAdJmmHrIhcqWUisbTkOf637KOfD+ERH3NCtjtkaPM=
+SHA256 (bzip3-1.5.2-shakespeare.txt.bz3) = +v3DKYMXec9dCo9ZXODzAosU7CGImenHuhJT8gN3Ybo=
+SHA256 (bzip3-1.5.2.tar.gz) = nRAJKjhCN45tCxaZLuSfcRME2I6076yARAM4GE1LYnY=
+SIZE (bzip3-1.5.2-shakespeare.txt) = 5458199
+SIZE (bzip3-1.5.2-shakespeare.txt.bz3) = 1262682
+SIZE (bzip3-1.5.2.tar.gz) = 414230
Index: patches/patch-include_yarg_h
===================================================================
RCS file: patches/patch-include_yarg_h
diff -N patches/patch-include_yarg_h
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-include_yarg_h	1 Jun 2025 12:53:18 -0000
@@ -0,0 +1,39 @@
+https://github.com/kspalaiologos/bzip3/commit/fed8ccd4c845cc4536710f4f706ff7386d8191ae
+
+Index: include/yarg.h
+--- include/yarg.h.orig
++++ include/yarg.h
+@@ -49,23 +49,25 @@ typedef struct {
+ 
+ static const char yarg_oom[] = "Out of memory";
+ static int yarg_asprintf(char ** strp, const char * fmt, ...) {
++  if (fmt == yarg_oom)
++    goto use_yarg_oom;
+   va_list ap;
+   va_start(ap, fmt);
+   int len = vsnprintf(NULL, 0, fmt, ap);
+   va_end(ap);
+-  if (len < 0) {
+-    memcpy(*strp, yarg_oom, sizeof(yarg_oom));
+-    return sizeof(yarg_oom);
+-  }
++  if (len < 0)
++    goto use_yarg_oom;
+   *strp = (char *) malloc(len + 1);
+-  if (!*strp) {
+-    memcpy(*strp, yarg_oom, sizeof(yarg_oom));
+-    return sizeof(yarg_oom);
+-  }
++  if (!*strp)
++    goto use_yarg_oom;
+   va_start(ap, fmt);
+   len = vsnprintf(*strp, len + 1, fmt, ap);
+   va_end(ap);
+   return len;
++
++use_yarg_oom:
++    *strp = (char *)yarg_oom;
++    return sizeof(yarg_oom);
+ }
+ 
+ static char * yarg_strdup(const char * str) {
Index: patches/patch-src_main_c
===================================================================
RCS file: patches/patch-src_main_c
diff -N patches/patch-src_main_c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_main_c	1 Jun 2025 12:53:18 -0000
@@ -0,0 +1,49 @@
+https://github.com/kspalaiologos/bzip3/commit/42e1cfc5e65054639517b3517dc61fb0b6d28408
+
+Index: src/main.c
+--- src/main.c.orig
++++ src/main.c
+@@ -650,6 +650,10 @@ int main(int argc, char * argv[]) {
+                         output_name = NULL;
+                     else {
+                         output_name = malloc(strlen(arg) + 5);
++                        if (!output_name) {
++                            fprintf(stderr, "Failed to allocate memory.\n");
++                            return 1;
++                        }
+                         strcpy(output_name, arg);
+                         strcat(output_name, ".bz3");
+                     }
+@@ -677,6 +681,10 @@ int main(int argc, char * argv[]) {
+                         output_name = NULL;
+                     else {
+                         output_name = malloc(strlen(arg) + 1);
++                        if (!output_name) {
++                            fprintf(stderr, "Failed to allocate memory.\n");
++                            return 1;
++                        }
+                         strcpy(output_name, arg);
+                         if (strlen(output_name) > 4 && !strcmp(output_name + strlen(output_name) - 4, ".bz3"))
+                             output_name[strlen(output_name) - 4] = 0;
+@@ -744,6 +752,10 @@ int main(int argc, char * argv[]) {
+                     output = NULL;
+                 else {
+                     output = malloc(strlen(f1) + 5);
++                    if (!output) {
++                        fprintf(stderr, "Failed to allocate memory.\n");
++                        return 1;
++                    }
+                     strcpy(output, f1);
+                     strcat(output, ".bz3");
+                 }
+@@ -760,6 +772,10 @@ int main(int argc, char * argv[]) {
+                     output = NULL;
+                 else {
+                     output = malloc(strlen(f1) + 1);
++                    if (!output) {
++                        fprintf(stderr, "Failed to allocate memory.\n");
++                        return 1;
++                    }
+                     strcpy(output, f1);
+                     if (strlen(output) > 4 && !strcmp(output + strlen(output) - 4, ".bz3"))
+                         output[strlen(output) - 4] = 0;



-- 
wbr, Kirill