/* block-aio.c * * libaio-based raw disk implementation. * * (c) 2006 Andrew Warfield and Julian Chesterfield * * NB: This code is not thread-safe. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation; or, when distributed * separately from the Linux kernel or incorporated into other * software packages, subject to the following license: * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this source file (the "Software"), to deal in the Software without * restriction, including without limitation the rights to use, copy, modify, * merge, publish, distribute, sublicense, and/or sell copies of the Software, * and to permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS * IN THE SOFTWARE. */ #include #include #include #include #include #include #include #include #include #include "tapdisk.h" #include "tapaio.h" #include "blk.h" #define MAX_AIO_REQS (MAX_REQUESTS * MAX_SEGMENTS_PER_REQ) /* *BSD has no O_LARGEFILE */ #ifndef O_LARGEFILE #define O_LARGEFILE 0 #endif struct tdaio_state { int fd; tap_aio_context_t aio; }; /*Get Image size, secsize*/ static int get_image_info(struct td_state *s, int fd) { int ret; long size; unsigned long total_size; struct statvfs statBuf; struct stat stat; ret = fstat(fd, &stat); if (ret != 0) { DPRINTF("ERROR: fstat failed, Couldn't stat image"); return -EINVAL; } if (S_ISBLK(stat.st_mode)) { /*Accessing block device directly*/ if (blk_getimagesize(fd, &s->size) != 0) return -EINVAL; DPRINTF("Image size: \n\tpre sector_shift [%llu]\n\tpost " "sector_shift [%llu]\n", (long long unsigned)(s->size << SECTOR_SHIFT), (long long unsigned)s->size); /*Get the sector size*/ if (blk_getsectorsize(fd, &s->sector_size) != 0) s->sector_size = DEFAULT_SECTOR_SIZE; } else { /*Local file? try fstat instead*/ s->size = (stat.st_size >> SECTOR_SHIFT); s->sector_size = DEFAULT_SECTOR_SIZE; DPRINTF("Image size: \n\tpre sector_shift [%llu]\n\tpost " "sector_shift [%llu]\n", (long long unsigned)(s->size << SECTOR_SHIFT), (long long unsigned)s->size); } if (s->size == 0) { s->size =((uint64_t) 16836057); s->sector_size = DEFAULT_SECTOR_SIZE; } s->info = 0; return 0; } static inline void init_fds(struct disk_driver *dd) { int i; struct tdaio_state *prv = (struct tdaio_state *)dd->private; for(i = 0; i < MAX_IOFD; i++) dd->io_fd[i] = 0; dd->io_fd[0] = prv->aio.aio_ctx.pollfd; } /* Open the disk file and initialize aio state. */ static int tdaio_open (struct disk_driver *dd, const char *name, td_flag_t flags) { int i, fd, ret = 0, o_flags; struct td_state *s = dd->td_state; struct tdaio_state *prv = (struct tdaio_state *)dd->private; DPRINTF("block-aio open('%s')", name); /* Initialize AIO */ ret = tap_aio_init(&prv->aio, 0, MAX_AIO_REQS); if (ret != 0) return ret; /* Open the file */ o_flags = O_DIRECT | O_LARGEFILE | ((flags == TD_RDONLY) ? O_RDONLY : O_RDWR); fd = open(name, o_flags); if ( (fd == -1) && (errno == EINVAL) ) { /* Maybe O_DIRECT isn't supported. */ o_flags &= ~O_DIRECT; fd = open(name, o_flags); if (fd != -1) DPRINTF("WARNING: Accessing image without" "O_DIRECT! (%s)\n", name); } else if (fd != -1) DPRINTF("open(%s) with O_DIRECT\n", name); if (fd == -1) { DPRINTF("Unable to open [%s] (%d)!\n", name, 0 - errno); ret = 0 - errno; goto done; } prv->fd = fd; init_fds(dd); ret = get_image_info(s, fd); done: return ret; } static int tdaio_queue_read(struct disk_driver *dd, uint64_t sector, int nb_sectors, char *buf, td_callback_t cb, int id, void *private) { struct td_state *s = dd->td_state; struct tdaio_state *prv = (struct tdaio_state *)dd->private; int size = nb_sectors * s->sector_size; uint64_t offset = sector * (uint64_t)s->sector_size; return tap_aio_read(&prv->aio, prv->fd, size, offset, buf, cb, id, sector, private); } static int tdaio_queue_write(struct disk_driver *dd, uint64_t sector, int nb_sectors, char *buf, td_callback_t cb, int id, void *private) { struct td_state *s = dd->td_state; struct tdaio_state *prv = (struct tdaio_state *)dd->private; int size = nb_sectors * s->sector_size; uint64_t offset = sector * (uint64_t)s->sector_size; return tap_aio_write(&prv->aio, prv->fd, size, offset, buf, cb, id, sector, private); } static int tdaio_submit(struct disk_driver *dd) { struct tdaio_state *prv = (struct tdaio_state *)dd->private; return tap_aio_submit(&prv->aio); } static int tdaio_close(struct disk_driver *dd) { struct tdaio_state *prv = (struct tdaio_state *)dd->private; io_destroy(prv->aio.aio_ctx.aio_ctx); close(prv->fd); return 0; } static int tdaio_do_callbacks(struct disk_driver *dd, int sid) { in
From 812a898b7622de90e98f103ff7fed0984e4548e4 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Wed, 3 Jul 2019 01:28:11 +0200
Subject: [PATCH] Accept as many selectors as the file format allows.

But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS.

The theoretical maximum number of selectors depends on the maximum
blocksize (900000 bytes) and the number of symbols (50) that can be
encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002.

But the bzip2 file format allows the number of selectors to be encoded
with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in
14 bits). So the file format maximum is 32767 selectors.

Some bzip2 encoders might actually have written out more selectors
than the theoretical maximum because they rounded up the number of
selectors to some convenient factor of 8.

The extra 14766 selectors can never be validly used by the decompression
algorithm. So we can read them, but then discard them.

This is effectively what was done (by accident) before we added a
check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate
CVE-2019-12900.

The extra selectors were written out after the array inside the
EState struct. But the struct has extra space allocated after the
selector arrays of 18060 bytes (which is larger than 14766).
All of which will be initialized later (so the overwrite of that
space with extra selector values would have been harmless).
---
 compress.c   |  2 +-
 decompress.c | 10 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

--- a/compress.c
+++ b/compress.c
@@ -454,7 +454,7 @@ void sendMTFValues ( EState* s )

    AssertH( nGroups < 8, 3002 );
    AssertH( nSelectors < 32768 &&
-            nSelectors <= (2 + (900000 / BZ_G_SIZE)),
+            nSelectors <= BZ_MAX_SELECTORS,
             3003 );


--- a/decompress.c
+++ b/decompress.c
@@ -296,8 +296,14 @@ Int32 BZ2_decompress ( DState* s )
             j++;
             if (j >= nGroups) RETURN(BZ_DATA_ERROR);
          }
-         s->selectorMtf[i] = j;
+         /* Having more than BZ_MAX_SELECTORS doesn't make much sense
+            since they will never be used, but some implementations might
+            "round up" the number of selectors, so just ignore those. */
+         if (i < BZ_MAX_SELECTORS)
+           s->selectorMtf[i] = j;
       }
+      if (nSelectors > BZ_MAX_SELECTORS)
+        nSelectors = BZ_MAX_SELECTORS;

       /*--- Undo the MTF values for the selectors. ---*/
       {
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-30 01:39:33 +0000