Lasse Collin [Mon, 7 Apr 2025 19:36:58 +0000 (22:36 +0300)]
liblzma: Disable CLMUL CRC on old MSVC targeting 32-bit x86
On GitHub runners, VS 2019 16.11 (MSVC 19.29.30158) results in
test failures. VS 2022 17.13 (MSVC 19.43.34808) works.
In xz 5.6.x there was a #pragma-based workaround for MSVC builds for
32-bit x86. Another method was thought to work with the new rewritten
CLMUL CRC. Apparently it doesn't. Keep it simple and disable CLMUL CRC
with any non-recent MSVC when building for 32-bit x86.
Fixes: 54eaea5ea49b ("liblzma: x86 CLMUL CRC: Rewrite") Fixes: https://github.com/tukaani-project/xz/issues/171 Reported-by: Andrew Murray
Lasse Collin [Thu, 3 Apr 2025 11:34:43 +0000 (14:34 +0300)]
Tests: Call lzma_code() in smaller chunks in fuzz_common.h
This makes it easy to crash fuzz_decode_stream_mt when tested
against the code from 5.8.0.
Obviously this might make it harder to reach some other code path now.
The previous code has been in use since 2018 when fuzzing was added
in 106d1a663d4b ("Tests: Add a fuzz test program and a config file
for OSS-Fuzz.").
Lasse Collin [Thu, 3 Apr 2025 11:34:43 +0000 (14:34 +0300)]
Tests: Add a fuzzing target for the multithreaded .xz decoder
It doesn't seem possible to trigger the CVE-2025-31115 bug with this
fuzzing target at the moment. It's because the code in fuzz_common.h
passes the whole input buffer to lzma_code() at once.
Lasse Collin [Thu, 3 Apr 2025 11:34:42 +0000 (14:34 +0300)]
liblzma: mt dec: Fix lack of parallelization in single-shot decoding
Single-shot decoding means calling lzma_code() by giving it the whole
input at once and enough output buffer space to store the uncompressed
data, and combining this with LZMA_FINISH and no timeout
(lzma_mt.timeout = 0). This way the file is decoded with a single
lzma_code() call if possible.
The bug prevented the decoder from starting more than one worker thread
in single-shot mode. The issue was noticed when reviewing the code;
there are no bug reports. Thus maybe few have tried this mode.
Fixes: 64b6d496dc81 ("liblzma: Threaded decoder: Always wait for output if LZMA_FINISH is used.")
Lasse Collin [Thu, 3 Apr 2025 11:34:42 +0000 (14:34 +0300)]
liblzma: mt dec: Don't modify thr->in_size in the worker thread
Don't set thr->in_size = 0 when returning the thread to the stack of
available threads. Not only is it useless, but the main thread may
read the value in SEQ_BLOCK_THR_RUN. With valid inputs, it made
no difference if the main thread saw the original value or 0. With
invalid inputs (when worker thread stops early), thr->in_size was
no longer modified after the previous commit with the security fix
("Don't free the input buffer too early").
So while the bug appears harmless now, it's important to fix it because
the variable was being modified without proper locking. It's trivial
to fix because there is no need to change the value. Only main thread
needs to set the value in (in SEQ_BLOCK_THR_INIT) when starting a new
Block before the worker thread is activated.
Fixes: 4cce3e27f529 ("liblzma: Add threaded .xz decompressor.") Reviewed-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Thanks-to: Sam James <sam@gentoo.org>
Lasse Collin [Thu, 3 Apr 2025 11:34:42 +0000 (14:34 +0300)]
liblzma: mt dec: Don't free the input buffer too early (CVE-2025-31115)
The input buffer must be valid as long as the main thread is writing
to the worker-specific input buffer. Fix it by making the worker
thread not free the buffer on errors and not return the worker thread to
the pool. The input buffer will be freed when threads_end() is called.
With invalid input, the bug could at least result in a crash. The
effects include heap use after free and writing to an address based
on the null pointer plus an offset.
The bug has been there since the first committed version of the threaded
decoder and thus affects versions from 5.3.3alpha to 5.8.0.
As the commit message in 4cce3e27f529 says, I had made significant
changes on top of Sebastian's patch. This bug was indeed introduced
by my changes; it wasn't in Sebastian's version.
Thanks to Harri K. Koskinen for discovering and reporting this issue.
Fixes: 4cce3e27f529 ("liblzma: Add threaded .xz decompressor.") Reported-by: Harri K. Koskinen <x64nop@nannu.org> Reviewed-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Thanks-to: Sam James <sam@gentoo.org>
Lasse Collin [Thu, 3 Apr 2025 11:34:42 +0000 (14:34 +0300)]
liblzma: mt dec: Simplify by removing the THR_STOP state
The main thread can directly set THR_IDLE in threads_stop() which is
called when errors are detected. threads_stop() won't return the stopped
threads to the pool or free the memory pointed by thr->in anymore, but
it doesn't matter because the existing workers won't be reused after
an error. The resources will be cleaned up when threads_end() is
called (reinitializing the decoder always calls threads_end()).
Reviewed-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Thanks-to: Sam James <sam@gentoo.org>
Lasse Collin [Sat, 29 Mar 2025 10:41:32 +0000 (12:41 +0200)]
sysdefs.h: Avoid <stdalign.h> even with C11 compilers
Oracle Developer Studio 12.6 on Solaris 10 claims C11 support in
__STDC_VERSION__ and supports _Alignas. However, <stdalign.h> is missing.
We only need alignas, so define it to _Alignas with C11/C17 compilers.
If something included <stdalign.h> later, it shouldn't cause problems.
Thanks to Ihsan Dogan for reporting the issue and testing the fix.
Lasse Collin [Tue, 25 Mar 2025 13:18:31 +0000 (15:18 +0200)]
Translations: Run "make -C po update-po"
POT-Creation-Date is set to match the timestamp in 5.7.2beta which
in the Translation Project is known as 5.8.0-pre1. The strings
haven't changed since 5.7.1alpha but a few comments have.
This is a very noisy commit, but this helps keeping the PO files
similar between the Git repository and stable release tarballs.
Lasse Collin [Tue, 25 Mar 2025 13:18:31 +0000 (15:18 +0200)]
Translations: Partially fix overtranslation in Serbian man pages
Names of environment variables and some other strings must be present
in the original form. The translator couldn't be reached so I'm
changing some of the strings myself. In the "Robot mode" section,
occurrences in the middle of sentences weren't changed to reduce
the chance of grammar breakage, but I kept the translated strings in
parenthesis in the headings. It's not ideal, but now people shouldn't
need to look at the English man page to find the English strings.
Lasse Collin [Tue, 25 Mar 2025 13:18:31 +0000 (15:18 +0200)]
liblzma: Use SSE2 intrinsics instead of memcpy() in dict_repeat()
SSE2 is supported on every x86-64 processor. The SSE2 code is used on
32-bit x86 if compiler options permit unconditional use of SSE2.
dict_repeat() copies short random-sized unaligned buffers. At least
on glibc, FreeBSD, and Windows (MSYS2, UCRT, MSVCRT), memcpy() is
clearly faster than byte-by-byte copying in this use case. Compared
to the memcpy() version, the new SSE2 version reduces decompression
time by 0-5 % depending on the machine and libc. It should never be
slower than the memcpy() version.
However, on musl 1.2.5 on x86-64, the memcpy() version is the slowest.
Compared to the memcpy() version:
- The byte-by-version takes 6-7 % less time to decompress.
- The SSE2 version takes 16-18 % less time to decompress.
The numbers are from decompressing a Linux kernel source tarball in
single-threaded mode on older AMD and Intel systems. The tarball
compresses well, and thus dict_repeat() performance matters more
than with some other files.
Lasse Collin [Tue, 25 Mar 2025 13:18:31 +0000 (15:18 +0200)]
liblzma: Add "restrict" to a few functions in lz_decoder.h
This doesn't make any difference in practice because compilers can
already see that writing through the dict->buf pointer cannot modify
the contents of *dict itself: The LZMA decoder makes a local copy of
the lzma_dict structure, and even if it didn't, the pointer to
lzma_dict in the LZMA decoder is already "restrict".
It's nice to add "restrict" anyway. uint8_t is typically unsigned char
which can alias anything. Without the above conditions or "restrict",
compilers could need to assume that writing through dict->buf might
modify *dict. This would matter in dict_repeat() because the loops
refer to dict->buf and dict->pos instead of making local copies of
those members for the duration of the loops. If compilers had to
assume that writing through dict->buf can affect *dict, then compilers
would need to emit code that reloads dict->buf and dict->pos after
every write through dict->buf.
Lasse Collin [Mon, 10 Mar 2025 11:13:30 +0000 (13:13 +0200)]
CMake: Fix tuklib_use_system_extensions
Revert back to a macro so that list(APPEND CMAKE_REQUIRED_DEFINITIONS)
will affect the calling scope. I had forgotten that while CMake
functions inherit the variables from the parent scope, the changes
to them are local unless using set(... PARENT_SCOPE).
This also means that the commit message in 5bb77d0920dc is wrong. The
commit itself is still fine, making it clearer that -DHAVE_SYS_PARAM_H
is only needed for specific check_c_source_compiles() calls.
Lasse Collin [Sun, 9 Mar 2025 12:06:35 +0000 (14:06 +0200)]
CMake: Revise tuklib_use_system_extensions
Define NetBSD and Darwin/macOS feature test macros. Autoconf defines
these too (and a few others).
Define the macros on Windows except with MSVC. The _GNU_SOURCE macro
makes a difference with mingw-w64.
Use a function instead of a macro. Don't take the TARGET_OR_ALL argument
because there's always global effect because the global variable
CMAKE_REQUIRED_DEFINITIONS is modified.
Lasse Collin [Thu, 6 Mar 2025 15:37:39 +0000 (17:37 +0200)]
Docs: Add a few TRANSLATORS comments to man pages
All translators know that --command-line-options must not be translated.
With some other strings it's not obvious when the untranslated string
must be preserved. These comments hopefully help.
Lasse Collin [Thu, 6 Mar 2025 14:34:32 +0000 (16:34 +0200)]
Scripts: Mark the LZMA Utils script aliases as deprecated
The deprecated aliases are lzcmp, lzdiff, lzless, lzmore,
lzgrep, lzegrep, and lzfgrep. The commands that start with
the xz prefix have identical behavior, for example, both
lzgrep and xzgrep handle all supported file formats.
This doesn't affect lzma, unlzma, lzcat, lzmadec, or lzmainfo.
The last release of LZMA Utils was made in 2008, but the lzma
compatibility alias for the gzip-like tool is still in common use.
Deprecating it would cause unnecessary breakage.
Lasse Collin [Mon, 17 Feb 2025 19:46:15 +0000 (21:46 +0200)]
Build: Fix out-of-tree builds when using the replacement getopt_long
Nowaways $(top_builddir)/lib/getopt.h depends on headers in
$(top_srcdir)/lib, so both have to be in the include path.
CMake-based build already did this.
Lasse Collin [Mon, 17 Feb 2025 16:11:58 +0000 (18:11 +0200)]
Build: Allow forcing the use of the replacement getopt_long
Now one can pass gl_replace_getopt=yes to configure to force the use
of GNU getopt_long from the lib directory. This only checks that the
value of gl_replace_getopt is non-empty, so one cannot force the
replacement to be disabled.
Lasse Collin [Mon, 3 Feb 2025 14:15:38 +0000 (16:15 +0200)]
Translations: Update Chinese (traditional) translation
Since there are no spaces between words, the unsophisticated automatic
word wrapping code needs some help. Compared to the version in the
Translation Project, I added a few \t characters which the word
wrapping code interprets as zero width spaces (hopefully they are
placed correctly). These edits can be seen with this command:
Lasse Collin [Sun, 2 Feb 2025 12:15:07 +0000 (14:15 +0200)]
Build: Update posix-shell.m4 from Gnulib
Tabs have been converted to spaces and a "serial" number has been
added. The previous version was from 2008/2009. There are no functional
changes since then but now it's clearer that the copy in XZ Utils
isn't outdated.
The new file was picked from the Gnulib commit 81a4c1e3b7692e95c0806d948cbab9148ad85ef2. A later commit adds
a warranty disclaimer to the license, which obviously is fine,
but I didn't find a SPDX license identifier for the new license,
so for simplicity I used the earlier commit.
Lasse Collin [Sun, 2 Feb 2025 10:51:03 +0000 (12:51 +0200)]
Build: Check for -fsanitize= also in $CC
People may put -fsanitize in CC instead of CFLAGS so check both.
Landlock sandbox isn't compatible with sanitizers so it's nice
to catch the incompatible options at configure time.
Don't attempt to do the same in CMakeLists.txt; the check for
CMAKE_C_FLAGS / CFLAGS shall be enough there. The extra flags from
the CC environment variable go into the undocumented internal variable
CMAKE_C_COMPILER_ARG1 (all flags from CC go into that same variable).
Peeking the internal variable merely for improved diagnostics isn't
worth it.
projects / thirdparty / xz.git / log
