Hey Mark! On Mon, Jul 01, 2019 at 12:33:06AM +0200, Mark Wielaard wrote: > Hi Salvatore, > > On Sun, 2019-06-30 at 19:28 +0200, Salvatore Bonaccorso wrote: > > Testing and feedback appreciated. > > > > it is not very helpfull I think, because I do not have a good testing > > corpus. What I did is to apply the patch on top of our current > > 1.0.6-9.1 (which has the issue after fixing CVE-2019-12900), and > > tested it with the problematic file from > > > https://developer.nvidia.com/embedded/dlc/l4t-jetson-xavier-driver-package-31-1-0 > > . > > > > But apart from that I do not have at them moment better feedback :( > > That is already great feedback thanks. > > But you are right that it would be good to have a better testing > corpus. It isn't much, but I have setup an initial bzip2 test suite: > https://sourceware.org/git/?p=bzip2-tests.git;a=summary > > It is a little bare bones right now, but the README will hopefully help > to see how to run it on some other collection of .bz2 files. > > It does already contain a testcase that still fails with the proposed > patch. It is a really odd corner case, but since we accepted it in the > past, we should really make sure it works in the future too. > > I'll discuss an alternative patch upstream.
Thanks. For context here in the bug, the alternative apporach patch is posted at https://sourceware.org/ml/bzip2-devel/2019-q2/msg00035.html . Regards, Salvatore
