Hi Salvatore, On Sun, 2019-06-30 at 19:28 +0200, Salvatore Bonaccorso wrote: > Testing and feedback appreciated. > > it is not very helpfull I think, because I do not have a good testing > corpus. What I did is to apply the patch on top of our current > 1.0.6-9.1 (which has the issue after fixing CVE-2019-12900), and > tested it with the problematic file from > https://developer.nvidia.com/embedded/dlc/l4t-jetson-xavier-driver-package-31-1-0 > . > > But apart from that I do not have at them moment better feedback :(
That is already great feedback thanks. But you are right that it would be good to have a better testing corpus. It isn't much, but I have setup an initial bzip2 test suite: https://sourceware.org/git/?p=bzip2-tests.git;a=summary It is a little bare bones right now, but the README will hopefully help to see how to run it on some other collection of .bz2 files. It does already contain a testcase that still fails with the proposed patch. It is a really odd corner case, but since we accepted it in the past, we should really make sure it works in the future too. I'll discuss an alternative patch upstream. Cheers, Mark
