app-arch/bzip2: check for nselector's upperbound #11503

Closed
gigilibala2 wants to merge 1 commit into gentoo:master from gigilibala2:master

@gigilibala2
Contributor

In the bzip2 decompressor, the upper bound of nselectors has not been
checked, and hence a bad payload can cause a segfault. This patch adds
the required upper-bound check.

@gentoo-bot

Copyright policy change

Please note that on 2018-09-15 Trustees have approved new Gentoo copyright policy. All contributions made to Gentoo need to follow this policy. If you include the Signed-off-by line in your commit message, you indicate that you have read the policy and agree to its terms. For more detailed explanation, please see the new Gentoo copyright policy explained article.

Pull Request assignment

Submitter: @gigilibala2
Areas affected: ebuilds
Packages affected: app-arch/bzip2

app-arch/bzip2: @gentoo/base-system

Linked bugs

No bugs to link found. If your pull request references any of the Gentoo bug reports, please add appropriate GLEP 66 tags to the commit message and request reassignment.

If you do not receive any reply to this pull request, please open or link a bug to attract the attention of maintainers.

Missing GCO sign-off

Please read the terms of Gentoo Certificate of Origin and acknowledge them by adding a sign-off to all your commits.


In order to force reassignment and/or bug reference scan, please append [please reassign] to the pull request title.

Docs: Code of Conduct ● Copyright policy (expl.) ● Devmanual ● GitHub PRs ● Proxy-maint guide

@gentoo-bot added the labels assigned (PR successfully assigned to the package maintainer(s).), no bug found (No Bug/Closes found in the commits.) and no signoff (One or more commits do not indicate GCO sign-off.) on Mar 25, 2019

In bzip2 decompressor, the upper bound of nselectors have not been
checked and hence a bad payload can cause a segfault. This patch adds
that required upperbound check.

Signed-off-by: Amin Hassani <ahassani@chromium.org>

@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2019-04-25 16:39 UTC
Newest commit scanned: 5762fca
Status: ✅ good

Issues already there before the PR (double-check them):
https://qa-reports.gentoo.org/output/gentoo-ci/4610b8c/output.html#sys-apps/likwid

@bgilbert

bgilbert commented Jun 6, 2019

This is causing decompression failures on legitimate artifacts:

bunzip2: Data integrity error when decompressing.

bunzip2 -tvv says:

[240: huff+mtf data integrity (CRC) error in data

@Whissi
Contributor

Whissi commented Jun 6, 2019

We are only aware of problems with archives created using lbzip2, see bug https://bugs.gentoo.org/686660. The problem was fixed. Of course, already created archives using an affected lbzip2 version which exceeded selectors will never work again. There's nothing we can do about it and we will not drop this patch (in the meantime, new bzip2 upstream has merged a similar fix, see https://gitlab.com/federicomenaquintero/bzip2/commit/15c918f1de00588321c857a10d0afdbaf96e4ce9 and https://www.openwall.com/lists/oss-security/2019/06/03/3).

If you found another program/lib creating invalid bzip2 archives, please share.

@bgilbert

bgilbert commented Jun 7, 2019

@Whissi Thanks for the explanation. You're right, the affected archives were created with lbzip2.
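
For triaging archives like the ones discussed in this thread, the following added example (not code from this PR, bzip2 or Gentoo) reads the 15-bit nSelectors field from the first block header of a .bz2 stream and applies the bound. The function names are hypothetical; the header layout and the 18002 limit (bzip2's BZ_MAX_SELECTORS) follow the bzip2 format, and only the first block is inspected.

```python
import bz2

BZ_MAX_SELECTORS = 2 + 900000 // 50   # 18002: bzip2's limit (BZ_G_SIZE is 50)
BLOCK_MAGIC = 0x314159265359          # 48-bit magic that opens every block

def read_bits(data, pos, n):
    """Read n bits, MSB first, from bit offset pos; return (value, new_pos)."""
    if pos + n > len(data) * 8:
        raise ValueError("truncated stream")
    v = 0
    for p in range(pos, pos + n):
        v = (v << 1) | ((data[p >> 3] >> (7 - (p & 7))) & 1)
    return v, pos + n

def first_block_nselectors(data):
    """Return the 15-bit nSelectors field of the first block in a .bz2 stream."""
    if len(data) < 4 or data[:3] != b"BZh" or not 0x31 <= data[3] <= 0x39:
        raise ValueError("not a bzip2 stream")
    magic, pos = read_bits(data, 32, 48)
    if magic != BLOCK_MAGIC:
        raise ValueError("no block header after stream header")
    pos += 32 + 1 + 24                      # block CRC, randomised flag, origPtr
    used16, pos = read_bits(data, pos, 16)  # which 16-symbol ranges are in use
    pos += 16 * bin(used16).count("1")      # one 16-bit map per range in use
    _ngroups, pos = read_bits(data, pos, 3)
    nselectors, pos = read_bits(data, pos, 15)
    return nselectors

def selectors_in_bounds(nselectors):
    """Upper-bound check as described in the PR, plus bzip2's lower bound of 1."""
    return 1 <= nselectors <= BZ_MAX_SELECTORS

def constructed_header(nselectors):
    """Constructed sample: a stream header and block header only, no payload."""
    fields = [(BLOCK_MAGIC, 48), (0, 32), (0, 1), (0, 24),
              (0x8000, 16), (0x8000, 16), (2, 3), (nselectors, 15)]
    bits = nbits = 0
    for value, width in fields:
        bits, nbits = (bits << width) | value, nbits + width
    pad = -nbits % 8
    return b"BZh9" + (bits << pad).to_bytes((nbits + pad) // 8, "big")

if __name__ == "__main__":
    real = bz2.compress(b"constructed sample text\n" * 2000)
    for name, blob in [("real", real), ("oversized", constructed_header(18003))]:
        n = first_block_nselectors(blob)
        print(name, n, "ok" if selectors_in_bounds(n) else "exceeds BZ_MAX_SELECTORS")
```

The field is 15 bits wide, so a header can declare up to 32767 selectors while the decoder's tables hold 18002; that gap is what the bound closes.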
