Release 1.22.1

Author: daviesrob

.cirrus.yml

@@ -76,7 +76,7 @@ gcc_task:
     - environment:
        USE_CONFIG: yes
        # ubsan is incompatible with some -Wformat opts so we do that on clang.
-       CFLAGS: -g -O3 -fsanitize=address,undefined -DHTS_ALLOW_UNALIGNED=0 -Wno-format-truncation -Wno-format-overflow
+       CFLAGS: -g -Og -fsanitize=address,undefined -DHTS_ALLOW_UNALIGNED=0 -Wno-format-truncation -Wno-format-overflow
        LDFLAGS: -fsanitize=address,undefined
        USE_LIBDEFLATE: yes
        UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1

NEWS

@@ -1,3 +1,46 @@
+Noteworthy changes in release 1.22.1 (14th July 2025)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Bug Fixes
+---------
+
+* SECURITY fix: Prevent CRAM byte_array decoder from overflowing its output
+  buffer.  This could be triggered by certain malformed CRAM inputs.
+  (PR #1934)
+
+* Two fixes for crashes reported when trying to save data with very long
+  alignment records with sequence '*' as CRAM 3.1:
+
+  - The htscodecs submodule is updated to v1.6.4.
+    This includes a fix to the rANS encoder to prevent it from failing on
+    these inputs.
+    (PR #1935.  Reported by Martin Pollard)
+
+  - Improved error handling in cram_compress_block2().  If the previously-chosen
+    CRAM compression method starts to fail, it will now try other methods
+    instead of giving up immediately.
+    (PR #1931.  Reported by Martin Pollard)
+
+
+* Fix warnings due to the wrong datatype being passed to curl_easy_setopt()
+  (PR #1925.  Thanks to John Marshall)
+
+* Prevent instances of `memcpy(out, NULL, 0)`, which is strictly undefined
+  behaviour.
+  (PR #1930.  Thanks to Ben Lawrence).
+
+Build Changes
+-------------
+
+* Fixed compilation against older glibc / macOS SDKs that incorrectly
+  suppressed some symbols if _XOPEN_SOURCE was defined.
+  (PR #1928.  Reported by John Marshall)
+
+* Fixed ref-cache configure check for libcurl, so that if libcurl is
+  not available, or turned off by `./configure --disable-libcurl`,
+  the `ref-cache` build will be automatically disabled as well.
+  (PR #1929, fixes #1926.  Reported by biounix)
+
 Noteworthy changes in release 1.22 (30th May 2025)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

annot-tsv.1

@@ -1,5 +1,5 @@
 '\" t
-.TH annot-tsv 1 "30 May 2025" "htslib-1.22" "Bioinformatics tools"
+.TH annot-tsv 1 "14 July 2025" "htslib-1.22.1" "Bioinformatics tools"
 .\"
 .\" Copyright (C) 2015, 2017-2018, 2023-2024 Genome Research Ltd.
 .\"

bgzip.1

@@ -1,4 +1,4 @@
-.TH bgzip 1 "30 May 2025" "htslib-1.22" "Bioinformatics tools"
+.TH bgzip 1 "14 July 2025" "htslib-1.22.1" "Bioinformatics tools"
 .SH NAME
 .PP
 bgzip \- Block compression/decompression utility

configure.ac

@@ -645,7 +645,7 @@ AS_IF([test "x$enable_ref_cache" != xno],
   [AS_CASE([$PLATFORM],
      [Darwin | default],[
         AS_IF([test "x$libcurl" = xenabled], [ref_cache="enabled"], [
-          AS_IF([test "x$enable_ref_cache" = check], [
+          AS_IF([test "x$enable_ref_cache" = xcheck], [
             AC_MSG_WARN([ref-cache not enabled: requires libcurl])
           ],[
             MSG_ERROR([ref-cache not enabled

cram/cram_codecs.c

@@ -3575,12 +3575,18 @@ static int cram_byte_array_stop_decode_char(cram_slice *slice, cram_codec *c,
 
     cp = (char *)b->data + b->idx;
     if (out) {
+       // memccpy equivalent but without copying the terminating byte
+        ssize_t term = MIN(*out_size, b->uncomp_size - b->idx);
         while ((ch = *cp) != (char)c->u.byte_array_stop.stop) {
-            if (cp - (char *)b->data >= b->uncomp_size)
-                return -1;
+            if (term-- < 0)
+                break;
             *out++ = ch;
             cp++;
         }
+
+        // Attempted overrun on input or output
+        if (ch != (char)c->u.byte_array_stop.stop)
+            return -1;
     } else {
         // Consume input, but produce no output
         while ((ch = *cp) != (char)c->u.byte_array_stop.stop) {

cram/cram_decode.c

@@ -1275,7 +1275,7 @@ static int cram_decode_seq(cram_fd *fd, cram_container *c, cram_slice *s,
 
         switch(op) {
         case 'S': { // soft clip: IN
-            int32_t out_sz2 = 1;
+            int32_t out_sz2 = cr->len ? cr->len-(pos-1) : 1;
             int have_sc = 0;
 
             if (cig_len) {
@@ -1431,7 +1431,7 @@ static int cram_decode_seq(cram_fd *fd, cram_container *c, cram_slice *s,
         }
 
         case 'I': { // Insertion (several bases); IN
-            int32_t out_sz2 = 1;
+            int32_t out_sz2 = cr->len ? cr->len-(pos-1) : 1;
 
             if (cig_len && cig_op != BAM_CINS) {
                 cigar[ncigar++] = (cig_len<<4) + cig_op;
@@ -1473,7 +1473,7 @@ static int cram_decode_seq(cram_fd *fd, cram_container *c, cram_slice *s,
         }
 
         case 'b': { // Several bases
-            int32_t len = 1;
+            int32_t len = cr->len ? cr->len-(pos-1) : 1;
 
             if (cig_len && cig_op != BAM_CMATCH) {
                 cigar[ncigar++] = (cig_len<<4) + cig_op;
@@ -1523,7 +1523,7 @@ static int cram_decode_seq(cram_fd *fd, cram_container *c, cram_slice *s,
         }
 
         case 'q': { // Several quality values
-            int32_t len = 1;
+            int32_t len = cr->len ? cr->len - (pos-1) : 1;
 
             if (cig_len && cig_op != BAM_CMATCH) {
                 cigar[ncigar++] = (cig_len<<4) + cig_op;
@@ -2298,9 +2298,13 @@ int cram_decode_slice(cram_fd *fd, cram_container *c, cram_slice *s,
     // However it's likely that this also saves memory as own growth
     // factor (*=1.5) is never applied.
     {
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+        int qsize=0, nsize=0, q_id=0;
+#else
         int qsize, nsize, q_id;
         cram_decode_estimate_sizes(c->comp_hdr, s, &qsize, &nsize, &q_id);
         //fprintf(stderr, "qsize=%d nsize=%d\n", qsize, nsize);
+#endif
 
         if (qsize && (ds & CRAM_RL)) BLOCK_RESIZE_EXACT(s->seqs_blk, qsize+1);
         if (qsize && (ds & CRAM_RL)) BLOCK_RESIZE_EXACT(s->qual_blk, qsize+1);
@@ -2639,7 +2643,7 @@ int cram_decode_slice(cram_fd *fd, cram_container *c, cram_slice *s,
         cr->name_len = 0;
 
         if (c->comp_hdr->read_names_included) {
-            int32_t out_sz2 = 1;
+            int32_t out_sz2 = 1; // block auto grows in decode()
 
             // Read directly into name cram_block
             cr->name = BLOCK_SIZE(s->name_blk);
@@ -2800,15 +2804,15 @@ int cram_decode_slice(cram_fd *fd, cram_container *c, cram_slice *s,
         /* Fake up dynamic string growth and appending */
         if (ds & CRAM_RL) {
             cr->seq = BLOCK_SIZE(s->seqs_blk);
-            BLOCK_GROW(s->seqs_blk, cr->len);
+            BLOCK_RESIZE(s->seqs_blk, cr->seq + cr->len);
             seq = (char *)BLOCK_END(s->seqs_blk);
             BLOCK_SIZE(s->seqs_blk) += cr->len;
 
             if (!seq)
                 goto block_err;
 
             cr->qual = BLOCK_SIZE(s->qual_blk);
-            BLOCK_GROW(s->qual_blk, cr->len);
+            BLOCK_RESIZE(s->qual_blk, cr->qual + cr->len);
             qual = (char *)BLOCK_END(s->qual_blk);
             BLOCK_SIZE(s->qual_blk) += cr->len;
 

cram/cram_io.c

@@ -1899,24 +1899,21 @@ static char *cram_compress_by_method(cram_slice *s, char *in, size_t in_size,
     return NULL;
 }
 
-
 /*
- * Compresses a block using one of two different zlib strategies. If we only
- * want one choice set strat2 to be -1.
- *
- * The logic here is that sometimes Z_RLE does a better job than Z_FILTERED
- * or Z_DEFAULT_STRATEGY on quality data. If so, we'd rather use it as it is
- * significantly faster.
- *
- * Method and level -1 implies defaults, as specified in cram_fd.
+ * A copy of cram_compress_block2 with added recursion detection.
+ * This is only called for error handling where the auto-tuning has failed.
+ * The simplest way of doing this is recusion + an additional argument, but
+ * we didn't want to complicate the existing code hence this is static.
  */
-int cram_compress_block2(cram_fd *fd, cram_slice *s,
-                         cram_block *b, cram_metrics *metrics,
-                         int method, int level) {
+static int cram_compress_block3(cram_fd *fd, cram_slice *s,
+                                cram_block *b, cram_metrics *metrics,
+                                int method, int level,
+                                int recurse) {
 
     if (!b)
         return 0;
 
+    int orig_method = method;
     char *comp = NULL;
     size_t comp_size = 0;
     int strat;
@@ -2249,8 +2246,23 @@ int cram_compress_block2(cram_fd *fd, cram_slice *s,
                                            b->content_id, &comp_size, method,
                                            method == GZIP_1 ? 1 : level,
                                            strat);
-            if (!comp)
+            if (!comp) {
+                // Our cached best method failed, but maybe another works?
+                // Rerun with trial mode engaged again.
+                if (!recurse) {
+                    hts_log_warning("Compressed block ID %d method %s failed, "
+                                    "redoing trial", b->content_id,
+                                    cram_block_method2str(method));
+                    pthread_mutex_lock(&fd->metrics_lock);
+                    metrics->trial = NTRIALS;
+                    metrics->next_trial = TRIAL_SPAN;
+                    metrics->revised_method = orig_method;
+                    pthread_mutex_unlock(&fd->metrics_lock);
+                    return cram_compress_block3(fd, s, b, metrics, method,
+                                                level, 1);
+                }
                 return -1;
+            }
 
             if (comp_size < b->uncomp_size) {
                 free(b->data);
@@ -2290,6 +2302,19 @@ int cram_compress_block2(cram_fd *fd, cram_slice *s,
 
     return 0;
 }
+
+/*
+ * Compresses a block using a selection of compression codecs and options.
+ * The best is learnt and used for subsequent slices, periodically resampling.
+ *
+ * Method and level -1 implies defaults, as specified in cram_fd.
+ */
+int cram_compress_block2(cram_fd *fd, cram_slice *s,
+                         cram_block *b, cram_metrics *metrics,
+                         int method, int level) {
+    return cram_compress_block3(fd, s, b, metrics, method, level, 0);
+}
+
 int cram_compress_block(cram_fd *fd, cram_block *b, cram_metrics *metrics,
                         int method, int level) {
     return cram_compress_block2(fd, NULL, b, metrics, method, level);

cram/cram_io.h

@@ -227,6 +227,12 @@ static inline int block_resize(cram_block *b, size_t len) {
     if (b->alloc > len)
         return 0;
 
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    // Removal of extra padding causes many more reallocs, but detects
+    // more buffer overruns.
+    return block_resize_exact(b, len?len:1);
+#endif
+
     size_t alloc = b->alloc+800;
     alloc = MAX(alloc + (alloc>>2), len);
     return block_resize_exact(b, alloc);

hfile_libcurl.c

@@ -1222,7 +1222,8 @@ libcurl_open(const char *url, const char *modes, http_headers *headers)
 
     // Avoid many repeated CWD calls with FTP, instead requesting the filename
     // by full path (but not strictly compliant with RFC1738).
-    err |= curl_easy_setopt(fp->easy, CURLOPT_FTP_FILEMETHOD, CURLFTPMETHOD_NOCWD);
+    err |= curl_easy_setopt(fp->easy, CURLOPT_FTP_FILEMETHOD,
+                            (long) CURLFTPMETHOD_NOCWD);
 
     if (mode == 'r') {
         err |= curl_easy_setopt(fp->easy, CURLOPT_WRITEFUNCTION, recv_callback);