...
- 3.1.9 DWA read issue
- There was a Slack discussion regarding broken DWA file read introduced in 3.1.9 by PR #1439. Nick has a fix that works, shared on the channel.
- Larry: are we convinced that is the right solution?
- Nick: I didn’t exhaustively check each comparison, just changed all of them and now I can load the files. But hoping someone who wrote the code might have an opinion as to whether the change is legitimate. Planning to submit a PR soon.
- Comparison to catch overrun in the fuzzing. It solves the CVE by preventing writing over the end of the buffer. Think it is fine but it highlights that we might need more checking on the DW compressed files in general. Unit test didn’t catch that we couldn’t open those files. S
- Larry: spuriously failing by thinking it was corrupt. But difficult to tell that deep in the code whether it was correct.
- Peter: 2 buffers it was checking. At end of both it’s ok but if not at the end of both, file is not ok. Maybe change it put in PR and have Kimball review then re-fuzz it.
- Larry: reveals gap in our testing policy.
- Peter: may have worked with some DWA compressed files and not others.
- Nick: may be rare but the file Larry shared triggered it.
- Peter: test suite tests the compression work but not with a real file.
- Nick: we have 6 images but one per settings permutation. Not sufficient. Not sure if it’s adequate to just generate more compressed images.
- Cary: fuzzing is more realistic approach.
...