Release 1.23.1

Author: daviesrob

Makefile

@@ -757,8 +757,8 @@ test/test_kfunc: test/test_kfunc.o libhts.a
 test/test_khash: test/test_khash.o libhts.a
 	$(CC) $(LDFLAGS) -o $@ test/test_khash.o libhts.a $(LIBS) -lpthread
 
-test/test_kstring: test/test_kstring.o libhts.a
-	$(CC) $(LDFLAGS) -o $@ test/test_kstring.o libhts.a $(LIBS) -lpthread
+test/test_kstring: test/test_kstring.o
+	$(CC) $(LDFLAGS) -o $@ test/test_kstring.o -lm
 
 test/test_mod: test/test_mod.o libhts.a
 	$(CC) $(LDFLAGS) -o $@ test/test_mod.o libhts.a $(LIBS) -lpthread
@@ -867,7 +867,7 @@ test/test_bgzf.o: test/test_bgzf.c config.h $(htslib_bgzf_h) $(htslib_hfile_h) $
 test/test_expr.o: test/test_expr.c config.h $(htslib_hts_expr_h)
 test/test_kfunc.o: test/test_kfunc.c config.h $(htslib_kfunc_h)
 test/test_khash.o: test/test_khash.c config.h $(htslib_khash_h) $(htslib_kroundup_h)
-test/test_kstring.o: test/test_kstring.c config.h $(htslib_kstring_h)
+test/test_kstring.o: test/test_kstring.c config.h $(htslib_kstring_h) kstring.c
 test/test_mod.o: test/test_mod.c config.h $(htslib_sam_h)
 test/test_nibbles.o: test/test_nibbles.c config.h $(htslib_sam_h) $(sam_internal_h)
 test/test-parse-reg.o: test/test-parse-reg.c config.h $(htslib_hts_h) $(htslib_sam_h)

NEWS

@@ -1,3 +1,51 @@
+Noteworthy changes in release 1.23.1 (18th March 2026)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Bug fixes
+---------
+
+* Fix a number of bugs in the CRAM decoder which could result in undefined
+  behaviour on invalid inputs (PR #1981, PR #1991):
+
+  - Not checking the amount of byte array len data returned matched the amount
+    expected. (CVE-2026-31971)
+  - Incorrect check for the length of byte array stop data. (CVE-2026-31969)
+  - Invalid use of the varint and const codecs. (CVE-2026-31968)
+  - Missing check for a valid reference ID. (CVE-2026-31965)
+  - Missing check for a valid mate reference ID. (CVE-2026-31967)
+  - Incomplete validation of CRAM feature locations.
+    (CVE-2026-31965, CVE-2026-31966)
+  - Bugs due to improper handling of records where no sequence or quality
+    values were stored (CVE-2026-31962, CVE-2026-31964)
+
+* Reject GZI indexes with impossibly-large item counts. (CVE-2026-31970)
+  (PR #1978.  Reported by Harrison Green)
+
+* Prevent the wrong item count from being written to GZI indexes of
+  empty files.
+  (PR #1988.  Reported by Matthieu Muffato)
+
+* Fix invalid behaviour if kmemmem(), kstrstr() or kstrnstr() were
+  called with a zero-length pattern, or if kstrstr() was given a very
+  long input.  Also ensure they can never fail by supplying a fallback
+  algorithm that does not allocate any memory.
+  (PR #1980.  Reported by Harrison Green)
+
+* Prevent redundant copies of hash keys in string pools.
+  (PR #1982)
+
+* Fix regressions in the S3 plugin which caused uploads to fail.
+  (PR #1984)
+
+* Disallow attempts to set the thread pool attached to an htsFile twice.
+  (PR #1985)
+
+Build Changes
+-------------
+
+* The htscodecs submodule is updated to v1.6.6.
+  (PR #1989)
+
 Noteworthy changes in release 1.23 (16th December 2025)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

annot-tsv.1

@@ -1,5 +1,5 @@
 '\" t
-.TH annot-tsv 1 "16 December 2025" "htslib-1.23" "Bioinformatics tools"
+.TH annot-tsv 1 "18 March 2026" "htslib-1.23.1" "Bioinformatics tools"
 .\"
 .\" Copyright (C) 2015, 2017-2018, 2023-2024 Genome Research Ltd.
 .\"

bgzf.c

@@ -1741,6 +1741,8 @@ int bgzf_thread_pool(BGZF *fp, hts_tpool *pool, int qsize) {
     // No gain from multi-threading when not compressed
     if (!fp->is_compressed)
         return 0;
+    if (fp->mt)
+        return -2;  //already exists!
 
     mtaux_t *mt;
     mt = (mtaux_t*)calloc(1, sizeof(mtaux_t));
@@ -1789,9 +1791,10 @@ int bgzf_mt(BGZF *fp, int n_threads, int n_sub_blks)
     if (!p)
         return -1;
 
-    if (bgzf_thread_pool(fp, p, 0) != 0) {
+    int ret = 0;
+    if ((ret = bgzf_thread_pool(fp, p, 0)) < 0) {
         hts_tpool_destroy(p);
-        return -1;
+        return ret;
     }
 
     fp->mt->own_pool = 1;
@@ -2396,10 +2399,11 @@ int bgzf_index_dump_hfile(BGZF *fp, struct hFILE *idx, const char *name)
     if (bgzf_flush(fp) != 0) return -1;
 
     // discard the entry marking the end of the file
-    if (fp->mt && fp->idx)
+    if (fp->mt && fp->idx && fp->idx->noffs > 0)
         fp->idx->noffs--;
 
-    if (hwrite_uint64(fp->idx->noffs - 1, idx) < 0) goto fail;
+    if (hwrite_uint64(fp->idx->noffs > 0 ? fp->idx->noffs - 1 : 0, idx) < 0)
+        goto fail;
     for (i=1; i<fp->idx->noffs; i++)
     {
         if (hwrite_uint64(fp->idx->offs[i].caddr, idx) < 0) goto fail;
@@ -2471,6 +2475,9 @@ int bgzf_index_load_hfile(BGZF *fp, struct hFILE *idx, const char *name)
     if (fp->idx == NULL) goto fail;
     uint64_t x;
     if (hread_uint64(&x, idx) < 0) goto fail;
+    if (x >= ((SIZE_MAX < UINT64_MAX ? SIZE_MAX : UINT64_MAX)
+              / sizeof(bgzidx1_t) / 2))
+        goto fail;
 
     fp->idx->noffs = fp->idx->moffs = x + 1;
     fp->idx->offs  = (bgzidx1_t*) malloc(fp->idx->moffs*sizeof(bgzidx1_t));

bgzip.1

@@ -1,4 +1,4 @@
-.TH bgzip 1 "16 December 2025" "htslib-1.23" "Bioinformatics tools"
+.TH bgzip 1 "18 March 2026" "htslib-1.23.1" "Bioinformatics tools"
 .SH NAME
 .PP
 bgzip \- Block compression/decompression utility

cram/cram_codecs.c

@@ -1,5 +1,5 @@
 /*
-Copyright (c) 2012-2021,2023, 2025 Genome Research Ltd.
+Copyright (c) 2012-2021,2023, 2025, 2026 Genome Research Ltd.
 Author: James Bonfield <jkb@sanger.ac.uk>
 
 Redistribution and use in source and binary forms, with or without
@@ -776,17 +776,23 @@ cram_codec *cram_varint_decode_init(cram_block_compression_hdr *hdr,
     // does not change.
     switch(codec) {
     case E_VARINT_UNSIGNED:
-        c->decode = (option == E_INT)
-            ? cram_varint_decode_int
-            : cram_varint_decode_long;
+        if (option == E_INT || option == E_SINT)
+            c->decode = cram_varint_decode_int;
+        else if (option == E_LONG || option == E_SLONG)
+            c->decode = cram_varint_decode_long;
+        else
+            goto malformed;
         break;
     case E_VARINT_SIGNED:
-        c->decode = (option == E_INT)
-            ? cram_varint_decode_sint
-            : cram_varint_decode_slong;
+        if (option == E_INT || option == E_SINT)
+            c->decode = cram_varint_decode_sint;
+        else if (option == E_LONG || option == E_SLONG)
+            c->decode = cram_varint_decode_slong;
+        else
+            goto malformed;
         break;
     default:
-        return NULL;
+        goto malformed;
     }
 
     c->free   = cram_varint_decode_free;
@@ -798,14 +804,17 @@ cram_codec *cram_varint_decode_init(cram_block_compression_hdr *hdr,
     c->u.varint.offset     = vv->varint_get64s(&cp, cp_end, NULL);
 
     if (cp - data != size) {
-        fprintf(stderr, "Malformed varint header stream\n");
-        free(c);
-        return NULL;
+        goto malformed;
     }
 
     c->u.varint.type = option;
 
     return c;
+
+ malformed:
+    hts_log_error("Malformed varint header stream");
+    free(c);
+    return NULL;
 }
 
 int cram_varint_encode_int(cram_slice *slice, cram_codec *c,
@@ -924,6 +933,9 @@ int cram_const_decode_byte(cram_slice *slice, cram_codec *c,
                            cram_block *in, char *out, int *out_size) {
     int i, n;
 
+    if (!out)
+        return 0;
+
     for (i = 0, n = *out_size; i < n; i++)
         out[i] = c->u.xconst.val;
 
@@ -978,12 +990,17 @@ cram_codec *cram_const_decode_init(cram_block_compression_hdr *hdr,
         return NULL;
 
     c->codec  = codec;
-    if (codec == E_CONST_BYTE)
+    if (codec == E_CONST_BYTE && option == E_BYTE)
         c->decode = cram_const_decode_byte;
-    else if (option == E_INT)
+    else if (codec == E_CONST_INT && (option == E_INT || option == E_SINT))
         c->decode = cram_const_decode_int;
-    else
+    else if (codec == E_CONST_INT && (option == E_LONG || option == E_SLONG))
         c->decode = cram_const_decode_long;
+    else {
+        hts_log_error("Malformed const header stream");
+        free(c);
+        return NULL;
+    }
     c->free   = cram_const_decode_free;
     c->size   = cram_const_decode_size;
     c->get_block = NULL;
@@ -1404,7 +1421,7 @@ int cram_xpack_decode_char(cram_slice *slice, cram_codec *c, cram_block *in, cha
         if (out)
             memcpy(out, b->data + b->byte, *out_size);
         b->byte += *out_size;
-    } else {
+    } else if (out) {
         memset(out, c->u.xpack.rmap[0], *out_size);
     }
 
@@ -2111,7 +2128,8 @@ int cram_xrle_decode_char(cram_slice *slice, cram_codec *c, cram_block *in, char
     cram_xrle_decode_expand_char(slice, c);
     cram_block *b = slice->block_by_id[512 + c->codec_id];
 
-    memcpy(out, b->data + b->idx, n);
+    if (out)
+        memcpy(out, b->data + b->idx, n);
     b->idx += n;
     return 0;
 
@@ -3357,14 +3375,19 @@ int cram_byte_array_len_decode(cram_slice *slice, cram_codec *c,
     int32_t len = 0, one = 1;
     int r;
 
-    r = c->u.byte_array_len.len_codec->decode(slice, c->u.byte_array_len.len_codec,
-                                              in, (char *)&len, &one);
-    //printf("ByteArray Len=%d\n", len);
+    cram_codec *len_codec = c->u.byte_array_len.len_codec;
+    cram_codec *val_codec = c->u.byte_array_len.val_codec;
 
-    if (!r && c->u.byte_array_len.val_codec && len >= 0) {
-        r = c->u.byte_array_len.val_codec->decode(slice,
-                                                  c->u.byte_array_len.val_codec,
-                                                  in, out, &len);
+    r = len_codec->decode(slice, len_codec, in, (char *)&len, &one);
+    if (len < 0 || (len > *out_size &&
+                    !(val_codec->codec == E_EXTERNAL &&
+                      val_codec->u.external.type == E_BYTE_ARRAY_BLOCK))) {
+        fprintf(stderr, "Error: overflow in cram_byte_array_len_decode.\n");
+        return -1;
+    }
+
+    if (!r && val_codec) {
+        r = val_codec->decode(slice, val_codec, in, out, &len);
     } else {
         return -1;
     }
@@ -3563,7 +3586,7 @@ cram_codec *cram_byte_array_len_encode_init(cram_stats *st,
 static int cram_byte_array_stop_decode_char(cram_slice *slice, cram_codec *c,
                                             cram_block *in, char *out,
                                             int *out_size) {
-    char *cp, ch;
+    uint8_t *cp;
     cram_block *b = NULL;
 
     b = cram_get_block_by_id(slice, c->u.byte_array_stop.content_id);
@@ -3573,31 +3596,29 @@ static int cram_byte_array_stop_decode_char(cram_slice *slice, cram_codec *c,
     if (b->idx >= b->uncomp_size)
         return -1;
 
-    cp = (char *)b->data + b->idx;
+    ssize_t term = b->uncomp_size - b->idx;
+    cp = b->data + b->idx;
     if (out) {
        // memccpy equivalent but without copying the terminating byte
-        ssize_t term = MIN(*out_size, b->uncomp_size - b->idx);
-        while ((ch = *cp) != (char)c->u.byte_array_stop.stop) {
-            if (term-- < 0)
-                break;
-            *out++ = ch;
-            cp++;
+        if (term > *out_size)
+            term = *out_size;
+        while (--term >= 0 && *cp != c->u.byte_array_stop.stop) {
+            *out++ = *cp++;
         }
 
-        // Attempted overrun on input or output
-        if (ch != (char)c->u.byte_array_stop.stop)
-            return -1;
     } else {
         // Consume input, but produce no output
-        while ((ch = *cp) != (char)c->u.byte_array_stop.stop) {
-            if (cp - (char *)b->data >= b->uncomp_size)
-                return -1;
+        while (--term >= 0 && *cp != c->u.byte_array_stop.stop) {
             cp++;
         }
     }
 
-    *out_size = cp - (char *)(b->data + b->idx);
-    b->idx = cp - (char *)b->data + 1;
+    // Attempted overrun on input or output
+    if (cp >= b->data + b->uncomp_size || *cp != c->u.byte_array_stop.stop)
+        return -1;
+
+    *out_size = cp - (b->data + b->idx);
+    b->idx = cp - b->data + 1;
 
     return 0;
 }