libchdr v0.3.0

First formally tagged release. libchdr has been depended on by RetroArch, DuckStation, Flycast, SwanStation, ps3netsrv-go and others for years; this tag exists so Linux distros (Debian, Ubuntu, Arch, Fedora, OpenBSD, …) can ship a stable reference point instead of dated git20…+dfsg snapshots.

Highlights

Security hardening

v1/v2 header hunkbytes now computed in uint64_t; rejects malformed CHDs where the uint32 multiplication would wrap and drive an undersized hunk allocation.
metadata_find_entry traversal capped at 65536 entries; malformed CHDs with cyclic next-pointer chains no longer produce an unbounded seek+read loop.
totalhunks capped to file_size * 8; malformed headers can no longer trigger multi-GB malloc() in decompress_v5_map / map_read (found by the in-tree libFuzzer corpus).
chd_get_metadata fallback switched from sprintf to snprintf.
dr_flac updated to 0.13.3 — ships the fix for CVE-2025-14369 (integer overflow DoS).
Additional memory and overflow fixes via #132.

Portability

Builds cleanly under -std=c11 -Werror=implicit-function-declaration (strict libc with no GNU extensions) — closes #92.
32-bit Linux time64 rebuild works without out-of-tree patches — closes #117. fseeko64/ftello64 branch removed; LFS-aliased fseeko/ftello used everywhere glibc-like.
chd_read_header_core_file_callbacks now works for CHDv1–v3 — closes #146.

Capacity

CHD_MAX_FILE_SIZE bumped from 10 GB → 1 TB. Legitimate BD50 PS3 ISOs now open — closes #147.

Packaging

CMakeLists.txt project(chdr VERSION 0.3.0). SOVERSION = 0, so the installed SONAME is still libchdr.so.0 — Debian libchdr0 / Ubuntu packages do not rename.
pkg-config libchdr.pc now emits full MAJOR.MINOR.PATCH so downstreams can pin against patch releases.
Installed public header set restricted to include/libchdr/; exported symbol set restricted to chd_* via linker version script (ELF) / -exported_symbol _chd_* (macOS). Internal codec headers moved to src/ in #144.
cd_codec_decompress signature is now ABI-stable across WANT_SUBCODE configurations — consumers and library compiled with mismatched flags no longer silently corrupt the stack.
lzma_allocator embeds ISzAlloc properly per the LZMA SDK layout.
Bundled deps: miniz 3.1.1 (replaces zlib), lzma 25.01, zstd 1.5.7 single-file, dr_flac 0.13.3. WITH_SYSTEM_ZLIB and WITH_SYSTEM_ZSTD CMake options available for distros that prefer system libraries.
CMake options added: CHDR_WANT_RAW_DATA_SECTOR, CHDR_WANT_SUBCODE, CHDR_VERIFY_BLOCK_CRC, BUILD_FUZZER, BUILD_LTO.

Tooling

tests/corpus/ contains a generate.sh script that shells out to chdman to produce a tiny CHDv5 fuzz corpus covering all codecs — ~1.5 MiB total, gitignored.
tests/fuzz.c + -DBUILD_FUZZER=ON builds an ASan + libFuzzer binary for regression fuzzing.

ABI policy

SOVERSION = PROJECT_VERSION_MAJOR. Bumped only on ABI breaks. The v0.x series ships as libchdr.so.0; a future v1.0.0 would ship as libchdr.so.1. The public header set is restricted to include/libchdr/ and the public symbol set to chd_*.

Known limitations

AVHuff codec is not implemented (#69). CHDs produced with CHDCOMPRESSION_AV (CHDv1–v4) or the avhu codec tag (CHDv5) return CHDERR_UNSUPPORTED_FORMAT. Scope is laserdisc CHDs only (Dragon's Lair, Space Ace, Time Traveler, MAME/Daphne/Hypseus Singe). All other consumers (PS1, PS2, Saturn, Dreamcast, arcade HD, PS3) are unaffected.

Upgrade notes

No public API breaks vs pre-tag master.
Distros shipping libchdr0 keep the same SONAME; no package rename needed.
Debian/Ubuntu maintainers can drop out-of-tree patches for ftello64/time64 and strict-C11 builds — both are now fixed upstream.