New Features
- Add SHA-256 support
This means that if compiled in, SHA-256 packs can now be read and used.
Other
- reject truncated delta headers within their own data range
ClusterFuzz reported a panic in gix-pack's data_file fuzz target for testcase
clusterfuzz-testcase-minimized-gix-pack-data_file-6499869547364352. The
minimized pack could reach File::decode_entry() and panic while applying a
relocated delta instruction range with the slice error 'slice index starts at 11
but ends at 9'.

The first delta decoding pass stored all decompressed delta instructions
contiguously, but decoded each delta's base and result size headers from the
remaining combined instruction buffer. If a malformed delta header continued
past that delta's declared decompressed size, header parsing could consume
bytes from the following delta and produce an invalid instruction range for the
current delta.

Limit delta size-header parsing to the current delta's decompressed instruction
range so truncated malformed headers become delta corruption errors instead of
cross-delta ranges. Add the ClusterFuzz artifact and a regression that exercises
the same offsets as the data_file fuzz target.

It's notable that it doesn't reproduce when run in debug mode or with the test-suite,
but it does reproduce with the fuzzer, and it's fixed now (hence does not reproduce).
To keep the suite simple, I removed the extra test.
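
The failure mode described in the commit message above, as an added Rust sketch that is neither gix-pack's code nor part of the commit: delta size headers are parsed once from the rest of a combined instruction buffer and once from the delta's own range only. All names and the sample bytes are hypothetical and constructed for illustration.

```rust
// Added illustration: hypothetical names, not gix-pack's API.
#[derive(Debug, PartialEq)]
pub enum DeltaError {
    TruncatedHeader,
}

/// (base_size, result_size, header_len_in_bytes)
pub type Header = (u64, u64, usize);

/// Decode one delta size varint: 7 bits per byte, little-endian, MSB set means
/// "more bytes follow". Returns None if `d` ends before the varint does.
fn decode_size(d: &[u8]) -> Option<(u64, usize)> {
    let mut value = 0u64;
    for (i, &b) in d.iter().enumerate().take(10) {
        value |= u64::from(b & 0x7f) << (7 * i);
        if b & 0x80 == 0 {
            return Some((value, i + 1));
        }
    }
    None
}

fn parse_header(d: &[u8]) -> Result<Header, DeltaError> {
    let (base, n1) = decode_size(d).ok_or(DeltaError::TruncatedHeader)?;
    let (result, n2) = decode_size(&d[n1..]).ok_or(DeltaError::TruncatedHeader)?;
    Ok((base, result, n1 + n2))
}

/// Pattern described as the bug: parse from the rest of the combined buffer.
pub fn header_unbounded(buf: &[u8], start: usize) -> Result<Header, DeltaError> {
    parse_header(&buf[start..])
}

/// Pattern described as the fix: parse only within this delta's own range.
pub fn header_bounded(buf: &[u8], start: usize, len: usize) -> Result<Header, DeltaError> {
    let end = start.checked_add(len).ok_or(DeltaError::TruncatedHeader)?;
    parse_header(buf.get(start..end).ok_or(DeltaError::TruncatedHeader)?)
}

/// Constructed sample: delta A (2 bytes, second size varint cut short), then delta B.
pub const COMBINED: [u8; 5] = [0x05, 0x85, 0x03, 0x04, 0x90];

fn main() {
    // Unbounded: header_len 3 exceeds A's 2 bytes, so `&buf[3..2]` would panic later.
    println!("{:?}", header_unbounded(&COMBINED, 0));
    println!("{:?}", header_bounded(&COMBINED, 0, 2));
    println!("{:?}", header_bounded(&COMBINED, 2, 3));
}
```

With the unbounded variant, delta A's header length (3) exceeds its declared size (2), which is the same shape of inverted range as the reported 'starts at 11 but ends at 9'; the bounded variant reports the truncation as an error instead.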
Commit Statistics
- 21 commits contributed to the release over the course of 28 calendar days.
- 28 days passed between releases.
- 2 commits were understood as conventional.
- 0 issues like '(#ID)' were seen in commit messages
Commit Details
- Uncategorized
- Merge pull request #2590 from GitoxideLabs/independent-testtools (575113d)
- Adapt to changes in gix-testtools (ce9e6bd)
- Merge pull request #2581 from GitoxideLabs/improvements (8af2691)
- Add SHA-256 support (04c894e)
- Merge pull request #2573 from cruessler/run-gix-traverse-tests-with-sha-256 (278d7ec)
- Address auto-review (0ec3bb7)
- Cleanup the justfile and automate feature tests (db7b97b)
- Merge pull request #2571 from GitoxideLabs/fix/avoid-pack-delta-panic (24cdbb0)
- Address auto-review (c5db356)
- Address review comment about large delta header probes (af84752)
- Address review comments about decompression bounds (89a27bf)
- Address review comment about produced delta bytes (8e562c7)
- Reject truncated delta headers within their own data range (3e38902)
- Merge pull request #2568 from GitoxideLabs/dependabot/cargo/cargo-56d6b174d8 (ab2fee1)
- Update crates to Rust 2024 edition (2cb17b2)
- Remove rust_2018_idioms lint declarations (e10d5f6)
- Raise MSRV for hash dependency updates (3675a8d)
- Merge pull request #2543 from cruessler/run-gix-worktree-stream-tests-with-sha-256 (23af41a)
- Adapt to changes in gix_object::Data (4309fa4)
- Adapt to changes in gix-testtools and rename hash_kind -> object_hash (d9648e8)
- Merge pull request #2546 from GitoxideLabs/fix-2545 (adb8328)