Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid buffer overflow in fillBufBuilderOne #4

Merged
merged 1 commit into from
Jun 22, 2024
Merged

Avoid buffer overflow in fillBufBuilderOne #4

merged 1 commit into from
Jun 22, 2024

Conversation

FinleyMcIlwaine
Copy link
Collaborator

@FinleyMcIlwaine FinleyMcIlwaine commented Jun 21, 2024
edited
Loading

This is nearly exactly the same fix as my last patch (#3), just for another occurrence of Data.ByteString.Builder.More. We haven't seen any issues resulting from this code path ourselves, but it is vulnerable to the same sort of buffer overflow as the previous patch (running a writer in a buffer which might not have enough room).

Sorry I missed this before! I bumped the version and added a ChangeLog entry.

@FinleyMcIlwaine FinleyMcIlwaine force-pushed the finley/fix-buffer-again branch from 9ecfdbe to 0068359 Compare June 21, 2024 16:30
@FinleyMcIlwaine FinleyMcIlwaine force-pushed the finley/fix-buffer-again branch from 0068359 to c369749 Compare June 21, 2024 16:31
@FinleyMcIlwaine FinleyMcIlwaine changed the title Avoid buffer overflow in FillBuf (2) Avoid buffer overflow in fillBufBuilderOne Jun 21, 2024
@FinleyMcIlwaine FinleyMcIlwaine mentioned this pull request Jun 21, 2024
Merged
@kazu-yamamoto kazu-yamamoto self-requested a review June 22, 2024 00:30
@kazu-yamamoto kazu-yamamoto merged commit c72134c into kazu-yamamoto:main Jun 22, 2024
@kazu-yamamoto
Copy link
Owner

Merged.
Thank you so much!

@kazu-yamamoto
Copy link
Owner

A new version has been released.

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Jan 30, 2025
@depressed-pho
www/hs-http-semantics: update to http-semantics-0.3.0
ea7399d 
## 0.3.0

* Breaking change: fillFileBodyGetNext takes Sentinel instead of
  IO () to close files on time.

## 0.2.1

* Add outBodyCancel to OutBodyIface
  [#11](kazu-yamamoto/http-semantics#11)
* Documentation improvement.
  [#10](kazu-yamamoto/http-semantics#10)
  [#11](kazu-yamamoto/http-semantics#11)

## 0.2.0

* Introduce `responseStreamingIface`
  [#9](kazu-yamamoto/http-semantics#9)

## 0.1.2

* Avoid buffer overflow in fillBufBuilderOne
  [#4](kazu-yamamoto/http-semantics#4)

## 0.1.1

* Avoid buffer overflow in runStreamingBuilder
  [#3](kazu-yamamoto/http-semantics#3)

## 0.1.0

* Make it possible to guarantee that final DATA frame is marked end-of-stream.
  [#2](kazu-yamamoto/http-semantics#2)

## 0.0.1

* Defining getResponseBodyChunk'.
  [#1](kazu-yamamoto/http-semantics#1)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kazu-yamamoto kazu-yamamoto Awaiting requested review from kazu-yamamoto

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@FinleyMcIlwaine @kazu-yamamoto