gix-pack v0.72.0

Bug Fixes

• cap aggregate delta data allocation in gix-pack
  A ClusterFuzz data_file testcase could build a malformed delta chain whose
  individual entry sizes stayed below the configured fuzz allocation cap, but
  whose aggregate decompressed delta payload size reached multi-gigabyte scale.
  The fuzz harness then attempted to reserve that aggregate buffer and aborted
  with libFuzzer out-of-memory.

  Reject aggregate delta payload sizes once they exceed
  File::with_alloc_limit_bytes(), matching the existing protection for individual
  decoded object sizes. Add the minimized ClusterFuzz testcase to the data_file
  artefacts so the known input remains available to the fuzz target and artifact
  smoke test.

Bug Fixes (BREAKING)

• remove unused index::Version::hash() method.
  It's not useful either as there is no relationship between the Version
  of the index file and the hash to use.

Commit Statistics

• 10 commits contributed to the release over the course of 27 calendar days.
• 27 days passed between releases.
• 2 commits were understood as conventional.
• 0 issues like '(#ID)' were seen in commit messages

Commit Details

view details

• Uncategorized
  • Merge pull request #2657 from GitoxideLabs/dev/aratiu/sha256-pack (cdafa6a)
  • Review (14025af)
  • Cover multi-index write under SHA-256 (bbf6fe3)
  • Correct the index-verification progress label for non-SHA-1 hashes (aa319aa)
  • Merge pull request #2632 from GitoxideLabs/fix-fuzz-failure (70d38bf)
  • Cap aggregate delta data allocation in gix-pack (6de909b)
  • Merge pull request #2602 from cruessler/run-gix-pack-tests-with-sha-256 (4f862a5)
  • Remove unused index::Version::hash() method. (ee91e31)
  • Add generated archives for SHA-256 in gix-pack (4f1bb83)
  • Merge pull request #2618 from GitoxideLabs/report (f7d4f33)