Security
This release contains security hardening fixes for a number of malformed-input parsing and path-traversal vulnerabilities:
- Bounds-checking for malformed event payloads in the BPerf ULZ777 decompressor and event-record parser
- Bounds-checking for malformed metadata in the GCDynamic, RegisteredTraceEventParser (TDH), Dynamic, and EventPipe V3 parsers
- Bounds-checking for malformed PE CodeView and Resource directory entries
- Path containment hardening for PDB extraction (zipped ETL + container PDBs), DiagSession resource extraction, R2R perf map writes, PdbScope module paths, and dynamic manifest writes
- Path-traversal and command-execution hardening for Source Server lookups
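
The path containment item above concerns files extracted from archives whose entry names come from untrusted input. The following is an added example, not the project's own code, of one way to perform such a containment check; `ContainedExtraction`, `ResolveInside`, and the sample entry names are hypothetical and constructed for illustration.

```csharp
using System;
using System.IO;

static class ContainedExtraction
{
    // Hypothetical helper: map an untrusted archive entry name to a path under
    // destRoot, or throw if the resolved path would land outside it.
    public static string ResolveInside(string destRoot, string entryName)
    {
        // Canonical root with a trailing separator, so a sibling directory such
        // as "symbols-other" cannot pass a prefix test against "symbols".
        string root = Path.GetFullPath(destRoot);
        string sep = Path.DirectorySeparatorChar.ToString();
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep;

        // Path.Combine discards root when entryName is itself rooted, and
        // GetFullPath collapses ".." segments; both cases are caught below.
        string candidate = Path.GetFullPath(Path.Combine(root, entryName));

        // Ordinal comparison fails closed: a case-variant prefix is rejected
        // rather than trusted. This check does not resolve symlinks or junctions.
        if (!candidate.StartsWith(root, StringComparison.Ordinal))
            throw new InvalidDataException(
                $"Entry '{entryName}' resolves outside '{root}'.");
        return candidate;
    }

    static void Main()
    {
        string root = Path.Combine(Path.GetTempPath(), "symbols");
        // Constructed entry names: two benign, three that must be rejected.
        string[] entries =
        {
            "app.pdb", "sub/lib.pdb",
            "../escape.pdb", "../symbols-other/x.pdb", "/abs/x.pdb"
        };
        foreach (string name in entries)
        {
            try { Console.WriteLine($"OK      {name} -> {ResolveInside(root, name)}"); }
            catch (InvalidDataException e) { Console.WriteLine($"REJECT  {e.Message}"); }
        }
    }
}
```

The check runs before any file is created, so a rejected entry never touches the disk.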
What's Changed
- Update CsWin32 Package Version by @brianrob in #2425
- Fix incorrect field offsets when parsing ETW events with fixed-count array fields by @Copilot in #2427
- Retarget Native Profiler Builds To VS 2026 V145 Toolset by @brianrob in #2428
- Stabilize XamlMessageBox UI-thread dispatch test by @brianrob in #2430
Full Changelog: v3.2.3...v3.2.4