Upgrade Core to 5d5098cc7c7537f4ff3da9848233ea314faffb2f#667
Conversation
Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
🤖 Augment PR SummarySummary: Updates the vendored Changes:
Technical Notes: Router files are now validated on load (magic/version/minimum size) and matched using the loaded byte buffer. 🤖 Was this summary useful? React with 👍 or 👎 |
![augmentcode[bot]](https://avatars.githubusercontent.com/in/1027498?s=60&v=4){kind=small}
| const char *segment, const std::uint32_t segment_length, | ||
| const std::uint32_t node_count, const std::size_t string_table_size) | ||
| noexcept -> std::uint32_t { | ||
| if (first_child >= node_count || |
There was a problem hiding this comment.
Because first_child/child_count are std::uint32_t values coming from disk, first_child + child_count can overflow and bypass this guard. That could lead to out-of-bounds reads when indexing nodes.
Severity: medium
🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.
| const auto middle = low + (high - low) / 2; | ||
| const auto child_index = first_child + middle; | ||
| const auto &child = nodes[child_index]; | ||
| if (child.string_offset + child.string_length > string_table_size) { |
There was a problem hiding this comment.
The expression child.string_offset + child.string_length is evaluated in std::uint32_t and can wrap before being compared to string_table_size, potentially letting invalid offsets through. The same overflow pattern exists for variable_node.string_offset + variable_node.string_length.
Severity: medium
Other Locations
vendor/core/src/core/uritemplate/uritemplate_router_view.cc:317
🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.
| throw URITemplateRouterReadError{path}; | ||
| } | ||
|
|
||
| const auto minimum_size = |
There was a problem hiding this comment.
header->node_count * sizeof(Node) can overflow size_t, making minimum_size smaller than the real required size and allowing later pointer arithmetic to walk past data_. Since this parses on-disk data, it’s worth guarding the size computations against overflow.
Severity: medium
🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.
| const auto *string_table = | ||
| header->string_table_offset < this->file_view_.size() | ||
| ? this->file_view_.as<char>(header->string_table_offset) | ||
| header->string_table_offset <= this->data_.size() |
There was a problem hiding this comment.
string_table_offset is only checked against data_.size(); if it points into the node array, matching may interpret node bytes as strings and produce incorrect routing results without failing. Consider validating the string table starts after the node array when constructing the view.
Severity: medium
🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.
| URITemplateRouterReadError(std::filesystem::path path) | ||
| : path_{std::move(path)} {} | ||
|
|
||
| [[nodiscard]] auto what() const noexcept -> const char * override { |
There was a problem hiding this comment.
URITemplateRouterReadError::what() says "Failed to open router file for reading", but this exception is also thrown for short reads / size checks / magic+version validation failures. A more general message (or capturing the reason) would make failures much easier to diagnose.
Severity: low
🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.
1 participant
Signed-off-by: Juan Cruz Viotti jv@jviotti.com