Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package aws-c-event-stream for openSUSE:Factory checked in at 2026-05-26 16:35:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/aws-c-event-stream (Old) and /work/SRC/openSUSE:Factory/.aws-c-event-stream.new.2084 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aws-c-event-stream" Tue May 26 16:35:03 2026 rev:13 rq:1355153 version:0.7.1 Changes: -------- --- /work/SRC/openSUSE:Factory/aws-c-event-stream/aws-c-event-stream.changes 2026-04-09 16:24:58.607084752 +0200 +++ /work/SRC/openSUSE:Factory/.aws-c-event-stream.new.2084/aws-c-event-stream.changes 2026-05-26 16:35:18.847179655 +0200 @@ -1,0 +2,7 @@ +Fri May 22 07:48:02 UTC 2026 - John Paul Adrian Glaubitz <[email protected]> + +- Update to version 0.7.1 + * builder -> v0.9.92 and clang-latest by @sbSteveK in (#143) + * Fix several decoding infinite loops by @bretambrose in (#144) + +------------------------------------------------------------------- Old: ---- v0.7.0.tar.gz New: ---- v0.7.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ aws-c-event-stream.spec ++++++ --- /var/tmp/diff_new_pack.nYbIRI/_old 2026-05-26 16:35:19.787218546 +0200 +++ /var/tmp/diff_new_pack.nYbIRI/_new 2026-05-26 16:35:19.787218546 +0200 @@ -21,7 +21,7 @@ %define library_version 1.0.0 %define library_soversion 1 Name: aws-c-event-stream -Version: 0.7.0 +Version: 0.7.1 Release: 0 Summary: C99 implementation of the vnd.amazon.eventstream content-type License: Apache-2.0 ++++++ v0.7.0.tar.gz -> v0.7.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-event-stream-0.7.0/.github/workflows/ci.yml new/aws-c-event-stream-0.7.1/.github/workflows/ci.yml --- old/aws-c-event-stream-0.7.0/.github/workflows/ci.yml 2026-03-23 18:23:37.000000000 +0100 +++ new/aws-c-event-stream-0.7.1/.github/workflows/ci.yml 2026-05-20 21:52:36.000000000 +0200 @@ -6,7 +6,7 @@ - 'main' env: - BUILDER_VERSION: v0.9.90 + BUILDER_VERSION: v0.9.92 BUILDER_SOURCE: releases BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net PACKAGE_NAME: aws-c-event-stream 
@@ -57,6 +57,7 @@ - clang-11 - clang-15 - clang-17 + - clang-latest - gcc-4.8 - gcc-5 - gcc-6 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-event-stream-0.7.0/include/aws/event-stream/event_stream.h new/aws-c-event-stream-0.7.1/include/aws/event-stream/event_stream.h --- old/aws-c-event-stream-0.7.0/include/aws/event-stream/event_stream.h 2026-03-23 18:23:37.000000000 +0100 +++ new/aws-c-event-stream-0.7.1/include/aws/event-stream/event_stream.h 2026-05-20 21:52:36.000000000 +0200 @@ -33,6 +33,12 @@ * https://github.com/awslabs/aws-eventstream-java/blob/1e76ef478f0108b38e2d7b70b598b4e5f0def3d1/src/main/java/software/amazon/eventstream/Utils.java#L34-L40*/ #define AWS_EVENT_STREAM_HEADER_VALUE_LEN_MAX (INT16_MAX) +/* + * Not an actual part of the eventstream spec. Similar to HTTP where there is no spec-defined header maximum but + * implementations apply limits to bound memory usage. + */ +#define AWS_EVENT_STREAM_MESSAGE_MAX_HEADERS 1024 + enum aws_event_stream_errors { AWS_ERROR_EVENT_STREAM_BUFFER_LENGTH_MISMATCH = AWS_ERROR_ENUM_BEGIN_RANGE(AWS_C_EVENT_STREAM_PACKAGE_ID), AWS_ERROR_EVENT_STREAM_INSUFFICIENT_BUFFER_LEN, @@ -46,6 +52,7 @@ AWS_ERROR_EVENT_STREAM_RPC_PROTOCOL_ERROR, AWS_ERROR_EVENT_STREAM_RPC_STREAM_CLOSED, AWS_ERROR_EVENT_STREAM_RPC_STREAM_NOT_ACTIVATED, + AWS_ERROR_EVENT_STREAM_MESSAGE_TOO_MANY_HEADERS, AWS_ERROR_EVENT_STREAM_END_RANGE = AWS_ERROR_ENUM_END_RANGE(AWS_C_EVENT_STREAM_PACKAGE_ID), }; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-event-stream-0.7.0/source/event_stream.c new/aws-c-event-stream-0.7.1/source/event_stream.c --- old/aws-c-event-stream-0.7.0/source/event_stream.c 2026-03-23 18:23:37.000000000 +0100 +++ new/aws-c-event-stream-0.7.1/source/event_stream.c 2026-05-20 21:52:36.000000000 +0200 
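Review bot: In include/aws/event-stream/event_stream.h, the comment added above `AWS_EVENT_STREAM_MESSAGE_MAX_HEADERS` explains why a limit exists but not where it is enforced or what a caller sees when it is exceeded. Within this diff the only visible enforcement is the header-parsing loop in source/event_stream.c, which raises `AWS_ERROR_EVENT_STREAM_MESSAGE_TOO_MANY_HEADERS`. The streaming-decoder hunk adds length checks but no header count, so consumers that collect headers from `on_header` callbacks may still need their own bound (this cannot be confirmed from the hunks shown). I would extend the comment with a sentence such as `Exceeding this count while parsing a header block fails with AWS_ERROR_EVENT_STREAM_MESSAGE_TOO_MANY_HEADERS.` and state whether the streaming decoder applies the limit.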
@@ -61,6 +61,10 @@ "aws_event_stream_rpc_client_continuation_activate()" " before using a stream continuation token.", LIB_NAME), + AWS_DEFINE_ERROR_INFO( + AWS_ERROR_EVENT_STREAM_MESSAGE_TOO_MANY_HEADERS, + "message contained too many headers", + LIB_NAME), }; static struct aws_error_info_list s_list = { @@ -239,12 +243,17 @@ return aws_raise_error(AWS_ERROR_EVENT_STREAM_MESSAGE_FIELD_SIZE_EXCEEDED); } + size_t header_count = 0; struct aws_byte_cursor buffer_cur = aws_byte_cursor_from_array(buffer, headers_len); /* iterate the buffer per header. */ while (buffer_cur.len) { struct aws_event_stream_header_value_pair header; AWS_ZERO_STRUCT(header); + if (header_count >= AWS_EVENT_STREAM_MESSAGE_MAX_HEADERS) { + return aws_raise_error(AWS_ERROR_EVENT_STREAM_MESSAGE_TOO_MANY_HEADERS); + } + /* get the header info from the buffer, make sure to increment buffer offset. */ aws_byte_cursor_read_u8(&buffer_cur, &header.header_name_len); AWS_RETURN_ERROR_IF( @@ -311,6 +320,8 @@ if (aws_array_list_push_back(headers, (const void *)&header)) { return AWS_OP_ERR; } + + ++header_count; } return AWS_OP_SUCCESS; 
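Review bot: In the `@@ -239,12 +243,17 @@` hunk of source/event_stream.c, the new `header_count >= AWS_EVENT_STREAM_MESSAGE_MAX_HEADERS` guard returns after entries have already been pushed onto `headers`, and nothing at the return site says the list is left partially filled. A comment at the guard such as `/* on failure, headers keeps the entries parsed so far; the caller owns cleanup */` would make that contract explicit. The counter also starts at zero on every call, so it caps headers parsed per call rather than the length of `headers`. If the intent is to bound the list itself, comparing `aws_array_list_length(headers)` would do that, though whether any caller passes a non-empty list is not visible here. The enclosing function starts and ends outside the hunk, and the matching `++header_count` is in the `@@ -311,6 +320,8 @@` hunk.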
@@ -1502,6 +1513,35 @@ return AWS_OP_ERR; } + if (decoder->prelude.headers_len > + decoder->prelude.total_len - AWS_EVENT_STREAM_PRELUDE_LENGTH - AWS_EVENT_STREAM_TRAILER_LENGTH) { + aws_raise_error(AWS_ERROR_EVENT_STREAM_MESSAGE_INVALID_HEADERS_LEN); + char error_message[] = "Invalid message headers length"; + + decoder->on_error( + decoder, + &decoder->prelude, + AWS_ERROR_EVENT_STREAM_MESSAGE_INVALID_HEADERS_LEN, + error_message, + decoder->user_context); + + return AWS_OP_ERR; + } + + if (decoder->prelude.total_len < AWS_EVENT_STREAM_PRELUDE_LENGTH + AWS_EVENT_STREAM_TRAILER_LENGTH) { + aws_raise_error(AWS_ERROR_EVENT_STREAM_BUFFER_LENGTH_MISMATCH); + char error_message[] = "Message length too short"; + + decoder->on_error( + decoder, + &decoder->prelude, + AWS_ERROR_EVENT_STREAM_BUFFER_LENGTH_MISMATCH, + error_message, + decoder->user_context); + + return AWS_OP_ERR; + } + /* Should only call on_prelude() after passing crc check and limitation check, otherwise call on_prelude() with * incorrect prelude is error prune. */ decoder->on_prelude(decoder, &decoder->prelude, decoder->user_context); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-event-stream-0.7.0/source/event_stream_channel_handler.c new/aws-c-event-stream-0.7.1/source/event_stream_channel_handler.c --- old/aws-c-event-stream-0.7.0/source/event_stream_channel_handler.c 2026-03-23 18:23:37.000000000 +0100 +++ new/aws-c-event-stream-0.7.1/source/event_stream_channel_handler.c 2026-05-20 21:52:36.000000000 +0200 @@ -111,6 +111,7 @@ "id=%p: read total message length of %" PRIu32, (void *)handler, event_stream_handler->current_message_len); + if (event_stream_handler->current_message_len > AWS_EVENT_STREAM_MAX_MESSAGE_SIZE) { AWS_LOGF_ERROR( AWS_LS_EVENT_STREAM_CHANNEL_HANDLER, 
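Review bot: In the `@@ -1502,6 +1513,35 @@` hunk of source/event_stream.c, the headers-length check computes `total_len - AWS_EVENT_STREAM_PRELUDE_LENGTH - AWS_EVENT_STREAM_TRAILER_LENGTH` before `total_len` has been compared with that minimum. For an undersized message the subtraction therefore wraps (assuming the operands are unsigned, which the hunk does not show). Such a message is still rejected, but only because the wrapped value is very large and the second block then catches the short length. Moving the `total_len < AWS_EVENT_STREAM_PRELUDE_LENGTH + AWS_EVENT_STREAM_TRAILER_LENGTH` block above the `headers_len` block would make the subtraction safe by construction and keep both checks correct if either is later edited. The enclosing function starts and ends outside the hunk.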
@@ -122,6 +123,19 @@ error_code = aws_last_error(); goto finished; } + + if (event_stream_handler->current_message_len < + AWS_EVENT_STREAM_PRELUDE_LENGTH + AWS_EVENT_STREAM_TRAILER_LENGTH) { + AWS_LOGF_ERROR( + AWS_LS_EVENT_STREAM_CHANNEL_HANDLER, + "id=%p: message length of %" PRIu32 " is invalid and too small", + (void *)handler, + event_stream_handler->current_message_len); + // not a great error but matches streaming which in turn matches original whole message decode + aws_raise_error(AWS_ERROR_EVENT_STREAM_BUFFER_LENGTH_MISMATCH); + error_code = aws_last_error(); + goto finished; + } /* advance past the headers field since we don't really care about it at this point */ aws_byte_cursor_advance(&prelude_cursor, sizeof(uint32_t)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-event-stream-0.7.0/tests/CMakeLists.txt new/aws-c-event-stream-0.7.1/tests/CMakeLists.txt --- old/aws-c-event-stream-0.7.0/tests/CMakeLists.txt 2026-03-23 18:23:37.000000000 +0100 +++ new/aws-c-event-stream-0.7.1/tests/CMakeLists.txt 2026-05-20 21:52:36.000000000 +0200 
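Review bot: In the `@@ -122,6 +123,19 @@` hunk of source/event_stream_channel_handler.c, the added `//` comment is the only explanation for reporting an undersized length as `AWS_ERROR_EVENT_STREAM_BUFFER_LENGTH_MISMATCH`, and it is terse and styled differently from the `/* ... */` comments around it. Something like `/* Reuse BUFFER_LENGTH_MISMATCH so an undersized total length yields the same error code here as in the streaming decoder. */` would read more clearly. Because that error code is shared with other mismatch cases, the `AWS_LOGF_ERROR` line is what distinguishes this rejection in logs. Including the minimum accepted length in that message would help triage. The enclosing function starts and ends outside the hunk.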
@@ -25,12 +25,17 @@ add_test_case(test_streaming_decoder_incoming_application_one_bool_header_pair_valid) add_test_case(test_streaming_decoder_incoming_multiple_messages) add_test_case(test_streaming_decoder_incoming_application_large_size_header_name_valid) +add_test_case(test_streaming_decoder_incoming_illegal_header_length_relationship_fails) +add_test_case(test_streaming_decoder_incoming_message_too_short) + +add_test_case(test_read_message_headers_too_many) add_test_case(test_channel_handler_single_valid_messages_parse) add_test_case(test_channel_handler_multiple_valid_messages_parse) add_test_case(test_channel_handler_corrupted_crc_fails) add_test_case(test_channel_handler_large_msg_success) add_test_case(test_channel_handler_write_message) +add_test_case(test_channel_handler_short_message_fails) add_net_test_case(test_event_stream_rpc_server_connection_setup_and_teardown) add_net_test_case(test_event_stream_rpc_server_connection_setup_and_teardown_with_bind_to_zero_port) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-event-stream-0.7.0/tests/channel_handler_test.c new/aws-c-event-stream-0.7.1/tests/channel_handler_test.c --- old/aws-c-event-stream-0.7.0/tests/channel_handler_test.c 2026-03-23 18:23:37.000000000 +0100 +++ new/aws-c-event-stream-0.7.1/tests/channel_handler_test.c 2026-05-20 21:52:36.000000000 +0200 
@@ -503,3 +503,44 @@ s_test_channel_handler_write_message, s_fixture_shutdown, &s_test_data) + +static int s_test_channel_handler_short_message_fails(struct aws_allocator *allocator, void *ctx) { + (void)allocator; + struct test_data *test_data = ctx; + + struct single_message_test_data message_test_data; + AWS_ZERO_STRUCT(message_test_data); + + test_data->received_fn = s_test_on_single_message; + test_data->user_data = &message_test_data; + + /* altered the 9th byte to a single bit flip */ + uint8_t short_message[] = { + 0x00, + 0x00, + 0x00, + 0x05, + 0x00, + 0x00, + 0x00, + 0x00, + 0xad, + 0xc2, + 0x50, + 0x19, + 0x00, + }; + + struct aws_byte_cursor empty_message_cursor = aws_byte_cursor_from_array(short_message, sizeof(short_message)); + ASSERT_SUCCESS(testing_channel_push_read_data(&s_test_data.testing_channel, empty_message_cursor)); + ASSERT_UINT_EQUALS(AWS_ERROR_EVENT_STREAM_BUFFER_LENGTH_MISMATCH, message_test_data.last_error_code); + + return AWS_OP_SUCCESS; +} + +AWS_TEST_CASE_FIXTURE( + test_channel_handler_short_message_fails, + s_fixture_setup, + s_test_channel_handler_short_message_fails, + s_fixture_shutdown, + &s_test_data) \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-event-stream-0.7.0/tests/message_deserializer_test.c new/aws-c-event-stream-0.7.1/tests/message_deserializer_test.c --- old/aws-c-event-stream-0.7.0/tests/message_deserializer_test.c 2026-03-23 18:23:37.000000000 +0100 +++ new/aws-c-event-stream-0.7.1/tests/message_deserializer_test.c 2026-05-20 21:52:36.000000000 +0200 
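Review bot: In tests/channel_handler_test.c, the comment `/* altered the 9th byte to a single bit flip */` above `short_message` does not describe this input, whose distinguishing feature is a total-length field of 5; it looks carried over from a CRC-corruption test (inferred, as that test is not in the hunk). I would replace it with `/* total length field (first four bytes) is 5, below AWS_EVENT_STREAM_PRELUDE_LENGTH + AWS_EVENT_STREAM_TRAILER_LENGTH */` and rename `empty_message_cursor` to `short_message_cursor`. The test also reaches the channel through the global `s_test_data` although it receives the fixture as `ctx`; `test_data->testing_channel` would be consistent with the two assignments above it. The file now ends without a trailing newline.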
@@ -160,3 +160,33 @@ AWS_TEST_CASE( test_outgoing_application_one_compressed_header_pair_valid, s_test_outgoing_application_one_compressed_header_pair_valid_fn) + +static const size_t TOO_MANY_HEADERS_BUFFER_SIZE = 1024 * 1024 - 16; + +static int s_test_read_message_headers_too_many_fn(struct aws_allocator *allocator, void *ctx) { + (void)allocator; + (void)ctx; + + struct aws_byte_buf header_buffer; + aws_byte_buf_init(&header_buffer, allocator, TOO_MANY_HEADERS_BUFFER_SIZE); + + // Each [0, 0] pair is a boolean header with no name and value == true + aws_secure_zero(header_buffer.buffer, TOO_MANY_HEADERS_BUFFER_SIZE); + + struct aws_array_list headers; + aws_array_list_init_dynamic(&headers, allocator, 8, sizeof(struct aws_event_stream_header_value_pair)); + + int result = + aws_event_stream_read_headers_from_buffer(&headers, header_buffer.buffer, TOO_MANY_HEADERS_BUFFER_SIZE); + int last_error = aws_last_error(); + ASSERT_FAILS(result); + ASSERT_INT_EQUALS(AWS_ERROR_EVENT_STREAM_MESSAGE_TOO_MANY_HEADERS, last_error); + ASSERT_TRUE(aws_array_list_length(&headers) <= AWS_EVENT_STREAM_MESSAGE_MAX_HEADERS); + + aws_array_list_clean_up(&headers); + aws_byte_buf_clean_up(&header_buffer); + + return 0; +} + +AWS_TEST_CASE(test_read_message_headers_too_many, s_test_read_message_headers_too_many_fn) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aws-c-event-stream-0.7.0/tests/message_streaming_decoder_test.c new/aws-c-event-stream-0.7.1/tests/message_streaming_decoder_test.c --- old/aws-c-event-stream-0.7.0/tests/message_streaming_decoder_test.c 2026-03-23 18:23:37.000000000 +0100 +++ new/aws-c-event-stream-0.7.1/tests/message_streaming_decoder_test.c 2026-05-20 21:52:36.000000000 +0200 
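Review bot: In tests/message_deserializer_test.c, `s_test_read_message_headers_too_many_fn` opens with `(void)allocator;` and then passes `allocator` to two calls, and it ignores the results of `aws_byte_buf_init` and `aws_array_list_init_dynamic`. Drop the cast and wrap the initialisers, e.g. `ASSERT_SUCCESS(aws_byte_buf_init(&header_buffer, allocator, TOO_MANY_HEADERS_BUFFER_SIZE));`, so that a setup failure is reported as such rather than surfacing inside the function under test. The final assertion uses `<=`, which would still pass if the guard stopped one header early. If each zero pair parses as one header, as the comment states, then `ASSERT_UINT_EQUALS(AWS_EVENT_STREAM_MESSAGE_MAX_HEADERS, aws_array_list_length(&headers));` pins the boundary exactly.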
@@ -822,3 +822,103 @@ AWS_TEST_CASE( test_streaming_decoder_incoming_application_large_size_header_name_valid, s_test_streaming_decoder_incoming_application_large_size_header_name_valid_fn) + +static int s_test_streaming_decoder_incoming_illegal_header_length_relationship_fails_fn( + struct aws_allocator *allocator, + void *ctx) { + uint8_t test_data[] = { + 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x08, 0xfe, 0x99, 0x66, + 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }; + + (void)ctx; + struct test_decoder_data decoder_data = {.latest_payload = 0, .written = 0, .alloc = allocator, .latest_error = 0}; + aws_event_stream_headers_list_init(&decoder_data.headers_list, allocator); + + struct aws_event_stream_streaming_decoder_options decoder_options = { + .on_payload_segment = s_decoder_test_on_payload_segment, + .on_prelude = s_decoder_test_on_prelude_received, + .on_header = s_decoder_test_header_received, + .on_complete = s_decoder_test_on_complete, + .on_error = s_decoder_test_on_error, + .user_data = &decoder_data}; + + struct aws_event_stream_streaming_decoder decoder; + aws_event_stream_streaming_decoder_init_from_options(&decoder, allocator, &decoder_options); + + struct aws_byte_buf test_buf = aws_byte_buf_from_array(test_data, sizeof(test_data)); + ASSERT_FAILS(aws_event_stream_streaming_decoder_pump(&decoder, &test_buf), "Message validation should not succeed"); + ASSERT_INT_EQUALS( + AWS_ERROR_EVENT_STREAM_MESSAGE_INVALID_HEADERS_LEN, + decoder_data.latest_error, + "Error should be invalid headers length"); + + if (decoder_data.latest_payload) { + aws_mem_release(allocator, decoder_data.latest_payload); + } + + aws_event_stream_streaming_decoder_clean_up(&decoder); + + aws_event_stream_headers_list_cleanup(&decoder_data.headers_list); + + return 0; +} + +AWS_TEST_CASE( + test_streaming_decoder_incoming_illegal_header_length_relationship_fails, + s_test_streaming_decoder_incoming_illegal_header_length_relationship_fails_fn) + +static int 
s_test_streaming_decoder_incoming_message_too_short_fn(struct aws_allocator *allocator, void *ctx) { + uint8_t test_data[] = { + 0x00, + 0x00, + 0x00, + 0x0c, + 0x00, + 0x00, + 0x00, + 0x00, + 0xa0, + 0xd2, + 0x32, + 0x68, + 0x00, + }; + + (void)ctx; + struct test_decoder_data decoder_data = { + .latest_payload = 0, + .written = 0, + .alloc = allocator, + .latest_error = 0, + }; + aws_event_stream_headers_list_init(&decoder_data.headers_list, allocator); + + struct aws_event_stream_streaming_decoder_options decoder_options = { + .on_payload_segment = s_decoder_test_on_payload_segment, + .on_prelude = s_decoder_test_on_prelude_received, + .on_header = s_decoder_test_header_received, + .on_complete = s_decoder_test_on_complete, + .on_error = s_decoder_test_on_error, + .user_data = &decoder_data}; + + struct aws_event_stream_streaming_decoder decoder; + aws_event_stream_streaming_decoder_init_from_options(&decoder, allocator, &decoder_options); + + struct aws_byte_buf test_buf = aws_byte_buf_from_array(test_data, sizeof(test_data)); + ASSERT_FAILS(aws_event_stream_streaming_decoder_pump(&decoder, &test_buf), "Message validation should not succeed"); + ASSERT_INT_EQUALS( + AWS_ERROR_EVENT_STREAM_BUFFER_LENGTH_MISMATCH, decoder_data.latest_error, "Error should be length mismatch"); + + if (decoder_data.latest_payload) { + aws_mem_release(allocator, decoder_data.latest_payload); + } + + aws_event_stream_streaming_decoder_clean_up(&decoder); + + aws_event_stream_headers_list_cleanup(&decoder_data.headers_list); + + return 0; +} + +AWS_TEST_CASE(test_streaming_decoder_incoming_message_too_short, s_test_streaming_decoder_incoming_message_too_short_fn)
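Review bot: In tests/message_streaming_decoder_test.c, neither `test_data` array says which bytes make the message invalid, so a reader has to decode the prelude by hand. A short comment on each would do: for the first, that the total length is 0x14 and the headers length 0x08, which exceeds what remains after the prelude and trailer; for the second, that the total length 0x0c is below the prelude-plus-trailer minimum. Both tests assert only `latest_error`. If `test_decoder_data` records whether `on_prelude` fired (not visible here), asserting that it did not would pin the ordering the decoder's own comment describes. The two functions repeat the same decoder setup and could share a helper.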
