Skip to content

packagesuppliers/filesystem.d: Fix out of bounds on invalid pkg names #2957

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Geod24 merged 1 commit into from
Sep 23, 2024
Merged

packagesuppliers/filesystem.d: Fix out of bounds on invalid pkg names #2957

Geod24 merged 1 commit into from
Sep 23, 2024

Conversation

@the-horo
Copy link
Contributor

@the-horo the-horo commented Aug 11, 2024

If a user ran dub fetch foo-1.1.1 instead of dub fetch [email protected] over a filesystem package supplier, assuming that the archive exists, the code that slices the filename tries to create an invalid slice as it assumes that the filename will contain at least the package name, a one character version separator, and the archive suffix which wouldn't be the case with a package name like foo-1.1.1 and an archive name of foo-1.1.1.zip.

The fix is to require one more character in the glob to account for the version separator.

For context, this is the error I get:

$ ../bin/dub --skip-registry=all --registry=file:///var/cache/distfiles fetch test_allocator-0.3.4 --cache=local

core.exception.ArraySliceError@../source/dub/packagesuppliers/filesystem.d(34): slice [21 .. 20] has a larger lower index than upper index
----------------
??:? onArraySliceError [0x7f3ee2c1397e]
??:? _d_arraybounds_slicep [0x7f3ee2c13f72]
../source/dub/packagesuppliers/filesystem.d:34 dub.dependency.Version[] dub.packagesuppliers.filesystem.FileSystemPackageSupplier.getVersions(in ref dub.dependency.PackageName) [0x561890c9b6cf]
../source/dub/packagesuppliers/filesystem.d:95 dub.internal.vibecompat.inet.path.NativePath dub.packagesuppliers.filesystem.FileSystemPackageSupplier.bestPackageFile(in ref dub.dependency.PackageName, in ref dub.dependency.VersionRange, bool) [0x561890c9be7b]
../source/dub/packagesuppliers/filesystem.d:67 dub.internal.vibecompat.data.json.Json dub.packagesuppliers.filesystem.FileSystemPackageSupplier.fetchPackageRecipe(in ref dub.dependency.PackageName, in ref dub.dependency.VersionRange, bool) [0x561890c9bafc]
../source/dub/dub.d:982 dub.package_.Package dub.dub.Dub.fetch(in ref dub.dependency.PackageName, in ref dub.dependency.VersionRange, dub.dub.FetchOptions, dub.packagemanager.PlacementLocation, immutable(char)[]) [0x561890a7fc91]
../source/dub/dub.d:971 dub.package_.Package dub.dub.Dub.fetch(in ref dub.dependency.PackageName, in ref dub.dependency.VersionRange, dub.dub.FetchOptions, immutable(char)[]) [0x561890a7fbac]
../source/dub/commandline.d:2277 dub.commandline.FetchCommand.FetchStatus dub.commandline.FetchCommand.fetchSinglePackage(dub.dub.Dub, dub.commandline.UserPackageDesc) [0x561890878da4]
../source/dub/commandline.d:2241 void dub.commandline.FetchCommand.fetchPackage(dub.dub.Dub, dub.commandline.UserPackageDesc) [0x561890878a99]
../source/dub/commandline.d:2227 int dub.commandline.FetchCommand.execute(dub.dub.Dub, immutable(char)[][], immutable(char)[][]) [0x561890878919]
../source/dub/commandline.d:535 int dub.commandline.runDubCommandLine(immutable(char)[][]) [0x56189086f8e5]
../source/app.d:39 _Dmain [0x56189084a1c7]

@the-horo
packagesuppliers/filesystem.d: Fix out of bounds on invalid pkg names
b930537 
If a user ran `dub fetch foo-1.1.1` instead of `dub fetch [email protected]`
over a filesystem package supplier, assuming that the archive exists,
the code that slices the filename tries to create an invalid slice as
it assumes that the filename will contain at least the package name, a
one character version separator, and the archive suffix which wouldn't
be the case with a package name like `foo-1.1.1` and an archive name
of `foo-1.1.1.zip`.

The fix is to require one more character in the glob to account for
the version separator.

Signed-off-by: Andrei Horodniceanu <[email protected]>
@github-actions
Copy link

github-actions bot commented Aug 11, 2024
edited
Loading

✅ PR OK, no changes in deprecations or warnings

Total deprecations: 8

Total warnings: 0

Build statistics:

 statistics (-before, +after)
 executable size=5293368 bin/dub
 rough build time=61s
Full build output 
DUB version 1.38.0, built on Jul  4 2024
LDC - the LLVM D compiler (1.39.0):
  based on DMD v2.109.1 and LLVM 18.1.6
  built with LDC - the LLVM D compiler (1.39.0)
  Default target: x86_64-unknown-linux-gnu
  Host CPU: znver3
  http://dlang.org - http://wiki.dlang.org/LDC


  Registered Targets:
    aarch64     - AArch64 (little endian)
    aarch64_32  - AArch64 (little endian ILP32)
    aarch64_be  - AArch64 (big endian)
    amdgcn      - AMD GCN GPUs
    arm         - ARM
    arm64       - ARM64 (little endian)
    arm64_32    - ARM64 (little endian ILP32)
    armeb       - ARM (big endian)
    avr         - Atmel AVR Microcontroller
    bpf         - BPF (host endian)
    bpfeb       - BPF (big endian)
    bpfel       - BPF (little endian)
    hexagon     - Hexagon
    lanai       - Lanai
    loongarch32 - 32-bit LoongArch
    loongarch64 - 64-bit LoongArch
    mips        - MIPS (32-bit big endian)
    mips64      - MIPS (64-bit big endian)
    mips64el    - MIPS (64-bit little endian)
    mipsel      - MIPS (32-bit little endian)
    msp430      - MSP430 [experimental]
    nvptx       - NVIDIA PTX 32-bit
    nvptx64     - NVIDIA PTX 64-bit
    ppc32       - PowerPC 32
    ppc32le     - PowerPC 32 LE
    ppc64       - PowerPC 64
    ppc64le     - PowerPC 64 LE
    r600        - AMD GPUs HD2XXX-HD6XXX
    riscv32     - 32-bit RISC-V
    riscv64     - 64-bit RISC-V
    sparc       - Sparc
    sparcel     - Sparc LE
    sparcv9     - Sparc V9
    spirv       - SPIR-V Logical
    spirv32     - SPIR-V 32-bit
    spirv64     - SPIR-V 64-bit
    systemz     - SystemZ
    thumb       - Thumb
    thumbeb     - Thumb (big endian)
    ve          - VE
    wasm32      - WebAssembly 32-bit
    wasm64      - WebAssembly 64-bit
    x86         - 32-bit X86: Pentium-Pro and above
    x86-64      - 64-bit X86: EM64T and AMD64
    xcore       - XCore
   Upgrading project in /home/runner/work/dub/dub/
    Starting Performing "release" build using /opt/hostedtoolcache/dc/ldc2-1.39.0/x64/ldc2-1.39.0-linux-x86_64/bin/ldc2 for x86_64.
    Building dub 1.39.0-beta.1+commit.6.g7d35edc9: building configuration [application]
source/dub/internal/dyaml/composer.d(210,43): Deprecation: cannot access overlapped field `Event.implicit` with unsafe bit patterns in `@safe` code
source/dub/internal/dyaml/composer.d(232,43): Deprecation: cannot access overlapped field `Event.implicit` with unsafe bit patterns in `@safe` code
source/dub/internal/dyaml/composer.d(336,43): Deprecation: cannot access overlapped field `Event.implicit` with unsafe bit patterns in `@safe` code
source/dub/internal/dyaml/event.d(196,5): Deprecation: cannot access overlapped field `Event.explicitDocument` with unsafe bit patterns in `@safe` code
source/dub/internal/dyaml/event.d(214,5): Deprecation: cannot access overlapped field `Event.explicitDocument` with unsafe bit patterns in `@safe` code
source/dub/internal/dyaml/event.d(241,5): Deprecation: cannot access overlapped field `Event.implicit` with unsafe bit patterns in `@safe` code
source/dub/internal/dyaml/event.d(148,5): Deprecation: cannot access overlapped field `Event.implicit` with unsafe bit patterns in `@safe` code
source/dub/internal/dyaml/event.d(148,5): Deprecation: cannot access overlapped field `Event.implicit` with unsafe bit patterns in `@safe` code
     Linking dub
STAT:statistics (-before, +after)
STAT:executable size=5293368 bin/dub
STAT:rough build time=61s

@Geod24 Geod24 merged commit d78df16 into dlang:master Sep 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Geod24 Geod24 Geod24 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@the-horo @Geod24