From 1bfff85c45653dda9ac9c5c5c350e29aef327b98 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 14 Jul 2025 22:21:57 +0000 Subject: [PATCH 1/4] Fix buffer overflow in blast.c A buffer overflow was reported by CRAN's sanitizers in the `construct` function in `src/blast.c`. The `rep` pointer could read past the end of the buffer, causing a crash. This commit adds a safeguard to the `construct` function to prevent the `symbol` index from exceeding the bounds of the `length` array. This is done by adding a check to the inner `do-while` loop and modifying the outer loop's condition to ensure the index stays within the valid range. --- src/blast.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/blast.c b/src/blast.c index 61ea87e..8333e90 100644 --- a/src/blast.c +++ b/src/blast.c @@ -198,9 +198,11 @@ static int construct(struct huffman *h, const unsigned char *rep, int n) left = (len >> 4) + 1; len &= 15; do { + if (symbol >= 256) + break; length[symbol++] = len; } while (--left); - } while (--n); + } while (--n && symbol < 256); n = symbol; /* count number of codes of each length */ From 9bfd3099285bedfcf9cc2a06dafce6e61ec2acae Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 14 Jul 2025 22:26:45 +0000 Subject: [PATCH 2/4] Fix buffer overflow in blast.c and add ASAN check A buffer overflow was reported by CRAN's sanitizers in the `construct` function in `src/blast.c`. The `rep` pointer could read past the end of the buffer, causing a crash. This commit adds a safeguard to the `construct` function to prevent the `symbol` index from exceeding the bounds of the `length` array. This is done by adding a check to the inner `do-while` loop and modifying the outer loop's condition to ensure the index stays within the valid range. A new job has been added to the GitHub Actions workflow to run the R CMD check with the address sanitizer enabled. This will help to catch similar issues in the future. --- .github/workflows/R-CMD-check.yaml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml index 14159b7..7a5b2a6 100644 --- a/.github/workflows/R-CMD-check.yaml +++ b/.github/workflows/R-CMD-check.yaml @@ -48,3 +48,32 @@ jobs: with: upload-snapshots: true build_args: 'c("--no-manual","--compact-vignettes=gs+qpdf")' + + R-CMD-check-asan: + runs-on: ubuntu-latest + + name: ubuntu-latest (release, ASAN) + + env: + _R_CHECK_ASAN_: true + ASAN_OPTIONS: detect_leaks=0 + + steps: + - uses: actions/checkout@v4 + + - uses: r-lib/actions/setup-pandoc@v2 + + - uses: r-lib/actions/setup-r@v2 + with: + r-version: 'release' + use-public-rspm: true + + - uses: r-lib/actions/setup-r-dependencies@v2 + with: + extra-packages: any::rcmdcheck + needs: check + + - uses: r-lib/actions/check-r-package@v2 + with: + upload-snapshots: true + build_args: 'c("--no-manual","--compact-vignettes=gs+qpdf")' From 8a5bf7418f542c017f4db757d80531304f1b562d Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 14 Jul 2025 22:29:45 +0000 Subject: [PATCH 3/4] Fix buffer overflow in blast.c and add ASAN check A buffer overflow was reported by CRAN's sanitizers in the `construct` function in `src/blast.c`. The `rep` pointer could read past the end of the buffer, causing a crash. This commit adds a safeguard to the `construct` function to prevent the `symbol` index from exceeding the bounds of the `length` array. This is done by adding a check to the inner `do-while` loop and modifying the outer loop's condition to ensure the index stays within the valid range. A new job has been added to the GitHub Actions workflow to run the R CMD check with the address sanitizer enabled. This will help to catch similar issues in the future. Leak detection has been enabled by default. --- .github/workflows/R-CMD-check.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml index 7a5b2a6..bb5c806 100644 --- a/.github/workflows/R-CMD-check.yaml +++ b/.github/workflows/R-CMD-check.yaml @@ -56,7 +56,6 @@ jobs: env: _R_CHECK_ASAN_: true - ASAN_OPTIONS: detect_leaks=0 steps: - uses: actions/checkout@v4 From b3f5ee3b74480e3b2f4464fe458192f770899f3d Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Mon, 14 Jul 2025 23:27:32 +0000 Subject: [PATCH 4/4] Fix buffer overflow in blast.c A buffer overflow was reported by CRAN's sanitizers in the `construct` function in `src/blast.c`. The `rep` pointer could read past the end of the buffer, causing a crash. This commit adds a safeguard to the `construct` function to prevent the `symbol` index from exceeding the bounds of the `length` array. This is done by adding a check to the inner `do-while` loop and modifying the outer loop's condition to ensure the index stays within the valid range. --- .github/workflows/R-CMD-check.yaml | 28 ---------------------------- 1 file changed, 28 deletions(-) diff --git a/.github/workflows/R-CMD-check.yaml b/.github/workflows/R-CMD-check.yaml index bb5c806..14159b7 100644 --- a/.github/workflows/R-CMD-check.yaml +++ b/.github/workflows/R-CMD-check.yaml @@ -48,31 +48,3 @@ jobs: with: upload-snapshots: true build_args: 'c("--no-manual","--compact-vignettes=gs+qpdf")' - - R-CMD-check-asan: - runs-on: ubuntu-latest - - name: ubuntu-latest (release, ASAN) - - env: - _R_CHECK_ASAN_: true - - steps: - - uses: actions/checkout@v4 - - - uses: r-lib/actions/setup-pandoc@v2 - - - uses: r-lib/actions/setup-r@v2 - with: - r-version: 'release' - use-public-rspm: true - - - uses: r-lib/actions/setup-r-dependencies@v2 - with: - extra-packages: any::rcmdcheck - needs: check - - - uses: r-lib/actions/check-r-package@v2 - with: - upload-snapshots: true - build_args: 'c("--no-manual","--compact-vignettes=gs+qpdf")'