mirror of
https://github.com/oven-sh/bun
synced 2026-02-15 13:22:07 +00:00
b47d0bf960
## Summary Fixes a panic that occurred when parsing malformed integrity data in lockfiles. The issue was in `integrity.zig` where base64 decoding attempted to write more bytes than the fixed-size digest buffer could hold, causing `panic: index out of bounds: index 64, len 64`. ## Root Cause The `Integrity.parse()` function tried to decode base64 data into a fixed 64-byte buffer without validating that the decoded size wouldn't exceed the buffer capacity. When malformed or oversized base64 integrity strings were encountered in lockfiles, this caused an out-of-bounds write. ## Fix Added proper bounds checking in `src/install/integrity.zig`: - Validates expected digest length before decoding - Checks decoded size against buffer capacity using `calcSizeForSlice()` - Only decodes into appropriately sized buffer slice based on hash algorithm - Returns `unknown` tag for malformed data instead of panicking ## Test Plan - [x] Verified release binary crashes with malformed integrity data - [x] Verified debug build with fix handles malformed data gracefully - [x] Added comprehensive regression tests for all hash types (sha1, sha256, sha384, sha512) - [x] Confirmed normal lockfile parsing continues to work correctly - [x] Tests pass: `bun bd test test/regression/issue/integrity-base64-bounds-check.test.ts` ## Before/After **Before**: `panic: index out of bounds: index 64, len 64` **After**: Graceful handling with warning about malformed integrity data 🤖 Generated with [Claude Code](https://claude.ai/code) --------- Co-authored-by: Claude Bot <claude-bot@bun.sh> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
1.9 KiB
1.9 KiB