mirror of
https://github.com/oven-sh/bun
synced 2026-02-17 22:32:06 +00:00
7a801fcf93
## Summary - Fix out-of-bounds read in the INI parser's `prepareStr` function when a multi-byte UTF-8 lead byte appears at the end of a value with insufficient continuation bytes - Fix undefined behavior when bare continuation bytes (0x80-0xBF) cause `utf8ByteSequenceLength` to return 0, hitting an `unreachable` branch (UB in ReleaseFast builds) - Add bounds checking before accessing `val[i+1]`, `val[i+2]`, `val[i+3]` in both escaped and non-escaped code paths The vulnerability could be triggered by a crafted `.npmrc` file containing truncated UTF-8 sequences. In release builds, this could cause OOB heap reads (potential info leak) or undefined behavior. ## Test plan - [x] Added 9 tests covering truncated 2/3/4-byte sequences, bare continuation bytes, and escaped contexts - [x] All 52 INI parser tests pass (`bun bd test test/js/bun/ini/ini.test.ts`) - [x] No regressions in npmrc tests (failures are pre-existing Verdaccio connectivity issues) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Bot <claude-bot@bun.sh> Co-authored-by: Claude <noreply@anthropic.com>