packagesuppliers/filesystem.d: Fix out of bounds on invalid pkg names #2957

Merged
merged 1 commit into from
Sep 23, 2024


the-horo
Contributor

If a user ran `dub fetch foo-1.1.1` instead of `dub fetch foo@1.1.1` over a filesystem package supplier, assuming that the archive exists, the code that slices the filename tries to create an invalid slice as it assumes that the filename will contain at least the package name, a one character version separator, and the archive suffix which wouldn't be the case with a package name like `foo-1.1.1` and an archive name of `foo-1.1.1.zip`.

The fix is to require one more character in the glob to account for the version separator.

For context, this is the error I get:

```
$ ../bin/dub --skip-registry=all --registry=file:///var/cache/distfiles fetch test_allocator-0.3.4 --cache=local

core.exception.ArraySliceError@../source/dub/packagesuppliers/filesystem.d(34): slice [21 .. 20] has a larger lower index than upper index
----------------
??:? onArraySliceError [0x7f3ee2c1397e]
??:? _d_arraybounds_slicep [0x7f3ee2c13f72]
../source/dub/packagesuppliers/filesystem.d:34 dub.dependency.Version[] dub.packagesuppliers.filesystem.FileSystemPackageSupplier.getVersions(in ref dub.dependency.PackageName) [0x561890c9b6cf]
../source/dub/packagesuppliers/filesystem.d:95 dub.internal.vibecompat.inet.path.NativePath dub.packagesuppliers.filesystem.FileSystemPackageSupplier.bestPackageFile(in ref dub.dependency.PackageName, in ref dub.dependency.VersionRange, bool) [0x561890c9be7b]
../source/dub/packagesuppliers/filesystem.d:67 dub.internal.vibecompat.data.json.Json dub.packagesuppliers.filesystem.FileSystemPackageSupplier.fetchPackageRecipe(in ref dub.dependency.PackageName, in ref dub.dependency.VersionRange, bool) [0x561890c9bafc]
../source/dub/dub.d:982 dub.package_.Package dub.dub.Dub.fetch(in ref dub.dependency.PackageName, in ref dub.dependency.VersionRange, dub.dub.FetchOptions, dub.packagemanager.PlacementLocation, immutable(char)[]) [0x561890a7fc91]
../source/dub/dub.d:971 dub.package_.Package dub.dub.Dub.fetch(in ref dub.dependency.PackageName, in ref dub.dependency.VersionRange, dub.dub.FetchOptions, immutable(char)[]) [0x561890a7fbac]
../source/dub/commandline.d:2277 dub.commandline.FetchCommand.FetchStatus dub.commandline.FetchCommand.fetchSinglePackage(dub.dub.Dub, dub.commandline.UserPackageDesc) [0x561890878da4]
../source/dub/commandline.d:2241 void dub.commandline.FetchCommand.fetchPackage(dub.dub.Dub, dub.commandline.UserPackageDesc) [0x561890878a99]
../source/dub/commandline.d:2227 int dub.commandline.FetchCommand.execute(dub.dub.Dub, immutable(char)[][], immutable(char)[][]) [0x561890878919]
../source/dub/commandline.d:535 int dub.commandline.runDubCommandLine(immutable(char)[][]) [0x56189086f8e5]
../source/app.d:39 _Dmain [0x56189084a1c7]
```

If a user ran `dub fetch foo-1.1.1` instead of `dub fetch foo@1.1.1`
over a filesystem package supplier, assuming that the archive exists,
the code that slices the filename tries to create an invalid slice as
it assumes that the filename will contain at least the package name, a
one character version separator, and the archive suffix which wouldn't
be the case with a package name like `foo-1.1.1` and an archive name
of `foo-1.1.1.zip`.

The fix is to require one more character in the glob to account for
the version separator.

Signed-off-by: Andrei Horodniceanu <[email protected]>
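
The slice arithmetic from the description above, as an added example that is not dub's own source. `versionsFor`, the `requireSeparator` switch and the file list are hypothetical, and the two glob strings (`*` before the fix, `?*` after) are an assumption based on "require one more character in the glob"; the explicit bounds check stands in for the `ArraySliceError` so both cases can be printed side by side.

```d
// Added example, not dub's source. Names and sample data are hypothetical;
// the index arithmetic follows the PR description and the reported error.
import std.path : globMatch;
import std.stdio : writefln;

enum suffix = ".zip";

/// Extracts version strings from archive names of the form "<name><sep><version>.zip".
/// `requireSeparator` selects the stricter glob ("?*") over the permissive one ("*").
string[] versionsFor(string name, string[] files, bool requireSeparator)
{
    string glob = name ~ (requireSeparator ? "?*" : "*") ~ suffix;
    string[] found;
    foreach (string file; files)
    {
        if (!globMatch(file, glob))
            continue;
        // Lower bound skips the name plus one separator character,
        // upper bound drops ".zip". If file == name ~ ".zip" slips through
        // the glob, lower ends up one past upper.
        const size_t lower = name.length + 1;
        const size_t upper = file.length - suffix.length;
        if (lower > upper)
        {
            writefln("  %s: slice [%s .. %s] would throw ArraySliceError",
                     file, lower, upper);
            continue;
        }
        found ~= file[lower .. upper];
    }
    return found;
}

void main()
{
    // Constructed directory listing for the file:// supplier.
    string[] files = ["test_allocator-0.3.4.zip", "test_allocator-0.3.3.zip",
                      "other-1.0.0.zip"];
    foreach (fixed; [false, true])
    {
        writefln("glob requires a separator character: %s", fixed);
        writefln("  test_allocator       -> %s",
                 versionsFor("test_allocator", files, fixed));
        writefln("  test_allocator-0.3.4 -> %s",
                 versionsFor("test_allocator-0.3.4", files, fixed));
    }
}
```

With the permissive glob, the mistyped name `test_allocator-0.3.4` matches its own archive and produces the same `[21 .. 20]` bounds as the reported error; with the stricter glob that file no longer matches, so the slice is never attempted.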

github-actions bot commented Aug 11, 2024

✅ PR OK, no changes in deprecations or warnings

Total deprecations: 8

Total warnings: 0

Build statistics:

 statistics (-before,  after)
 executable size=5293368 bin/dub
 rough build time=61s

Geod24 merged commit d78df16 into dlang:master Sep 23, 2024
30 of 31 checks passed