authorrobot-contrib <robot-contrib@yandex-team.com>2024-05-20 07:58:58 +0300
committerrobot-contrib <robot-contrib@yandex-team.com>2024-05-20 08:06:48 +0300
commit685fde8e2a4228200a88a5987a061329f7c59323 (patch)
tree8175b25d08a1c42a7d89d90478021a26954df5ba /contrib/restricted
parentbcd5bcc390793791d293d386b2ebefbe683fb4e1 (diff)
Update contrib/restricted/uriparser to 0.9.8
13a17d4e90a208dbf899efe8b92134d3ae98631d
Diffstat (limited to 'contrib/restricted')
-rw-r--r--contrib/restricted/uriparser/ChangeLog27
-rw-r--r--contrib/restricted/uriparser/README.md8
-rw-r--r--contrib/restricted/uriparser/UriConfig.h2
-rw-r--r--contrib/restricted/uriparser/include/uriparser/Uri.h32
-rw-r--r--contrib/restricted/uriparser/include/uriparser/UriBase.h2
-rw-r--r--contrib/restricted/uriparser/src/UriQuery.c16
-rw-r--r--contrib/restricted/uriparser/ya.make6
7 files changed, 73 insertions, 20 deletions
diff --git a/contrib/restricted/uriparser/ChangeLog b/contrib/restricted/uriparser/ChangeLog
index 7cf421bd31..8f19bbfc2b 100644
--- a/contrib/restricted/uriparser/ChangeLog
+++ b/contrib/restricted/uriparser/ChangeLog
@@ -2,6 +2,33 @@ NOTE: uriparser is looking for help with a few things:
https://github.com/uriparser/uriparser/labels/help%20wanted
If you can help, please get in touch. Thanks!
+2024-05-05 -- 0.9.8
+
+>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ * Fixed: [CVE-2024-34402]
+ Protect against integer overflow in ComposeQueryEngine
+ (GitHub #183, GitHub #185)
+ * Fixed: [CVE-2024-34403]
+ Protect against integer overflow in ComposeQueryMallocExMm
+ (GitHub #183, GitHub #186)
+>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+ * Changed: Require CMake >=3.5.0 (GitHub #172)
+ * Added: CMake option URIPARSER_SHARED_LIBS=(ON|OFF) to control,
+ whether to produce a shared or static library for uriparser
+ and that alone, falls back to standard BUILD_SHARED_LIBS
+ if available, else defaults to "ON" (GitHub #169, GitHub #170)
+ * Improved: Document that scheme-based normalization a la
+ section 6.2.3 of RFC 3986 is a responsibility of the application
+ using uriparser (GitHub #173, GitHub #174)
+ * Improved: Document supported code points for functions uriEscape(Ex)W
+ (GitHub #171, GitHub #175)
+ * Infrastructure: Update Clang from 15 to 18 (GitHub #161, GitHub #187)
+ * Infrastructure: Adapt to breaking changes in Clang packaging (GitHub #160)
+ * Infrastructure: Get sanitizer CFLAGS and LDFLAGS back in sync (GitHub #161)
+ * Infrastructure: Pin GitHub Actions to specific commits for security
+ (GitHub #165)
+ * Soname: 1:31:0 — see https://verbump.de/ for what these numbers do
+
2022-10-05 -- 0.9.7
* Fixed: Multiple issues with IPv6 and IPvFuture literal parsing
diff --git a/contrib/restricted/uriparser/README.md b/contrib/restricted/uriparser/README.md
index 2846e9d042..d399ca2f54 100644
--- a/contrib/restricted/uriparser/README.md
+++ b/contrib/restricted/uriparser/README.md
@@ -20,7 +20,7 @@ please check out [https://uriparser.github.io/](https://uriparser.github.io/).
# Example use from an existing CMake project
```cmake
-cmake_minimum_required(VERSION 3.3)
+cmake_minimum_required(VERSION 3.5.0)
project(hello VERSION 1.0.0)
@@ -49,9 +49,6 @@ target_link_libraries(hello PUBLIC uriparser::uriparser)
## Available CMake options (and defaults)
```console
# rm -f CMakeCache.txt ; cmake -LH . | grep -B1 ':.*=' | sed 's,--,,'
-// Build shared libraries (rather than static ones)
-BUILD_SHARED_LIBS:BOOL=ON
-
// Choose the type of build, options are: None Debug Release RelWithDebInfo MinSizeRel ...
CMAKE_BUILD_TYPE:STRING=
@@ -82,6 +79,9 @@ URIPARSER_ENABLE_INSTALL:BOOL=ON
// Use of specific runtime library (/MT /MTd /MD /MDd) with MSVC
URIPARSER_MSVC_RUNTIME:STRING=
+// Build shared libraries (rather than static ones)
+URIPARSER_SHARED_LIBS:BOOL=ON
+
// Treat all compiler warnings as errors
URIPARSER_WARNINGS_AS_ERRORS:BOOL=OFF
```
diff --git a/contrib/restricted/uriparser/UriConfig.h b/contrib/restricted/uriparser/UriConfig.h
index d1c07bab7c..2b67bd31ee 100644
--- a/contrib/restricted/uriparser/UriConfig.h
+++ b/contrib/restricted/uriparser/UriConfig.h
@@ -41,7 +41,7 @@
-#define PACKAGE_VERSION "0.9.7"
+#define PACKAGE_VERSION "0.9.8"
#define HAVE_WPRINTF
#define HAVE_REALLOCARRAY
diff --git a/contrib/restricted/uriparser/include/uriparser/Uri.h b/contrib/restricted/uriparser/include/uriparser/Uri.h
index d2c86103ec..b80ac6cab7 100644
--- a/contrib/restricted/uriparser/include/uriparser/Uri.h
+++ b/contrib/restricted/uriparser/include/uriparser/Uri.h
@@ -1,4 +1,4 @@
-/* 4bf720e0ca97527a28e4c30f1c35b36a0b5f2697265c5ddc81080eaab4344ef2 (0.9.7+)
+/* e8e2c75d033ddfe256fe87c3fd5a330a6f2c9cbb376ebd83a1b3263e804c766a (0.9.8+)
*
* uriparser - RFC 3986 URI parsing library
*
@@ -352,10 +352,19 @@ URI_PUBLIC int URI_FUNC(FreeUriMembersMm)(URI_TYPE(Uri) * uri,
/**
* Percent-encodes all unreserved characters from the input string and
* writes the encoded version to the output string.
- * Be sure to allocate <b>3 times</b> the space of the input buffer for
+ *
+ * NOTE: Be sure to allocate <b>3 times</b> the space of the input buffer for
* the output buffer for <c>normalizeBreaks == URI_FALSE</c> and <b>6 times</b>
* the space for <c>normalizeBreaks == URI_TRUE</c>
- * (since e.g. "\x0d" becomes "%0D%0A" in that case)
+ * (since e.g. "\x0d" becomes "%0D%0A" in that case).
+ *
+ * NOTE: The implementation treats (both <c>char</c> and) <c>wchar_t</c> units
+ * as code point integers, which works well for code points <c>U+0001</c> to <c>U+00ff</c>
+ * in host-native endianness but nothing more;
+ * in particular, using <c>uriEscapeExW</c> with arbitrary Unicode input will
+ * not produce healthy results.
+ * Passing UTF-8 input to <c>uriEscapeExA</c> may be useful in some scenarios.
+ * Keep in mind that uriparser is about %URI (RFC 3986) not %IRI (RFC 3987).
*
* @param inFirst <b>IN</b>: Pointer to first character of the input text
* @param inAfterLast <b>IN</b>: Pointer after the last character of the input text
@@ -377,10 +386,19 @@ URI_PUBLIC URI_CHAR * URI_FUNC(EscapeEx)(const URI_CHAR * inFirst,
/**
* Percent-encodes all unreserved characters from the input string and
* writes the encoded version to the output string.
- * Be sure to allocate <b>3 times</b> the space of the input buffer for
+ *
+ * NOTE: Be sure to allocate <b>3 times</b> the space of the input buffer for
* the output buffer for <c>normalizeBreaks == URI_FALSE</c> and <b>6 times</b>
* the space for <c>normalizeBreaks == URI_TRUE</c>
- * (since e.g. "\x0d" becomes "%0D%0A" in that case)
+ * (since e.g. "\x0d" becomes "%0D%0A" in that case).
+ *
+ * NOTE: The implementation treats (both <c>char</c> and) <c>wchar_t</c> units
+ * as code point integers, which works well for code points <c>U+0001</c> to <c>U+00ff</c>
+ * in host-native endianness but nothing more;
+ * in particular, using <c>uriEscapeW</c> with arbitrary Unicode input will
+ * not produce healthy results.
+ * Passing UTF-8 input to <c>uriEscapeA</c> may be useful in some scenarios.
+ * Keep in mind that uriparser is about %URI (RFC 3986) not %IRI (RFC 3987).
*
* @param in <b>IN</b>: Text source
* @param out <b>OUT</b>: Encoded text destination
@@ -608,6 +626,10 @@ URI_PUBLIC int URI_FUNC(ToStringCharsRequired)(const URI_TYPE(Uri) * uri,
* Converts a %URI structure back to text as described in
* <a href="http://tools.ietf.org/html/rfc3986#section-5.3">section 5.3 of RFC 3986</a>.
*
+ * NOTE: Scheme-based normalization
+ * (<a href="http://tools.ietf.org/html/rfc3986#section-6.2.3">section 6.2.3 of RFC 3986</a>)
+ * is not applied and is considered a responsibility of the application using uriparser.
+ *
* @param dest <b>OUT</b>: Output destination
* @param uri <b>IN</b>: %URI to convert
* @param maxChars <b>IN</b>: Maximum number of characters to copy <b>including</b> terminator
diff --git a/contrib/restricted/uriparser/include/uriparser/UriBase.h b/contrib/restricted/uriparser/include/uriparser/UriBase.h
index 76a746cb1f..8a130e3e37 100644
--- a/contrib/restricted/uriparser/include/uriparser/UriBase.h
+++ b/contrib/restricted/uriparser/include/uriparser/UriBase.h
@@ -55,7 +55,7 @@
/* Version */
#define URI_VER_MAJOR 0
#define URI_VER_MINOR 9
-#define URI_VER_RELEASE 7
+#define URI_VER_RELEASE 8
#define URI_VER_SUFFIX_ANSI ""
#define URI_VER_SUFFIX_UNICODE URI_ANSI_TO_UNICODE(URI_VER_SUFFIX_ANSI)
diff --git a/contrib/restricted/uriparser/src/UriQuery.c b/contrib/restricted/uriparser/src/UriQuery.c
index b2734bc2c8..bbc1548877 100644
--- a/contrib/restricted/uriparser/src/UriQuery.c
+++ b/contrib/restricted/uriparser/src/UriQuery.c
@@ -70,6 +70,7 @@
#include <limits.h>
+#include <stddef.h> /* size_t */
@@ -177,10 +178,13 @@ int URI_FUNC(ComposeQueryMallocExMm)(URI_CHAR ** dest,
if (res != URI_SUCCESS) {
return res;
}
+ if (charsRequired == INT_MAX) {
+ return URI_ERROR_MALLOC;
+ }
charsRequired++;
/* Allocate space */
- queryString = memory->malloc(memory, charsRequired * sizeof(URI_CHAR));
+ queryString = memory->calloc(memory, charsRequired, sizeof(URI_CHAR));
if (queryString == NULL) {
return URI_ERROR_MALLOC;
}
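Review bot: The new `charsRequired == INT_MAX` guard has no comment, and it reports a size limit as `URI_ERROR_MALLOC`, which a caller cannot tell apart from a real allocation failure. A one-line comment such as `/* charsRequired++ below would overflow a signed int */` would record why the test is there. `URI_ERROR_OUTPUT_TOO_LARGE`, which ComposeQueryEngine returns for the same class of condition in this file, looks like the more descriptive code, although changing it affects what callers observe. The guard only covers the increment, so it relies on the preceding size computation (outside this hunk) not having wrapped already. The move to `memory->calloc` also assumes every memory manager passed in provides a `calloc` member; the function body starts and ends outside the hunk, so check there that the manager is validated.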
@@ -218,16 +222,16 @@ int URI_FUNC(ComposeQueryEngine)(URI_CHAR * dest,
const URI_CHAR * const key = queryList->key;
const URI_CHAR * const value = queryList->value;
const int worstCase = (normalizeBreaks == URI_TRUE ? 6 : 3);
- const int keyLen = (key == NULL) ? 0 : (int)URI_STRLEN(key);
+ const size_t keyLen = (key == NULL) ? 0 : URI_STRLEN(key);
int keyRequiredChars;
- const int valueLen = (value == NULL) ? 0 : (int)URI_STRLEN(value);
+ const size_t valueLen = (value == NULL) ? 0 : URI_STRLEN(value);
int valueRequiredChars;
- if ((keyLen >= INT_MAX / worstCase) || (valueLen >= INT_MAX / worstCase)) {
+ if ((keyLen >= (size_t)INT_MAX / worstCase) || (valueLen >= (size_t)INT_MAX / worstCase)) {
return URI_ERROR_OUTPUT_TOO_LARGE;
}
- keyRequiredChars = worstCase * keyLen;
- valueRequiredChars = worstCase * valueLen;
+ keyRequiredChars = worstCase * (int)keyLen;
+ valueRequiredChars = worstCase * (int)valueLen;
if (dest == NULL) {
(*charsRequired) += ampersandLen + keyRequiredChars + ((value == NULL)
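Review bot: The per-item bound on `keyLen` and `valueLen` does not bound their sum: `keyRequiredChars` and `valueRequiredChars` can each come close to INT_MAX, so the `(*charsRequired) += ampersandLen + keyRequiredChars + ...` addition on the last visible line can still overflow if `*charsRequired` is a signed int, as the surrounding code suggests. The same applies to the running total across list items. Unless a check exists outside this hunk, a guard before the addition such as `if (keyRequiredChars > INT_MAX - ampersandLen - *charsRequired) return URI_ERROR_OUTPUT_TOO_LARGE;`, repeated for the value term, would close that gap. The statement and the rest of ComposeQueryEngine continue outside the hunk, so confirm this against the full function.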
diff --git a/contrib/restricted/uriparser/ya.make b/contrib/restricted/uriparser/ya.make
index d78a6d3145..f282121c00 100644
--- a/contrib/restricted/uriparser/ya.make
+++ b/contrib/restricted/uriparser/ya.make
@@ -1,4 +1,4 @@
-# Generated by devtools/yamaker from nixpkgs 22.05.
+# Generated by devtools/yamaker from nixpkgs 22.11.
LIBRARY()
@@ -6,9 +6,9 @@ LICENSE(BSD-3-Clause)
LICENSE_TEXTS(.yandex_meta/licenses.list.txt)
-VERSION(0.9.7)
+VERSION(0.9.8)
-ORIGINAL_SOURCE(https://github.com/uriparser/uriparser/archive/uriparser-0.9.7.tar.gz)
+ORIGINAL_SOURCE(https://github.com/uriparser/uriparser/archive/uriparser-0.9.8.tar.gz)
PEERDIR(
contrib/libs/libc_compat