Commit Graph

1517 Commits

Author SHA1 Message Date
Eugene Kliuchnikov
b915d37a47 Merge branch 'master' into dependabot/github_actions/step-security/harden-runner-2.19.4 2026-06-01 15:05:27 +02:00
Copybara-Service
3907ece8db Merge pull request #1490 from google:eustas-patch-1
PiperOrigin-RevId: 924650836
2026-06-01 05:32:12 -07:00
Eugene Kliuchnikov
65d95f8aa1 Merge branch 'master' into eustas-patch-1 2026-06-01 14:28:00 +02:00
Evgenii Kliuchnikov
7941b467b2 Fix Bazel build
PiperOrigin-RevId: 924648497
2026-06-01 05:25:26 -07:00
dependabot[bot]
c2d0fd3ac9 Bump step-security/harden-runner from 2.17.0 to 2.19.4
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.17.0 to 2.19.4.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](f808768d15...9af89fc715)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-01 12:04:30 +00:00
Copybara-Service
174ac8058b Merge pull request #1486 from google:dependabot/github_actions/github/codeql-action-4.36.0
PiperOrigin-RevId: 924639598
2026-06-01 05:02:19 -07:00
Eugene Kliuchnikov
922fc3c504 Configure Dependabot to group updates
Add grouping for Dependabot updates to combine into a single PR.
2026-06-01 13:26:30 +02:00
dependabot[bot]
e35f83fc36 Bump github/codeql-action from 4.35.1 to 4.36.0
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.1 to 4.36.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](c10b8064de...7211b7c807)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-01 10:24:40 +00:00
Copybara-Service
aa150a1847 Merge pull request #1466 from google:dependabot/github_actions/actions/setup-node-6.4.0
PiperOrigin-RevId: 924598585
2026-06-01 03:22:21 -07:00
Eugene Kliuchnikov
31d450013d Merge branch 'master' into dependabot/github_actions/actions/setup-node-6.4.0 2026-06-01 12:17:58 +02:00
Evgenii Kliuchnikov
6312ee24ce revert API change
PiperOrigin-RevId: 915873630
2026-05-15 01:46:21 -07:00
Evgenii Kliuchnikov
73ba6a2322 make narrowing conversion explicit
PiperOrigin-RevId: 915286311
2026-05-14 01:09:52 -07:00
Evgenii Kliuchnikov
1736fe1d50 Clarify RAW dictionary size limits.
Make decoder addon (chunked dictionary) fields unsigned.
Add comments about expected value ranges.

PiperOrigin-RevId: 914736171
2026-05-13 02:22:01 -07:00
Brotli
af041f55e7 Automated Code Change
PiperOrigin-RevId: 910740603
2026-05-05 09:37:27 -07:00
Copybara-Service
db4dfda9e1 Merge pull request #1463 from parasol-aser:fix/copystat-toctou-1461
PiperOrigin-RevId: 909898919
2026-05-04 02:31:46 -07:00
parasol-aser
7d9d520712 Convert CopyStat regression tests to Python suite 2026-04-30 17:19:28 +00:00
parasol-aser
da05ef838c Fix CopyStat TOCTOU in brotli CLI by using fd-based syscalls
CloseFiles() previously called fclose(context->fout) before invoking
CopyStat() on the output pathname. CopyStat() then used path-based
chmod() and chown(), which gave an attacker with write access to the
output directory a window to replace the path with a symlink between
the close and the metadata syscalls, redirecting the chmod/chown to an
arbitrary target.

Close the race by doing the metadata copy while the output file is
still open and by switching to fd-based syscalls on fileno(fout):

- CopyStat() now takes FILE* fout and calls fchmod()/fchown() on the
  underlying fd.
- CopyTimeStat() uses futimens(fd, ...) in the HAVE_UTIMENSAT branch;
  the legacy utime() fallback is preserved for platforms without it.
- CloseFiles() invokes CopyStat() before fclose() and skips it when
  current_output_path is NULL (stdout), matching the issue's guidance.
- Windows no-op shims updated from chmod/chown to fchmod/fchown.

Adds deterministic regression coverage under tests/regression/t01/:
an LD_PRELOAD fclose() swap reproduces the pre-fix behavior, and a
negative-assertion wrapper confirms the attack no longer succeeds
after the patch. Additional scripts cover mode/timestamp propagation,
the -n (no-copy-stat) flag, stdin input, stdout output, mode mask, and
roundtrip correctness.

Refs google/brotli#1461
2026-04-30 17:19:28 +00:00
dependabot[bot]
81d3468a1a Bump actions/setup-node from 6.3.0 to 6.4.0
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](53b83947a5...48b55a011b)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-21 08:23:51 +00:00
Copybara-Service
ab685df834 Merge pull request #1458 from rbri:java_code_cleanup
PiperOrigin-RevId: 900612609
2026-04-16 02:49:59 -07:00
Ronald Brill
0b30317d4a use try-with-resources 2026-04-15 12:53:05 +02:00
Copybara-Service
737ae47a02 Merge pull request #1453 from 0xazanul:fix/cli-comment-verification-return
PiperOrigin-RevId: 900007299
2026-04-15 01:12:13 -07:00
Eugene Kliuchnikov
66e47ccf02 Merge branch 'master' into fix/cli-comment-verification-return 2026-04-14 14:54:37 +02:00
Copybara-Service
b3dc9ccd61 Merge pull request #1457 from google:dependabot/github_actions/actions/cache-5.0.5
PiperOrigin-RevId: 899533563
2026-04-14 05:46:06 -07:00
Eugene Kliuchnikov
ba70577a2b Merge branch 'master' into fix/cli-comment-verification-return 2026-04-14 14:28:26 +02:00
dependabot[bot]
fa0e46159b Bump actions/cache from 5.0.4 to 5.0.5 (#1457)
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](668228422a...27d5ce7f10)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-14 14:27:51 +02:00
Eugene Kliuchnikov
7783fe7ff3 Merge branch 'master' into dependabot/github_actions/actions/cache-5.0.5 2026-04-14 14:14:50 +02:00
dependabot[bot]
f9f3a8cbf9 Bump mymindstorm/setup-emsdk from 15 to 16 (#1456)
Bumps [mymindstorm/setup-emsdk](https://github.com/mymindstorm/setup-emsdk) from 15 to 16.
- [Release notes](https://github.com/mymindstorm/setup-emsdk/releases)
- [Commits](667eb33f24...4528d102f7)

---
updated-dependencies:
- dependency-name: mymindstorm/setup-emsdk
  dependency-version: '16'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-14 14:14:29 +02:00
dependabot[bot]
9b01217df4 Bump actions/cache from 5.0.4 to 5.0.5
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](668228422a...27d5ce7f10)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-14 11:07:10 +00:00
dependabot[bot]
092429c5d4 Bump step-security/harden-runner from 2.16.1 to 2.17.0 (#1455)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.16.1 to 2.17.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](fe10465874...f808768d15)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-14 13:06:07 +02:00
Copybara-Service
1dd49e190f Merge pull request #1444 from robinwatts:master
PiperOrigin-RevId: 899489367
2026-04-14 03:50:27 -07:00
dependabot[bot]
4236b85879 Bump actions/upload-artifact from 7.0.0 to 7.0.1 (#1454)
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](bbbca2ddaa...043fb46d1a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-14 12:07:36 +02:00
Eugene Kliuchnikov
789eaf2fa8 Merge branch 'master' into fix/cli-comment-verification-return 2026-04-13 10:47:50 +02:00
Eugene Kliuchnikov
b7d03391c9 Merge branch 'master' into master 2026-04-13 10:09:36 +02:00
Copybara-Service
37fd9c5c77 Merge pull request #1440 from google:dependabot/github_actions/github/codeql-action-4.35.1
PiperOrigin-RevId: 898835966
2026-04-13 01:08:57 -07:00
Eugene Kliuchnikov
b1e421fdc7 Merge branch 'master' into master 2026-04-13 10:08:41 +02:00
dependabot[bot]
0f75f74b24 Bump github/codeql-action from 4.31.7 to 4.35.1 (#1440)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.7 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](cf1bb45a27...c10b8064de)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-13 09:38:31 +02:00
Eugene Kliuchnikov
8744a23812 Merge branch 'master' into dependabot/github_actions/github/codeql-action-4.35.1 2026-04-13 09:38:18 +02:00
dependabot[bot]
4d7d0bd012 Bump github/codeql-action from 4.31.7 to 4.35.1
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.7 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](cf1bb45a27...c10b8064de)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-04-13 07:38:09 +00:00
dependabot[bot]
69ac87248e Bump actions/download-artifact from 6.0.0 to 8.0.1 (#1441)
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 6.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](018cc2cf5b...3e5f45b2cf)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-13 09:37:45 +02:00
dependabot[bot]
918ef4751b Bump actions/setup-python from 6.1.0 to 6.2.0 (#1442)
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](83679a892e...a309ff8b42)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-13 09:37:07 +02:00
dependabot[bot]
183bb3a810 Bump step-security/harden-runner from 2.16.0 to 2.16.1 (#1445)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.16.0 to 2.16.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](fa2e9d605c...fe10465874)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.16.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-13 09:35:05 +02:00
dependabot[bot]
0cd3d87874 Bump mymindstorm/setup-emsdk from 14 to 15 (#1446)
Bumps [mymindstorm/setup-emsdk](https://github.com/mymindstorm/setup-emsdk) from 14 to 15.
- [Release notes](https://github.com/mymindstorm/setup-emsdk/releases)
- [Commits](6ab9eb1bda...667eb33f24)

---
updated-dependencies:
- dependency-name: mymindstorm/setup-emsdk
  dependency-version: '15'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com>
2026-04-13 09:33:45 +02:00
Your Name
2868c3ac9b Return failure on comment mismatch in CLI decompression
The final comment verification check in DecompressFile() detects when
comment_state is not COMMENT_OK but unconditionally returns BROTLI_TRUE.
This causes the -C (comment verification) flag to accept streams with
missing or mismatched comments, keeping the output file and exiting 0.

Add the missing return BROTLI_FALSE inside the mismatch branch so that
comment verification failures are properly propagated to the caller.
2026-04-11 16:37:53 +05:30
Evgenii Kliuchnikov
bad6cb59b5 Make all BrotliOutputStream methods exclusive/blocking.
If access is naturally exclusive, then it is nearly zero-cost (1 atomic CAS)

PiperOrigin-RevId: 896977751
2026-04-09 02:28:14 -07:00
Evgenii Kliuchnikov
4792c8e4c4 Check that total compound dictionary size does not overflow.
Thanks to @0xazanul who reported the problem in #1438

PiperOrigin-RevId: 896638456
2026-04-08 12:24:31 -07:00
Evgenii Kliuchnikov
88b27d494d Fix partial javadocs
PiperOrigin-RevId: 896503460
2026-04-08 08:00:31 -07:00
Robin Watts
7c2def18f6 Fix compilation in ISO C enviroments; declare vars before code. 2026-04-03 19:04:09 +01:00
Copybara-Service
5583858f76 Merge pull request #1413 from leofernandesmo:fix-java-brotliinputstream-null-buffer
PiperOrigin-RevId: 889691589
2026-03-26 01:40:30 -07:00
Copybara-Service
a0f8a2c9ba Merge pull request #1382 from vanschelven:fix-python-docstring
PiperOrigin-RevId: 889690037
2026-03-26 01:36:35 -07:00
Copybara-Service
495f30f8fd Merge pull request #1414 from leofernandesmo:fix-java-brotliinputstream-illegalstateexception
PiperOrigin-RevId: 889681811
2026-03-26 01:12:38 -07:00