Eugene Kliuchnikov
b915d37a47
Merge branch 'master' into dependabot/github_actions/step-security/harden-runner-2.19.4
2026-06-01 15:05:27 +02:00
Copybara-Service
3907ece8db
Merge pull request #1490 from google:eustas-patch-1
...
PiperOrigin-RevId: 924650836
2026-06-01 05:32:12 -07:00
Eugene Kliuchnikov
65d95f8aa1
Merge branch 'master' into eustas-patch-1
2026-06-01 14:28:00 +02:00
Evgenii Kliuchnikov
7941b467b2
Fix Bazel build
...
PiperOrigin-RevId: 924648497
2026-06-01 05:25:26 -07:00
dependabot[bot]
c2d0fd3ac9
Bump step-security/harden-runner from 2.17.0 to 2.19.4
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.17.0 to 2.19.4.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](f808768d15...9af89fc715 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.19.4
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-06-01 12:04:30 +00:00
Copybara-Service
174ac8058b
Merge pull request #1486 from google:dependabot/github_actions/github/codeql-action-4.36.0
...
PiperOrigin-RevId: 924639598
2026-06-01 05:02:19 -07:00
Eugene Kliuchnikov
922fc3c504
Configure Dependabot to group updates
...
Add grouping for Dependabot updates to combine into a single PR.
2026-06-01 13:26:30 +02:00
dependabot[bot]
e35f83fc36
Bump github/codeql-action from 4.35.1 to 4.36.0
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.35.1 to 4.36.0.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](c10b8064de...7211b7c807 )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.36.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-06-01 10:24:40 +00:00
Copybara-Service
aa150a1847
Merge pull request #1466 from google:dependabot/github_actions/actions/setup-node-6.4.0
...
PiperOrigin-RevId: 924598585
2026-06-01 03:22:21 -07:00
Eugene Kliuchnikov
31d450013d
Merge branch 'master' into dependabot/github_actions/actions/setup-node-6.4.0
2026-06-01 12:17:58 +02:00
Evgenii Kliuchnikov
6312ee24ce
revert API change
...
PiperOrigin-RevId: 915873630
2026-05-15 01:46:21 -07:00
Evgenii Kliuchnikov
73ba6a2322
make narrowing conversion explicit
...
PiperOrigin-RevId: 915286311
2026-05-14 01:09:52 -07:00
Evgenii Kliuchnikov
1736fe1d50
Clarify RAW dictionary size limits.
...
Make decoder addon (chunked dictionary) fields unsigned.
Add comments about expected value ranges.
PiperOrigin-RevId: 914736171
2026-05-13 02:22:01 -07:00
Brotli
af041f55e7
Automated Code Change
...
PiperOrigin-RevId: 910740603
2026-05-05 09:37:27 -07:00
Copybara-Service
db4dfda9e1
Merge pull request #1463 from parasol-aser:fix/copystat-toctou-1461
...
PiperOrigin-RevId: 909898919
2026-05-04 02:31:46 -07:00
parasol-aser
7d9d520712
Convert CopyStat regression tests to Python suite
2026-04-30 17:19:28 +00:00
parasol-aser
da05ef838c
Fix CopyStat TOCTOU in brotli CLI by using fd-based syscalls
...
CloseFiles() previously called fclose(context->fout) before invoking
CopyStat() on the output pathname. CopyStat() then used path-based
chmod() and chown(), which gave an attacker with write access to the
output directory a window to replace the path with a symlink between
the close and the metadata syscalls, redirecting the chmod/chown to an
arbitrary target.
Close the race by doing the metadata copy while the output file is
still open and by switching to fd-based syscalls on fileno(fout):
- CopyStat() now takes FILE* fout and calls fchmod()/fchown() on the
underlying fd.
- CopyTimeStat() uses futimens(fd, ...) in the HAVE_UTIMENSAT branch;
the legacy utime() fallback is preserved for platforms without it.
- CloseFiles() invokes CopyStat() before fclose() and skips it when
current_output_path is NULL (stdout), matching the issue's guidance.
- Windows no-op shims updated from chmod/chown to fchmod/fchown.
Adds deterministic regression coverage under tests/regression/t01/:
an LD_PRELOAD fclose() swap reproduces the pre-fix behavior, and a
negative-assertion wrapper confirms the attack no longer succeeds
after the patch. Additional scripts cover mode/timestamp propagation,
the -n (no-copy-stat) flag, stdin input, stdout output, mode mask, and
roundtrip correctness.
Refs google/brotli#1461
2026-04-30 17:19:28 +00:00
dependabot[bot]
81d3468a1a
Bump actions/setup-node from 6.3.0 to 6.4.0
...
Bumps [actions/setup-node](https://github.com/actions/setup-node ) from 6.3.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-node/releases )
- [Commits](53b83947a5...48b55a011b )
---
updated-dependencies:
- dependency-name: actions/setup-node
dependency-version: 6.4.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-21 08:23:51 +00:00
Copybara-Service
ab685df834
Merge pull request #1458 from rbri:java_code_cleanup
...
PiperOrigin-RevId: 900612609
2026-04-16 02:49:59 -07:00
Ronald Brill
0b30317d4a
use try-with-resources
2026-04-15 12:53:05 +02:00
Copybara-Service
737ae47a02
Merge pull request #1453 from 0xazanul:fix/cli-comment-verification-return
...
PiperOrigin-RevId: 900007299
2026-04-15 01:12:13 -07:00
Eugene Kliuchnikov
66e47ccf02
Merge branch 'master' into fix/cli-comment-verification-return
2026-04-14 14:54:37 +02:00
Copybara-Service
b3dc9ccd61
Merge pull request #1457 from google:dependabot/github_actions/actions/cache-5.0.5
...
PiperOrigin-RevId: 899533563
2026-04-14 05:46:06 -07:00
Eugene Kliuchnikov
ba70577a2b
Merge branch 'master' into fix/cli-comment-verification-return
2026-04-14 14:28:26 +02:00
dependabot[bot]
fa0e46159b
Bump actions/cache from 5.0.4 to 5.0.5 ( #1457 )
...
Bumps [actions/cache](https://github.com/actions/cache ) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](668228422a...27d5ce7f10 )
---
updated-dependencies:
- dependency-name: actions/cache
dependency-version: 5.0.5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-14 14:27:51 +02:00
Eugene Kliuchnikov
7783fe7ff3
Merge branch 'master' into dependabot/github_actions/actions/cache-5.0.5
2026-04-14 14:14:50 +02:00
dependabot[bot]
f9f3a8cbf9
Bump mymindstorm/setup-emsdk from 15 to 16 ( #1456 )
...
Bumps [mymindstorm/setup-emsdk](https://github.com/mymindstorm/setup-emsdk ) from 15 to 16.
- [Release notes](https://github.com/mymindstorm/setup-emsdk/releases )
- [Commits](667eb33f24...4528d102f7 )
---
updated-dependencies:
- dependency-name: mymindstorm/setup-emsdk
dependency-version: '16'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-14 14:14:29 +02:00
dependabot[bot]
9b01217df4
Bump actions/cache from 5.0.4 to 5.0.5
...
Bumps [actions/cache](https://github.com/actions/cache ) from 5.0.4 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases )
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md )
- [Commits](668228422a...27d5ce7f10 )
---
updated-dependencies:
- dependency-name: actions/cache
dependency-version: 5.0.5
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-14 11:07:10 +00:00
dependabot[bot]
092429c5d4
Bump step-security/harden-runner from 2.16.1 to 2.17.0 ( #1455 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.16.1 to 2.17.0.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](fe10465874...f808768d15 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.17.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-14 13:06:07 +02:00
Copybara-Service
1dd49e190f
Merge pull request #1444 from robinwatts:master
...
PiperOrigin-RevId: 899489367
2026-04-14 03:50:27 -07:00
dependabot[bot]
4236b85879
Bump actions/upload-artifact from 7.0.0 to 7.0.1 ( #1454 )
...
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact ) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases )
- [Commits](bbbca2ddaa...043fb46d1a )
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-version: 7.0.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-14 12:07:36 +02:00
Eugene Kliuchnikov
789eaf2fa8
Merge branch 'master' into fix/cli-comment-verification-return
2026-04-13 10:47:50 +02:00
Eugene Kliuchnikov
b7d03391c9
Merge branch 'master' into master
2026-04-13 10:09:36 +02:00
Copybara-Service
37fd9c5c77
Merge pull request #1440 from google:dependabot/github_actions/github/codeql-action-4.35.1
...
PiperOrigin-RevId: 898835966
2026-04-13 01:08:57 -07:00
Eugene Kliuchnikov
b1e421fdc7
Merge branch 'master' into master
2026-04-13 10:08:41 +02:00
dependabot[bot]
0f75f74b24
Bump github/codeql-action from 4.31.7 to 4.35.1 ( #1440 )
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.31.7 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](cf1bb45a27...c10b8064de )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.35.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-13 09:38:31 +02:00
Eugene Kliuchnikov
8744a23812
Merge branch 'master' into dependabot/github_actions/github/codeql-action-4.35.1
2026-04-13 09:38:18 +02:00
dependabot[bot]
4d7d0bd012
Bump github/codeql-action from 4.31.7 to 4.35.1
...
Bumps [github/codeql-action](https://github.com/github/codeql-action ) from 4.31.7 to 4.35.1.
- [Release notes](https://github.com/github/codeql-action/releases )
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md )
- [Commits](cf1bb45a27...c10b8064de )
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.35.1
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
2026-04-13 07:38:09 +00:00
dependabot[bot]
69ac87248e
Bump actions/download-artifact from 6.0.0 to 8.0.1 ( #1441 )
...
Bumps [actions/download-artifact](https://github.com/actions/download-artifact ) from 6.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases )
- [Commits](018cc2cf5b...3e5f45b2cf )
---
updated-dependencies:
- dependency-name: actions/download-artifact
dependency-version: 8.0.1
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-13 09:37:45 +02:00
dependabot[bot]
918ef4751b
Bump actions/setup-python from 6.1.0 to 6.2.0 ( #1442 )
...
Bumps [actions/setup-python](https://github.com/actions/setup-python ) from 6.1.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-python/releases )
- [Commits](83679a892e...a309ff8b42 )
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-version: 6.2.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-13 09:37:07 +02:00
dependabot[bot]
183bb3a810
Bump step-security/harden-runner from 2.16.0 to 2.16.1 ( #1445 )
...
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner ) from 2.16.0 to 2.16.1.
- [Release notes](https://github.com/step-security/harden-runner/releases )
- [Commits](fa2e9d605c...fe10465874 )
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.16.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-13 09:35:05 +02:00
dependabot[bot]
0cd3d87874
Bump mymindstorm/setup-emsdk from 14 to 15 ( #1446 )
...
Bumps [mymindstorm/setup-emsdk](https://github.com/mymindstorm/setup-emsdk ) from 14 to 15.
- [Release notes](https://github.com/mymindstorm/setup-emsdk/releases )
- [Commits](6ab9eb1bda...667eb33f24 )
---
updated-dependencies:
- dependency-name: mymindstorm/setup-emsdk
dependency-version: '15'
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eugene Kliuchnikov <eustas.ru@gmail.com >
2026-04-13 09:33:45 +02:00
Your Name
2868c3ac9b
Return failure on comment mismatch in CLI decompression
...
The final comment verification check in DecompressFile() detects when
comment_state is not COMMENT_OK but unconditionally returns BROTLI_TRUE.
This causes the -C (comment verification) flag to accept streams with
missing or mismatched comments, keeping the output file and exiting 0.
Add the missing return BROTLI_FALSE inside the mismatch branch so that
comment verification failures are properly propagated to the caller.
2026-04-11 16:37:53 +05:30
Evgenii Kliuchnikov
bad6cb59b5
Make all BrotliOutputStream methods exclusive/blocking.
...
If access is naturally exclusive, then it is nearly zero-cost (1 atomic CAS)
PiperOrigin-RevId: 896977751
2026-04-09 02:28:14 -07:00
Evgenii Kliuchnikov
4792c8e4c4
Check that total compound dictionary size does not overflow.
...
Thanks to @0xazanul who reported the problem in #1438
PiperOrigin-RevId: 896638456
2026-04-08 12:24:31 -07:00
Evgenii Kliuchnikov
88b27d494d
Fix partial javadocs
...
PiperOrigin-RevId: 896503460
2026-04-08 08:00:31 -07:00
Robin Watts
7c2def18f6
Fix compilation in ISO C enviroments; declare vars before code.
2026-04-03 19:04:09 +01:00
Copybara-Service
5583858f76
Merge pull request #1413 from leofernandesmo:fix-java-brotliinputstream-null-buffer
...
PiperOrigin-RevId: 889691589
2026-03-26 01:40:30 -07:00
Copybara-Service
a0f8a2c9ba
Merge pull request #1382 from vanschelven:fix-python-docstring
...
PiperOrigin-RevId: 889690037
2026-03-26 01:36:35 -07:00
Copybara-Service
495f30f8fd
Merge pull request #1414 from leofernandesmo:fix-java-brotliinputstream-illegalstateexception
...
PiperOrigin-RevId: 889681811
2026-03-26 01:12:38 -07:00