tag name | v2.0.10 (1a9a8754297fba74de7276bc0a6589491f8d89f3) |
tag date | 2020-06-28 14:43:48 +0300 |
tagged by | GitHub Actions <action@github.com> |
tagged object | commit 1356af61c5... |
- Release date: 2017-01-02
- SHA-256: ec27d4e74e9ce0f78066389a70724afd07f10761009322dc020656704ad5296d
This release fixes several security-relevant bugs in the MessagePack and CBOR parsers. The fixes are backwards compatible.
- :bug: Fixed a lot of **bugs in the CBOR and MesssagePack parsers**. These bugs occurred if invalid input was parsed and then could lead in buffer overflows. These bugs were found with Google's [OSS-Fuzz](https://github.com/google/oss-fuzz), see #405, #407, #408, #409, #411, and #412 for more information.
- :construction_worker: We now also use the **[Doozer](https://doozer.io) continuous integration platform**.
- :construction_worker: The complete test suite is now also run with **Clang's address sanitizer and undefined-behavior sanitizer**.
- :white_check_mark: Overworked **fuzz testing**; CBOR and MessagePack implementations are now fuzz-tested. Furthermore, all fuzz tests now include a round trip which ensures created output can again be properly parsed and yields the same JSON value.
- :memo: Clarified documentation of `find()` function to always return `end()` when called on non-object value types.
- :hammer: Moved thirdparty test code to `test/thirdparty` directory.