Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2217964/?format=api
{ "id": 2217964, "url": "http://patchwork.ozlabs.org/api/patches/2217964/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260331070914.459068-1-titouan.christophe@mind.be/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260331070914.459068-1-titouan.christophe@mind.be>", "list_archive_url": null, "date": "2026-03-31T07:09:14", "name": "[for,2025.02.x] package/rauc: add patch for CVE-2026-34155", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "0358c18e3d27c299b4976de2bcef4990e87c1dac", "submitter": { "id": 90763, "url": "http://patchwork.ozlabs.org/api/people/90763/?format=api", "name": "Titouan Christophe", "email": "titouan.christophe@mind.be" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260331070914.459068-1-titouan.christophe@mind.be/mbox/", "series": [ { "id": 498130, "url": "http://patchwork.ozlabs.org/api/series/498130/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=498130", "date": "2026-03-31T07:09:14", "name": "[for,2025.02.x] package/rauc: add patch for CVE-2026-34155", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/498130/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2217964/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2217964/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", "buildroot@buildroot.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=KxjWwhEF;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4flK4Q2k8Nz1xtJ\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Tue, 31 Mar 2026 18:09:42 +1100 (AEDT)", "from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 0356C8230B;\n\tTue, 31 Mar 2026 07:09:41 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id QMOUo3628mOL; Tue, 31 Mar 2026 07:09:40 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id E76AE8230C;\n\tTue, 31 Mar 2026 07:09:39 +0000 (UTC)", "from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n by lists1.osuosl.org (Postfix) with ESMTP id 79E2D2C5\n for <buildroot@buildroot.org>; Tue, 31 Mar 2026 07:09:38 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id 5FC418230C\n for <buildroot@buildroot.org>; Tue, 31 Mar 2026 07:09:38 +0000 (UTC)", "from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id B65ond3fqd_M for <buildroot@buildroot.org>;\n Tue, 31 Mar 2026 07:09:37 +0000 (UTC)", "from mail-wm1-x332.google.com (mail-wm1-x332.google.com\n [IPv6:2a00:1450:4864:20::332])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 8E0E78230B\n for <buildroot@buildroot.org>; Tue, 31 Mar 2026 07:09:36 +0000 (UTC)", "by mail-wm1-x332.google.com with SMTP id\n 5b1f17b1804b1-48700b1ba53so47922835e9.1\n for <buildroot@buildroot.org>; Tue, 31 Mar 2026 00:09:35 -0700 (PDT)", "from dragon (ptr-94-109-16-81.dyn.orange.be. [94.109.16.81])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-4887a648f3dsm17789635e9.0.2026.03.31.00.09.33\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 31 Mar 2026 00:09:33 -0700 (PDT)" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp1.osuosl.org E76AE8230C", "OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8E0E78230B" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1774940980;\n\tbh=NbAOJWvN3XiPjjT1SF5srf8SgEeXTa8r4jp1TC9Abaw=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=KxjWwhEFU/FNmZVbaplBb7ZeZ73X/ADOISyx37wvQlxT0TDgCLLubVw155UOhv1MU\n\t yF0SrZixXHgnojudrH1Bq+m0FwWDH4W+3BhbZRbwH3qoE24LNqR1iYYv4v71vhjXGn\n\t fr/0+85vATkHrkvckPhrQsLIOqSosDV+0H4/KwkHpbb6TXj5iMEyY8hKNaQIwgLrXA\n\t L1HbPJEyMug//ZRuJ8S0kE0VQe8CeBoCogpTZmnjgg3+Qh5kiEuwZhTSovdDCthmqh\n\t wOe+Zoa36lGa2RuHxoM33GeiwQ8G/3Kk8Id3CibK1qslw17RMsdKtTB3wtEp4EMNNs\n\t yJKUoohVKoxjw==", "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::332; helo=mail-wm1-x332.google.com;\n envelope-from=titouan.christophe@essensium.com; receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp1.osuosl.org 8E0E78230B", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1774940974; x=1775545774;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=3mKKFRczhcUV7sZwUWnOUMEkpWRBBp1iKwpPfxrMq7g=;\n b=qIZQ3bib+ohTaho5Do8EwB7b6F34LSmtyOcW0foaAR7be6sVVsBeGJVS3zUoN2Iz5M\n NxxcIxtnUz2fnQx4gdrxazALo7wpuEuMHQNQcbQuprCm+U18P1BrcfW57IoirieHlfiT\n 17gW6J+8jmwAzW29X/IiKq/SfjCihBLkVJvGOPdHTGaw04NE3+R18DbbFhdfBKipkbJw\n 72V6pD8KdLayzc5wYnCcX4qC96u3R/F+oBh6Ddgmt/VpKy1nUzSL+SqS9yefvvl2rbxR\n 0gQ3X/yB62J/UAHTti/mDG/cS0V2V3br3JiT9I86VT0gd6/AjPp4XT0WmKii+6OBIZdl\n 1nPg==", "X-Gm-Message-State": "AOJu0Ywi46GRZghbgUMbvnp3X7nYyrAsWOoWW02pLioFJYuBc3IVdC/x\n Oeb8M5lGjE/3ATgrbnWGoisMWglKs8Ry42AUalY7tFlYkFuAtktKnOFX/yWYPcenVLwlSHQxbF1\n iHzaA", "X-Gm-Gg": "ATEYQzwGp0KqTzrvBQOd0I/FnorVqWdJQ3J5rY3k4552RU3CIQZJe4No8aoLIxkOWez\n +lA2bSYm5OyyOm1PllTj/HudFfXKSRCwj74a9wNp64IUu2jxh9BywnYG75NuVflcG51f84Lvm/V\n Z/U8lRrMbspl1zZ2G5rThcI7mVPpZIGNiKj/+pse2rF5a/KYVQd1h0TifGiBnsqKffoDFvHMsqy\n NocIjYZ6ORJzjWO4KZgi8un7ANbXdrODOtdw4RM1XKOvbN4C/kc9LD93OigPIOp4Q1LTe08q/8D\n jFFB3aGP/xF8gF/EdJx0AUFlt3R4dmwPnOHy1i9fjmObTsEYXkXzxXEFLBbLZVT0cajj0LH4lqD\n +HLwE/k6RNgrc+jeK2hP67LCIIjbK7VjVeYVLpXbsZrA7sDsE2UJxyYBal4lfaE7cFqNgktEFTX\n vDYV1kbtYyXXSs8jy9dMQbqzHUW1G9ClSA/2JV6FJJXQsP4vv7XegcXa8=", "X-Received": "by 2002:a05:600d:e:b0:485:5812:bb9e with SMTP id\n 5b1f17b1804b1-48727d31801mr224676675e9.0.1774940973814;\n Tue, 31 Mar 2026 00:09:33 -0700 (PDT)", "To": "buildroot@buildroot.org", "Cc": "Andrey Yurovsky <yurovsky@gmail.com>,\n Heiko Thiery <heiko.thiery@gmail.com>, thomas.perale@mind.be", "Date": "Tue, 31 Mar 2026 09:09:14 +0200", "Message-ID": "<20260331070914.459068-1-titouan.christophe@mind.be>", "X-Mailer": "git-send-email 2.53.0", "MIME-Version": "1.0", "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1774940974; x=1775545774; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=3mKKFRczhcUV7sZwUWnOUMEkpWRBBp1iKwpPfxrMq7g=;\n b=XM7xe+yhOgluJES2zWxoDVJMX3SEsHG29K863ZZucBTRnYyNEAG65BgpD2wA4Ml/TR\n SVVVaWNUID+BcAsHF9quiHboOpLHnM5HNEH8eLlda/Iwd3Zk0iC4UYcW1rZhw82iOgus\n ClGCM4y04rwcL3md2N8bfF4c7ZGGEigCtuHwjCVRm/MRVzLWX/KYTEHAiCkc9BAaz/ag\n dHTTB/cbIy9J5qDGD1zm5GOOPbXxP4NtCwaRjsrLDoGWEvFKvFiwavhomyk2skE1FrlW\n WF3yL0voHYCXF5CNkl8zG+8C8dHGqHW3oPUPA0hkE97nJaxY2F+ylIbMqW6UExyIVp3Q\n egsg==", "X-Mailman-Original-Authentication-Results": [ "smtp1.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be", "smtp1.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=mind.be header.i=@mind.be header.a=rsa-sha256\n header.s=google header.b=XM7xe+yh" ], "Subject": "[Buildroot] [PATCH for 2025.02.x] package/rauc: add patch for\n CVE-2026-34155", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "From": "Titouan Christophe via buildroot <buildroot@buildroot.org>", "Reply-To": "Titouan Christophe <titouan.christophe@mind.be>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>" }, "content": "This fixes the following vulnerability:\n\n RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB\n cause an integer overflow which results in a signature which covers only\n the first few bytes of the payload. Given such a bundle with a legitimate\n signature, an attacker can modify the part of the payload which is not\n covered by the signature. Bundles using the recommended 'verity' or\n 'crypt' formats are not affected. They are supported from v1.5\n (released 2020-12-14) and v1.7 (released 2022-06-03) respectively.\n If all signed and published bundles were smaller than 2GiB,\n the vulnerability cannot be exploited.\n https://github.com/rauc/rauc/security/advisories/GHSA-6hj7-q844-m2hx\n\nSigned-off-by: Titouan Christophe <titouan.christophe@mind.be>\n---\n package/rauc/0001-fix-cve-2026-34155.patch | 219 +++++++++++++++++++++\n 1 file changed, 219 insertions(+)\n create mode 100644 package/rauc/0001-fix-cve-2026-34155.patch", "diff": "diff --git a/package/rauc/0001-fix-cve-2026-34155.patch b/package/rauc/0001-fix-cve-2026-34155.patch\nnew file mode 100644\nindex 0000000000..dccb6f0d4c\n--- /dev/null\n+++ b/package/rauc/0001-fix-cve-2026-34155.patch\n@@ -0,0 +1,219 @@\n+From f482e9f2ce34697844332db531b4b8be1e4b6043 Mon Sep 17 00:00:00 2001\n+From: Titouan Christophe <titouan.christophe@mind.be>\n+Date: Tue, 31 Mar 2026 08:49:13 +0200\n+Subject: [PATCH] Fix CVE-2026-34155\n+\n+This is the concatenation of the 2 upstream commits that make the actual\n+change between rauc v1.15.1 and 1.15.2; rebased on top of rauc v1.13\n+\n+===============================================================================\n+[1/2] src/signature: protect against integer overflows with BIO_new_mem_buf()\n+\n+BIO_new_mem_buf()'s len argument is of type int, so it cannot support\n+lengths exceeding 2 GiB. Reject larger lengths and additionally check\n+that we have created the BIO correctly.\n+\n+These are only internal checks, GError handling will be added in a later\n+commit.\n+\n+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>\n+\n+Upstream: https://github.com/rauc/rauc/commit/bbdf9f04a96a7094e11cfa822d695bc7f33dbf61\n+===============================================================================\n+[2/2] src/signature: reject plain bundles with payload exceeding 2 GiB\n+\n+Due to BIO_new_mem_buf() only supporting buffers of up to 2 GiB, we\n+cannot sign or verify bundles with a payload larger than that.\n+\n+This fixes an integer overflow which would lead to calling\n+BIO_new_mem_buf() with a negative len, which will cause it to use\n+strlen() to to determine the buffer size automatically. As a result,\n+the buffer is truncated at the first '\\0' byte in the SquashFS header.\n+The first 4 bytes are a fixed magic number (\"hsqs\"), and since a '\\0'\n+byte appears within the inode count field at bytes 5-8 in most SquashFS\n+images, the resulting signature will only cover this part of the\n+SquashFS header.\n+\n+As we sign or verify the payload directly via OpenSSL only for the\n+'plain' format, the 'verity' and 'crypt' formats are not affected.\n+\n+Fix this by checking the content size before calling cms_sign_file() or\n+cms_verify_bytes(), which call BIO_new_mem_buf() via bytes_as_bio().\n+\n+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>\n+\n+Upstream: https://github.com/rauc/rauc/commit/662a212fc16b736bfed163ebb7349a53881803cd\n+===============================================================================\n+\n+CVE: CVE-2026-34155\n+\n+Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n+---\n+ src/signature.c | 32 ++++++++++++++++++++++++++++++++\n+ test/signature.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++\n+ 2 files changed, 78 insertions(+)\n+\n+diff --git a/src/signature.c b/src/signature.c\n+index 88f6e790..ca06bfa6 100644\n+--- a/src/signature.c\n++++ b/src/signature.c\n+@@ -414,11 +414,19 @@ static BIO *bytes_as_bio(GBytes *bytes)\n+ \t\tg_error(\"bytes_as_bio: no data\");\n+ \tif (size == 0)\n+ \t\tg_error(\"bytes_as_bio: size is zero\");\n++\tif (size > INT_MAX)\n++\t\tg_error(\"bytes_as_bio: size is too large for BIO_new_mem_buf\");\n+ \n+ \tbio = BIO_new_mem_buf(data, size);\n+ \tif (!bio)\n+ \t\tg_error(\"bytes_as_bio: BIO_new_mem_buf() failed\");\n+ \n++\t/* ensure that we've passed the data correctly */\n++\tconst BUF_MEM *bio_mem_buf = NULL;\n++\tBIO_get_mem_ptr(bio, &bio_mem_buf);\n++\tg_assert(bio_mem_buf->data == data);\n++\tg_assert(bio_mem_buf->length == size);\n++\n+ \treturn bio;\n+ }\n+ \n+@@ -1420,6 +1428,7 @@ GBytes *cms_sign_file(const gchar *filename, const gchar *certfile, const gchar\n+ \tGError *ierror = NULL;\n+ \tg_autoptr(GMappedFile) file = NULL;\n+ \tg_autoptr(GBytes) content = NULL;\n++\tgsize content_size = 0;\n+ \tGBytes *sig = NULL;\n+ \n+ \tg_return_val_if_fail(filename != NULL, FALSE);\n+@@ -1434,6 +1443,17 @@ GBytes *cms_sign_file(const gchar *filename, const gchar *certfile, const gchar\n+ \t}\n+ \tcontent = g_mapped_file_get_bytes(file);\n+ \n++\tG_STATIC_ASSERT(INT_MAX >= INT32_MAX);\n++\tcontent_size = g_bytes_get_size(content);\n++\tif (content_size > INT32_MAX) {\n++\t\tg_set_error(\n++\t\t\t\terror,\n++\t\t\t\tR_SIGNATURE_ERROR,\n++\t\t\t\tR_SIGNATURE_ERROR_LOAD_FAILED,\n++\t\t\t\t\"Bundle payload size %\"G_GSIZE_FORMAT \" exceeds maximum for bundles using plain format (2 GiB)\", content_size);\n++\t\tgoto out;\n++\t}\n++\n+ \tsig = cms_sign(content, TRUE, certfile, keyfile, interfiles, &ierror);\n+ \tif (sig == NULL) {\n+ \t\tg_propagate_error(error, ierror);\n+@@ -1479,6 +1499,7 @@ gboolean cms_verify_fd(gint fd, GBytes *sig, goffset limit, X509_STORE *store, C\n+ \tGError *ierror = NULL;\n+ \tg_autoptr(GMappedFile) file = NULL;\n+ \tg_autoptr(GBytes) content = NULL;\n++\tgsize content_size = 0;\n+ \tgboolean res = FALSE;\n+ \n+ \tg_return_val_if_fail(fd >= 0, FALSE);\n+@@ -1515,6 +1536,17 @@ gboolean cms_verify_fd(gint fd, GBytes *sig, goffset limit, X509_STORE *store, C\n+ \t\tcontent = tmp;\n+ \t}\n+ \n++\tG_STATIC_ASSERT(INT_MAX >= INT32_MAX);\n++\tcontent_size = g_bytes_get_size(content);\n++\tif (content_size > INT32_MAX) {\n++\t\tg_set_error(\n++\t\t\t\terror,\n++\t\t\t\tR_SIGNATURE_ERROR,\n++\t\t\t\tR_SIGNATURE_ERROR_LOAD_FAILED,\n++\t\t\t\t\"Bundle payload size %\"G_GSIZE_FORMAT \" exceeds maximum for bundles using plain format (2 GiB)\", content_size);\n++\t\tgoto out;\n++\t}\n++\n+ \tres = cms_verify_bytes(content, sig, store, cms, NULL, &ierror);\n+ \tif (!res) {\n+ \t\tg_propagate_error(error, ierror);\n+diff --git a/test/signature.c b/test/signature.c\n+index 7fc9a4f3..7a16c1b1 100644\n+--- a/test/signature.c\n++++ b/test/signature.c\n+@@ -10,6 +10,7 @@\n+ #include \"common.h\"\n+ \n+ typedef struct {\n++\tgchar *tmpdir;\n+ \tGBytes *content;\n+ \tGBytes *sig;\n+ \tGError *error;\n+@@ -23,6 +24,8 @@ static void signature_set_up(SignatureFixture *fixture,\n+ {\n+ \tr_context_conf();\n+ \n++\tfixture->tmpdir = g_dir_make_tmp(\"rauc-XXXXXX\", NULL);\n++\tg_assert_nonnull(fixture->tmpdir);\n+ \tfixture->content = read_file(\"test/openssl-ca/manifest\", NULL);\n+ \tg_assert_nonnull(fixture->content);\n+ \tfixture->sig = NULL;\n+@@ -39,6 +42,10 @@ static void signature_set_up(SignatureFixture *fixture,\n+ static void signature_tear_down(SignatureFixture *fixture,\n+ \t\tgconstpointer user_data)\n+ {\n++\tif (fixture->tmpdir)\n++\t\tg_assert_true(rm_tree(fixture->tmpdir, NULL));\n++\n++\tg_free(fixture->tmpdir);\n+ \tg_bytes_unref(fixture->content);\n+ \tg_bytes_unref(fixture->sig);\n+ \tg_clear_error(&fixture->error);\n+@@ -275,6 +282,44 @@ static void signature_verify_file(SignatureFixture *fixture,\n+ \tg_clear_error(&fixture->error);\n+ }\n+ \n++static void signature_too_large(SignatureFixture *fixture,\n++\t\tgconstpointer user_data)\n++{\n++\tgboolean res = FALSE;\n++\n++\tg_autofree gchar *payloadname = write_random_file(fixture->tmpdir, \"payload\", 1024, 1234);\n++\tg_assert_nonnull(payloadname);\n++\tfixture->sig = read_file(\"test/openssl-ca/manifest-r1.sig\", NULL);\n++\tg_assert_nonnull(fixture->sig);\n++\n++\tgoffset large_size = (goffset)INT32_MAX+1;\n++\n++\tg_assert_cmpint(truncate(payloadname, large_size), ==, 0);\n++\tg_autoptr(GBytes) sig = cms_sign_file(payloadname,\n++\t\t\t\"test/openssl-ca/rel/release-1.cert.pem\",\n++\t\t\t\"test/openssl-ca/rel/private/release-1.pem\",\n++\t\t\tNULL,\n++\t\t\t&fixture->error);\n++\tg_assert_null(sig);\n++\tg_assert_error(fixture->error, R_SIGNATURE_ERROR, R_SIGNATURE_ERROR_LOAD_FAILED);\n++\tg_clear_error(&fixture->error);\n++\n++\tg_assert_cmpint(truncate(payloadname, large_size + 1024), ==, 0);\n++\tgint fd = g_open(payloadname, O_RDONLY|O_CLOEXEC, 0);\n++\tg_assert_cmpint(fd, >=, 0);\n++\tres = cms_verify_fd(fd,\n++\t\t\tfixture->sig,\n++\t\t\tlarge_size,\n++\t\t\tfixture->store,\n++\t\t\t&fixture->cms,\n++\t\t\t&fixture->error);\n++\tg_assert_false(res);\n++\tg_assert_error(fixture->error, R_SIGNATURE_ERROR, R_SIGNATURE_ERROR_LOAD_FAILED);\n++\tg_assert_null(fixture->cms);\n++\tg_clear_error(&fixture->error);\n++\tg_close(fd, NULL);\n++}\n++\n+ static void signature_loopback_detached(SignatureFixture *fixture,\n+ \t\tgconstpointer user_data)\n+ {\n+@@ -828,6 +873,7 @@ int main(int argc, char *argv[])\n+ \tg_test_add(\"/signature/verify_valid\", SignatureFixture, NULL, signature_set_up, signature_verify_valid, signature_tear_down);\n+ \tg_test_add(\"/signature/verify_invalid\", SignatureFixture, NULL, signature_set_up, signature_verify_invalid, signature_tear_down);\n+ \tg_test_add(\"/signature/verify_file\", SignatureFixture, NULL, signature_set_up, signature_verify_file, signature_tear_down);\n++\tg_test_add(\"/signature/too_large\", SignatureFixture, NULL, signature_set_up, signature_too_large, signature_tear_down);\n+ \tg_test_add(\"/signature/loopback_detached\", SignatureFixture, NULL, signature_set_up, signature_loopback_detached, signature_tear_down);\n+ \tg_test_add(\"/signature/loopback_inline\", SignatureFixture, NULL, signature_set_up, signature_loopback_inline, signature_tear_down);\n+ \tg_test_add(\"/signature/get_cert_chain\", SignatureFixture, NULL, signature_set_up, signature_get_cert_chain, signature_tear_down);\n+-- \n+2.53.0\n+\n", "prefixes": [ "for", "2025.02.x" ] }