Fix panic when decoding CBOR nil to `*cbor.SimpleValue`

fxamacker / cbor

CBOR codec (RFC 8949) with CBOR tags, Go struct tags (toarray, keyasint, omitempty), float64/32/16, big.Int, and fuzz tested billions of execs.

MIT License

748 stars 61 forks source link

Closed fxamacker closed 11 months ago

fxamacker commented 11 months ago

Closes #460

Unmarshalling CBOR nil or CBOR undefined into a Go pointer should always set the pointer to nil.

This PR:

fixes panic when unmarshalling CBOR nil or CBOR undefined into *cbor.SimpleValue by setting the pointer to nil.
adds more tests for decoding to uninitialized and initialized pointer values.

Separately (not part of this PR), the fuzzer was updated to attempt unmarshaling directly to *cbor.SimpleValue.

fxamacker commented 11 months ago

@x448

Given this fixes a decoder panic, are you going to release v2.5.1 or v2.6.0 with this fix soon?

Probably v2.6.0 because they are new features merged and fuzzed already.

How long was this fix fuzz tested in case we want to use it in production before next release tag?

It's best to wait for release tag before deploying to production, but feel free to try using main branch anytime for tests, etc.

BTW, I have at least 1 more bugfix to merge before tagging.