Open setharnold opened 7 years ago
If you're trying to make an xdelta package, are you also going to distribute it as a library? Several interpreter binding projects exist and have to build it in some fashion already.
This for Python, a Rust crate, etc.
I actually really wish the Python binding could be a pure Python port. It's the only reason my CLI utility doesn't install on Windows pypi/pip3. According to the author it's really hard to build native libraries python bindings so they work on all distros (they have a hack with an ancient version of CentOS on a container building against an old clib or something) and the maintainer also doesn't want to build for Windows.
This was also my experience with rar. It was much much easier to use the outdated java port and have it work on all platforms than use upstream sadly.
Hello, I gave xdelta3 a very quick look as part of the Ubuntu main inclusion process: https://bugs.launchpad.net/ubuntu/+source/xdelta3/+bug/1647222
I found several instances of integers being multiplied together without any obvious bounds checking to ensure that integer overflows aren't triggered:
Do any of these functions operate on data that may not be completely trusted?
The calloc(3) function properly handles multiplication overflow; switching to it would be a good idea.

Thanks
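An added example (not code from xdelta3 or from this thread) of the pattern the report describes: a count * size product that wraps before it reaches the allocator, next to a checked multiply and the calloc(3) form. The function names and the sample count are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count that malloc(count * elem_size) actually receives.
 * size_t arithmetic wraps silently modulo SIZE_MAX + 1. */
static size_t unchecked_request(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Store count * elem_size in *out and return 1 if it fits in size_t,
 * otherwise return 0 and leave *out untouched. */
static int mul_size_checked(size_t count, size_t elem_size, size_t *out)
{
    if (count != 0 && elem_size > SIZE_MAX / count)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* malloc-based array allocation that refuses a wrapping product. */
static void *alloc_array_checked(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!mul_size_checked(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

/* calloc(3) takes the two factors separately, so the C library
 * performs the overflow check, as the report notes. */
static void *alloc_array_calloc(size_t count, size_t elem_size)
{
    return calloc(count, elem_size);
}

int main(void)
{
    /* Constructed input: a count such as an untrusted header might carry. */
    size_t count = SIZE_MAX / 4 + 2, elem_size = 4;
    void *a = alloc_array_checked(count, elem_size);
    void *b = alloc_array_calloc(count, elem_size);

    printf("unchecked request: %zu bytes\n", unchecked_request(count, elem_size));
    printf("checked malloc: %s\n", a ? "allocated" : "refused");
    printf("calloc: %s\n", b ? "allocated" : "refused");
    free(a);
    free(b);
    return 0;
}
```

With the unchecked form the allocator is asked for only a few bytes while the caller still believes it has room for `count` elements, which is why each multiplication feeding an allocation needs a bound or a checked helper.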