Hi, Julian Andres Klode <jak@debian.org> (2023-11-02): > You are literally just fuzzing the tagfile parser with compressed > streams, there is no decompression going on. > > We don't talk to the the file-like object you pass to at all, we just > call it's fileno() method to get the underlying file descriptor, and > then apt's gzip support reads from that, and that works automagically > because zlib just passes through uncompressed content. OK. > If you want it to automatically guess the compressor, you can do that > by passing a filename with the right file extension. OK. I suppose people can easily get caught off guard since what we would expect to work… actually does work with gzip (which I now realize has some explicit support for that). I suppose it would make sense to have a documentation that's a little more explicit about that, esp. since the only example is an uncompressed dpkg status file, which is likely to lead other developers on the wrong track? By which I mean: - explicitly mentioning uncompressing is done transparently given a suitably-named input filename; - maybe switching the example to some Packages.xz file; - and explicitly warning against passing any file-like object… On the topic of wading through documentation, it would be nice if something could be done for the online version at: https://apt-team.pages.debian.net/python-apt/library/apt_pkg.html The CSS doesn't really help (screenshot attached). > But I think this is a different issue than the segfault because we > probably still should not be segfaulting on fuzzing with random > data like you do, we probably ought to error out at some point. Fair enough. Cheers, -- Cyril Brulebois (kibi@debian.org) <https://debamax.com/> D-I release manager -- Release team member -- Freelance Consultant
Attachment:
apt_pkg-vs-css-indexed.png
Description: PNG image
Attachment:
signature.asc
Description: PGP signature