From 53fdaabf4379d7d192f967504ccb88cc0bfa8e33 Mon Sep 17 00:00:00 2001
From: Aleksandr Dovydenkov
Date: Mon, 15 Jun 2026 13:34:12 +0300
Subject: [PATCH 1/3] Fix signed type extension_offset check in key_from_id()

Change type of `extension_offset` from `size_t` to `ssize_t` to properly handle `-1` initial value. This ensures `extension_offset >= 0` accurately reflects whether a file extension was found, avoiding buffer overflow risk.
---
 src/mono/mono/metadata/bundled-resources.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mono/mono/metadata/bundled-resources.c b/src/mono/mono/metadata/bundled-resources.c
index bdc32e795fb035..bf8d96d8c65d19 100644
--- a/src/mono/mono/metadata/bundled-resources.c
+++ b/src/mono/mono/metadata/bundled-resources.c
@@ -79,7 +79,7 @@ static char *
 key_from_id (const char *id, char *buffer, guint buffer_len)
 {
 	size_t id_length = 0;
-	size_t extension_offset = -1;
+	ssize_t extension_offset = -1;
 	const char *extension = NULL;
 
 	if (id){
From 61ed94fd31c7f9a865cfea251433b6028833b28e Mon Sep 17 00:00:00 2001
From: Aleksandr Dovydenkov
Date: Mon, 15 Jun 2026 14:04:07 +0300
Subject: [PATCH 2/3] Replace null check with assert in `key_from_id()`

`g_strlcpy` requires not null string source string, so `id == NULL` causes UB. Enforce `id != NULL` via assert and document the requirement to a comment. Remove redundant check and make contract explicit.
---
 src/mono/mono/metadata/bundled-resources.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/mono/mono/metadata/bundled-resources.c b/src/mono/mono/metadata/bundled-resources.c
index bf8d96d8c65d19..267a1af0d3d838 100644
--- a/src/mono/mono/metadata/bundled-resources.c
+++ b/src/mono/mono/metadata/bundled-resources.c
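Review bot: `ssize_t` on the added line is a POSIX type rather than ISO C, while this signature already uses the eglib integer types (`guint`); `gssize` is the matching signed type and keeps the declaration portable to toolchains that do not provide `ssize_t`, i.e. `gssize extension_offset = -1;`. The signed sentinel is only as safe as every later comparison: `extension - id` is a `ptrdiff_t`, and the `extension_offset >= 0` test named in the commit message lies outside this hunk, so it should be confirmed that no remaining use compares `extension_offset` against the `size_t` `id_length`, which would promote it back to unsigned and reintroduce the original problem. Since `extension` is kept as a pointer anyway, testing `extension != NULL` instead of an offset sentinel would remove the signed/unsigned question entirely. The body of key_from_id continues beyond the hunk.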
@@ -75,6 +75,16 @@ bundled_resources_is_known_assembly_extension (const char *ext)
 // If a bundled resource has a known assembly extension, we strip the extension from its name
 // This ensures that lookups for foo.dll will work even if the assembly is in a webcil container
 
+//
+// Arguments:
+// * id - Name of the resource, not NULL, null-terminated byte string.
+// * buffer - Data to be written at given target address.
+// * buffer_len - Length of buffer.
+//
+// Returns:
+// static char * - Pointer to the stripped name of the resource.
+//
+
 static char *
 key_from_id (const char *id, char *buffer, guint buffer_len)
 {
@@ -82,12 +92,12 @@ key_from_id (const char *id, char *buffer, guint buffer_len)
 	ssize_t extension_offset = -1;
 	const char *extension = NULL;
 
-	if (id){
-		id_length = strlen (id);
-		extension = g_memrchr (id, '.', id_length);
-		if (extension)
-			extension_offset = extension - id;
-	}
+	g_assert (id);
+	id_length = strlen (id);
+	extension = g_memrchr (id, '.', id_length);
+	if (extension)
+		extension_offset = extension - id;
+
 	if (!buffer) {
 		// Add space for .dll and null terminator
 		buffer_len = (guint)(id_length + 6);
From 0f0f8cb4f3adfa8cb6de5a10b0ba2c1da83cfe53 Mon Sep 17 00:00:00 2001
From: Aleksandr Dovydenkov
Date: Mon, 15 Jun 2026 14:28:07 +0300
Subject: [PATCH 3/3] Ensure resource id is not null in bundled_resources_get

`key_from_id` requires a non-null name of the resource (`id`). Return NULL from function if `id == NULL` to avoid calling `key_from_id` with invalid input and prevent UB.
---
 src/mono/mono/metadata/bundled-resources.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/mono/mono/metadata/bundled-resources.c b/src/mono/mono/metadata/bundled-resources.c
index 267a1af0d3d838..7f980963cd6240 100644
--- a/src/mono/mono/metadata/bundled-resources.c
+++ b/src/mono/mono/metadata/bundled-resources.c
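Review bot: The added description of `buffer` (`Data to be written at given target address`) does not match how the parameter is used: the context lines of the following hunk show `buffer` is the destination the key is written into, and that a NULL `buffer` takes a branch that recomputes `buffer_len`, which suggests the function provides its own storage in that case. The comment should say so and state ownership of the result, e.g. `// * buffer - Destination for the key, or NULL to let the function provide storage (confirm who frees the result).` and `// * buffer_len - Capacity of buffer in bytes; recomputed when buffer is NULL.` The `Returns:` entry names the C type rather than the contract; `// Returns: the key (id with a known assembly extension stripped), stored in buffer when one was supplied.` would tell a caller more, together with whether NULL can be returned. The NULL-buffer behaviour is inferred from context lines only, since the rest of key_from_id is outside this hunk.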
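Review bot: Replacing the `if (id)` guard with `g_assert (id);` makes the NULL contract depend on assertions being compiled in; in GLib `g_assert` is a no-op under `G_DISABLE_ASSERT`, and if mono's eglib behaves the same way a NULL `id` would reach `strlen (id)` on the next line in such a build. `g_return_val_if_fail (id != NULL, NULL);` keeps the precondition checked and logged in every build, provided callers handle a NULL return — patch 3 adds that guard to bundled_resources_get only, so any other caller of key_from_id should be reviewed as well. The context line `buffer_len = (guint)(id_length + 6);` narrows a `size_t` to `guint`, so an extremely long `id` would wrap the computed length; a bound on `id_length` before the cast, e.g. `g_assert (id_length <= UINT_MAX - 6);`, would close that path. The enclosing function continues beyond the hunk.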
@@ -208,7 +208,7 @@ mono_bundled_resources_add (MonoBundledResource **resources_to_bundle, uint32_t
 static MonoBundledResource *
 bundled_resources_get (const char *id)
 {
-	if (!bundled_resources)
+	if (!bundled_resources || !id)
 		return NULL;
 
 	char key_buffer[1024];
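Review bot: The new `!id` guard returns NULL silently, the same value that means "resource not found", so a caller passing a NULL id — which patch 2 treats as a programming error inside key_from_id — is now indistinguishable from a miss; if the intent is a checked contract rather than a tolerated input, `g_return_val_if_fail (id != NULL, NULL);` would record the violation while still returning NULL. Separately, the context line `char key_buffer[1024];` fixes the key capacity at 1024 bytes, so an `id` near or over that length is presumably truncated by key_from_id's bounded copy and looked up under a wrong key; this is inferred, since the copy and the lookup are outside the hunk, but a length check or a comment documenting the limit would make it explicit. bundled_resources_get continues past the end of the hunk.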