Fix component search fast path #16548

Merged: chrisvest merged 4 commits into 4.2 from wrong-component, Apr 4, 2026

Conversation

@yawkat yawkat (Contributor) commented Mar 25, 2026

Motivation:

In certain scenarios, the findComponentForRead fast path would pick the wrong component for a reader index, leading to out-of-bounds reads for those components.

Modification:

Correct comparison.

Result:

No incorrect read.
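The bug class the description refers to, as an added Python model that is not Netty's code: a composite buffer whose read path caches the last component found, with the strict boundary comparison beside a hypothetical inclusive-bound variant that hands the seam index to the wrong component. The component layout, the names and the defective comparison are assumptions made for the illustration; the PR text does not show Netty's actual comparison.

```python
"""Component-search fast path over a composite buffer (added illustration).

Not Netty's code: a small model of the search a read on a composite buffer
performs. Components sit back to back; each covers the absolute index range
[offset, end_offset). Before a read, the buffer must find the component that
owns the reader index. A fast path reuses the component found by the previous
read; if its boundary comparison is wrong, an index on the seam between two
components resolves to the wrong one and the per-component read runs off the
end of that component's bytes.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Component:
    data: bytes
    offset: int  # absolute index of this component's first byte

    @property
    def end_offset(self) -> int:  # exclusive upper bound
        return self.offset + len(self.data)


class CompositeBuffer:
    def __init__(self, parts: List[bytes], strict_fast_path: bool = True) -> None:
        self.components: List[Component] = []
        offset = 0
        for part in parts:
            self.components.append(Component(part, offset))
            offset += len(part)
        self.capacity = offset
        self.strict_fast_path = strict_fast_path
        self._last: Optional[Component] = None  # cache consulted by the fast path

    def _fast_path_hit(self, c: Component, index: int) -> bool:
        if self.strict_fast_path:
            # Correct: end_offset is exclusive, so the seam index belongs
            # to the next component and must fall through to the slow path.
            return c.offset <= index < c.end_offset
        # Defective variant (hypothetical, for illustration only): an inclusive
        # upper bound claims the seam index for the component that ends there.
        return c.offset <= index <= c.end_offset

    def find_component(self, index: int) -> Component:
        if not 0 <= index < self.capacity:
            raise IndexError(f"index {index} outside capacity {self.capacity}")
        last = self._last
        if last is not None and self._fast_path_hit(last, index):
            return last
        # Slow path: binary search over the component offsets.
        lo, hi = 0, len(self.components) - 1
        while lo <= hi:
            mid = (lo + hi) // 2
            c = self.components[mid]
            if index < c.offset:
                hi = mid - 1
            elif index >= c.end_offset:
                lo = mid + 1
            else:
                self._last = c
                return c
        raise AssertionError("unreachable: index is within capacity")

    def get_byte(self, index: int) -> int:
        c = self.find_component(index)
        # Translate to a component-local index. With the defective fast path
        # this equals len(c.data) on the seam; Python raises IndexError here,
        # where a raw memory read would silently return a byte past the component.
        return c.data[index - c.offset]

    def get_byte_checked(self, index: int) -> int:
        """Defensive form: verify the chosen component really owns the index
        before touching its bytes, so a search bug fails loudly and early."""
        c = self.find_component(index)
        if not c.offset <= index < c.end_offset:
            raise RuntimeError(
                f"component search returned [{c.offset}, {c.end_offset}) "
                f"for index {index}")
        return c.data[index - c.offset]


def read_seam(strict_fast_path: bool) -> int:
    """Warm the cache with a read inside component 0, then read the first
    byte of component 1 (index 4), which sits exactly on the seam."""
    buf = CompositeBuffer([b"AAAA", b"BBBB", b"CC"], strict_fast_path)  # constructed sample
    buf.get_byte(1)          # caches component 0 via the slow path
    return buf.get_byte(4)   # seam index: must resolve to component 1


if __name__ == "__main__":
    print("strict fast path reads", chr(read_seam(True)))
    try:
        read_seam(False)
    except IndexError as e:
        print("defective fast path read past its component:", e)
```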

@yawkat yawkat requested review from chrisvest and franz1981 March 25, 2026 16:22
@chrisvest chrisvest added the needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged. label Mar 25, 2026
@chrisvest chrisvest added this to the 4.2.12.Final milestone Mar 25, 2026
@chrisvest (Member) commented:

Putting this one on hold for #16550 — after 4.2.12 we can bring back the optimization and merge this fix.

chrisvest and others added 3 commits March 25, 2026 13:57
Motivation:

In certain scenarios, the findComponentForRead fast path would pick the wrong component for a reader index, leading to out-of-bounds reads for those components.

Modification:

Correct comparison.

Result:

No incorrect read.
@chrisvest (Member) commented:

I rebased this PR with a reapply of the opt change underneath.

@chrisvest chrisvest merged commit 59aec4b into 4.2 Apr 4, 2026
19 of 20 checks passed
@chrisvest chrisvest deleted the wrong-component branch April 4, 2026 00:02
@netty-project-bot (Contributor) commented:

Could not create auto-port PR.
Got conflicts when cherry-picking onto 5.0.

chrisvest pushed a commit to chrisvest/netty that referenced this pull request Apr 4, 2026
Motivation:

In certain scenarios, the findComponentForRead fast path would pick the
wrong component for a reader index, leading to out-of-bounds reads for
those components.

Modification:

Correct comparison.

Result:

No incorrect read.

---------

Co-authored-by: Chris Vest <christianvest_hansen@apple.com>
Co-authored-by: Norman Maurer <norman_maurer@apple.com>

(cherry picked from commit 59aec4b)
@chrisvest (Member) commented:

5.0 port: #16602

chrisvest added a commit that referenced this pull request Apr 9, 2026
Motivation:

In certain scenarios, the findComponentForRead fast path would pick the
wrong component for a reader index, leading to out-of-bounds reads for
those components.

Modification:

Correct comparison.

Result:

No incorrect read.

---------

Co-authored-by: Chris Vest <christianvest_hansen@apple.com>
Co-authored-by: Norman Maurer <norman_maurer@apple.com>

(cherry picked from commit 59aec4b)

Co-authored-by: Jonas Konrad <jonas.konrad@oracle.com>
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request May 10, 2026
…l [skip ci]

Bumps [io.netty:netty-all](https://github.com/netty/netty) from 4.2.12.Final to 4.2.13.Final.
Release notes

*Sourced from [io.netty:netty-all's releases](https://github.com/netty/netty/releases).*

> netty-4.2.13.Final
> ------------------
>
> CVEs Fixed
> ----------
>
> * [CVE-2026-42586](GHSA-rgrr-p7gp-5xj7) (netty-codec-redis)
> * [CVE-2026-42578](GHSA-45q3-82m4-75jr) (netty-handler-proxy)
> * [CVE-2026-42577](GHSA-rwm7-x88c-3g2p) (netty-transport-native-epoll)
> * [CVE-2026-42587](GHSA-f6hv-jmp6-3vwv) (netty-codec-http, netty-codec-http2)
> * [CVE-2026-41417](GHSA-v8h7-rr48-vmmv) (netty-codec-http)
> * [CVE-2026-42581](GHSA-xxqh-mfjm-7mv9) (netty-codec-http)
> * [CVE-2026-42580](GHSA-m4cv-j2px-7723) (netty-codec-http)
> * [CVE-2026-42585](GHSA-38f8-5428-x5cv) (netty-codec-http)
> * [CVE-2026-42579](GHSA-cm33-6792-r9fm) (netty-codec-dns)
> * [CVE-2026-42582](GHSA-2c5c-chwr-9hqw) (netty-codec-http3)
> * [CVE-2026-42583](GHSA-mj4r-2hfc-f8p6) (netty-codec, netty-codec-compression)
> * [CVE-2026-42584](GHSA-57rv-r2g8-2cj3) (netty-codec-http)
> * [CVE-2026-44248](GHSA-jfg9-48mv-9qgx) (netty-codec-mqtt)
>
> What's Changed
> --------------
>
> * Kqueue: sendfile EINTR doesn't advance offset — data duplication by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16544](https://redirect.github.com/netty/netty/pull/16544)
> * Replace usage of strerror with thread-safe alternative by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16547](https://redirect.github.com/netty/netty/pull/16547)
> * Fix implementation of strerror_r_xsi for GNU by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16546](https://redirect.github.com/netty/netty/pull/16546)
> * Lazy init ArrayList in DefaultHeaders.getAll by [`@doom369`](https://github.com/doom369) in [netty/netty#16526](https://redirect.github.com/netty/netty/pull/16526)
> * Less logging in AWS-LC build by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16565](https://redirect.github.com/netty/netty/pull/16565)
> * Ensure the CRYPTO_BUFFER_POOL is also freed when we fail creating the SSLContext by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16545](https://redirect.github.com/netty/netty/pull/16545)
> * Auto-port 4.2: Fix IndexOutOfBoundsException in StompSubframeDecoder on heartbeat by [`@netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16543](https://redirect.github.com/netty/netty/pull/16543)
> * Avoid leak in PemReader on OutOfDirectMemoryError by [`@raipc`](https://github.com/raipc) in [netty/netty#16551](https://redirect.github.com/netty/netty/pull/16551)
> * IoUring: Disable test while we debug to unblock other builds by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16581](https://redirect.github.com/netty/netty/pull/16581)
> * Include user properties and subscription IDs in MqttProperties#isEmpty by [`@ShadowySpirits`](https://github.com/ShadowySpirits) in [netty/netty#16575](https://redirect.github.com/netty/netty/pull/16575)
> * Native DNS resolver: Guard against malloc failures by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16559](https://redirect.github.com/netty/netty/pull/16559)
> * Auto-port 4.2: Increase timeouts for QuicChannelConnectTest by [`@netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16578](https://redirect.github.com/netty/netty/pull/16578)
> * Fix parsing HTTP chunks with multiple extensions by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16579](https://redirect.github.com/netty/netty/pull/16579)
> * Bump org.codehaus.plexus:plexus-utils from 3.4.2 to 4.0.3 in /codec-native-quic by [`@dependabot`](https://github.com/dependabot)[bot] in [netty/netty#16572](https://redirect.github.com/netty/netty/pull/16572)
> * Revert to PR build to Ubuntu 22.04 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16595](https://redirect.github.com/netty/netty/pull/16595)
> * Native transports: Correctly create pipe when pipe2 is not supported by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16592](https://redirect.github.com/netty/netty/pull/16592)
> * Epoll: Cleanup code to always return negative value on failure by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16591](https://redirect.github.com/netty/netty/pull/16591)
> * Fix component search fast path by [`@yawkat`](https://github.com/yawkat) in [netty/netty#16548](https://redirect.github.com/netty/netty/pull/16548)
> * Stabilize read-only toStringMultipleThreads1 by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16608](https://redirect.github.com/netty/netty/pull/16608)
> * Stabilize more AbstractByteBufTests by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16611](https://redirect.github.com/netty/netty/pull/16611)
> * Remove note about needing 256-bit for PQC by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16605](https://redirect.github.com/netty/netty/pull/16605)
> * Stabilize testSessionInvalidate for Conscrypt by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16615](https://redirect.github.com/netty/netty/pull/16615)
> * Quic: Correctly handle SSL_CTX_new failures by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16622](https://redirect.github.com/netty/netty/pull/16622)
> * Make LocalIoHandle public by [`@rdicroce`](https://github.com/rdicroce) in [netty/netty#16621](https://redirect.github.com/netty/netty/pull/16621)
> * Quic: Fix shadowing of variable which leads to incorrectly handling errors by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16623](https://redirect.github.com/netty/netty/pull/16623)
> * Auto-port 4.2: Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by [`@netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16629](https://redirect.github.com/netty/netty/pull/16629)
> * Fix `shutdownInput` bug in kqueue for empty recv buffer by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16630](https://redirect.github.com/netty/netty/pull/16630)
> * fix FFM address semantics in directBufferAddress by [`@dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16603](https://redirect.github.com/netty/netty/pull/16603)
> * HTTP2: Ensure HTTP2 preface is always send as first message by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16636](https://redirect.github.com/netty/netty/pull/16636)
> * Move Http2FrameCodecSubClassTest to correct package by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16640](https://redirect.github.com/netty/netty/pull/16640)
> * Kqueue: Fix usage of LOCAL_PEERPID by [`@normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16637](https://redirect.github.com/netty/netty/pull/16637)
> * Avoid ArrayQueue allocation in HttpServerCodec by [`@doom369`](https://github.com/doom369) in [netty/netty#16596](https://redirect.github.com/netty/netty/pull/16596)
> * Fix file descriptor reuse bug in kqueue by [`@chrisvest`](https://github.com/chrisvest) in [netty/netty#16650](https://redirect.github.com/netty/netty/pull/16650)

... (truncated)


Commits

* [`b3844c8`](netty/netty@b3844c8) [maven-release-plugin] prepare release netty-4.2.13.Final
* [`82f47fa`](netty/netty@82f47fa) Merge commit from fork
* [`ada0999`](netty/netty@ada0999) Merge commit from fork
* [`b4051e2`](netty/netty@b4051e2) Fix BrotliDecoder not forwarding all decompressed chunks
* [`67207c1`](netty/netty@67207c1) Merge commit from fork
* [`541ca7c`](netty/netty@541ca7c) Merge commit from fork
* [`943edb3`](netty/netty@943edb3) Fix codec-dns tests
* [`6459a28`](netty/netty@6459a28) Merge commit from fork
* [`b4ba61b`](netty/netty@b4ba61b) Fix checkstyle in HttpObjectDecoder
* [`977661f`](netty/netty@977661f) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.12.Final...netty-4.2.13.Final)
  
mergify Bot added a commit to ArcadeData/arcadedb that referenced this pull request May 10, 2026
…ip ci]

Bumps `netty.version` from 4.2.12.Final to 4.2.13.Final.
Updates `io.netty:netty-transport` from 4.2.12.Final to 4.2.13.Final
  
Updates `io.netty:netty-codec` from 4.2.12.Final to 4.2.13.Final
  
Updates `io.netty:netty-handler` from 4.2.12.Final to 4.2.13.Final
> * Quic: Fix shadowing of variable which leads to incorrectly handling errors by [`@​normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16623](https://redirect.github.com/netty/netty/pull/16623)
> * Auto-port 4.2: Use stream error for maxContentLength exceeded in InboundHttp2ToHttpAdapter by [`@​netty-project-bot`](https://github.com/netty-project-bot) in [netty/netty#16629](https://redirect.github.com/netty/netty/pull/16629)
> * Fix `shutdownInput` bug in kqueue for empty recv buffer by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16630](https://redirect.github.com/netty/netty/pull/16630)
> * fix FFM address semantics in directBufferAddress by [`@​dreamlike-ocean`](https://github.com/dreamlike-ocean) in [netty/netty#16603](https://redirect.github.com/netty/netty/pull/16603)
> * HTTP2: Ensure HTTP2 preface is always send as first message by [`@​normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16636](https://redirect.github.com/netty/netty/pull/16636)
> * Move Http2FrameCodecSubClassTest to correct package by [`@​normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16640](https://redirect.github.com/netty/netty/pull/16640)
> * Kqueue: Fix usage of LOCAL\_PEERPID by [`@​normanmaurer`](https://github.com/normanmaurer) in [netty/netty#16637](https://redirect.github.com/netty/netty/pull/16637)
> * Avoid ArrayQueue allocation in HttpServerCodec by [`@​doom369`](https://github.com/doom369) in [netty/netty#16596](https://redirect.github.com/netty/netty/pull/16596)
> * Fix file descriptor reuse bug in kqueue by [`@​chrisvest`](https://github.com/chrisvest) in [netty/netty#16650](https://redirect.github.com/netty/netty/pull/16650)

... (truncated)


Commits

* [`b3844c8`](netty/netty@b3844c8) [maven-release-plugin] prepare release netty-4.2.13.Final
* [`82f47fa`](netty/netty@82f47fa) Merge commit from fork
* [`ada0999`](netty/netty@ada0999) Merge commit from fork
* [`b4051e2`](netty/netty@b4051e2) Fix BrotliDecoder not forwarding all decompressed chunks
* [`67207c1`](netty/netty@67207c1) Merge commit from fork
* [`541ca7c`](netty/netty@541ca7c) Merge commit from fork
* [`943edb3`](netty/netty@943edb3) Fix codec-dns tests
* [`6459a28`](netty/netty@6459a28) Merge commit from fork
* [`b4ba61b`](netty/netty@b4ba61b) Fix checkstyle in HttpObjectDecoder
* [`977661f`](netty/netty@977661f) Merge commit from fork
* Additional commits viewable in [compare view](netty/netty@netty-4.2.12.Final...netty-4.2.13.Final)
  
franz1981 added a commit to franz1981/netty that referenced this pull request May 12, 2026
franz1981 added a commit to franz1981/netty that referenced this pull request May 12, 2026
franz1981 added a commit to franz1981/netty that referenced this pull request May 13, 2026
yawkat added a commit that referenced this pull request May 13, 2026
Reintroduce the benchmark changes removed by the revert of #16548 so performance coverage remains available while the production fast path stays reverted.

Co-Authored-By: multicode <multicode@yawk.at>
yawkat added a commit that referenced this pull request May 13, 2026
Motivation:

The component search fast path reintroduced by #16548 can select the
wrong component after read components are discarded and source buffers
have non-zero internal offsets. This can corrupt data returned from
`CompositeByteBuf.readByte()`, as reported in #16799.

Modification:

Revert the #16548 fast-path production, test, and benchmark changes
using a real git revert commit so the revert itself does not need
detailed review.

Reintroduce the `testFindComponent()` coverage removed by the revert in
a separate test-only commit.

Add a new regression test that covers the #16799 scenario with offset
source buffers, `discardReadComponents()`, and subsequent reads.

Reintroduce the reverted `CompositeByteBufSequentialBenchmark` changes
in a separate benchmark-only commit.

Result:

`CompositeByteBuf` uses the existing component lookup path instead of
the broken sequential-read fast path, while keeping and extending the
relevant regression and benchmark coverage.

Fixes #16799.

---------

Co-authored-by: multicode <multicode@yawk.at>
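The scenario this commit message describes (source buffers with non-zero internal offsets, a `discardReadComponents()` call after a partial read, then further sequential reads) written out as a self-contained check. This is an added example, not Netty's own `testFindComponent()` or the regression test the commit adds; it uses only the public `CompositeByteBuf` API, and the backing arrays, offsets and expected bytes are constructed sample values.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.CompositeByteBuf;
import io.netty.buffer.Unpooled;

/**
 * Added regression-style check (not Netty's own test): builds a CompositeByteBuf from
 * source buffers that have non-zero internal offsets, reads past the first component,
 * calls discardReadComponents(), and verifies every subsequent readByte() returns the
 * byte the underlying data actually holds.
 */
public final class OffsetComponentReadCheck {

    /** Wraps a backing array and returns a slice that starts at a non-zero offset. */
    private static ByteBuf offsetSlice(byte[] backing, int offset, int length) {
        return Unpooled.wrappedBuffer(backing).slice(offset, length);
    }

    /** Returns true if sequential reads across discardReadComponents() stay consistent. */
    public static boolean readsStayConsistent() {
        // Constructed sample data: three backing arrays, each sliced at a non-zero offset
        // so that the component's readerIndex 0 does not map to offset 0 of its memory.
        byte[] a = {0, 0, 0, 10, 11, 12, 13};        // payload starts at offset 3
        byte[] b = {0, 0, 20, 21, 22, 23, 24, 25};   // payload starts at offset 2
        byte[] c = {0, 30, 31, 32};                  // payload starts at offset 1

        // The logical byte stream the composite must present, in order.
        byte[] expected = {10, 11, 12, 13, 20, 21, 22, 23, 24, 25, 30, 31, 32};

        CompositeByteBuf composite = Unpooled.compositeBuffer();
        try {
            composite.addComponent(true, offsetSlice(a, 3, 4));
            composite.addComponent(true, offsetSlice(b, 2, 6));
            composite.addComponent(true, offsetSlice(c, 1, 3));

            int pos = 0;
            // Read through the whole first component and into the second one.
            for (; pos < 6; pos++) {
                if (composite.readByte() != expected[pos]) {
                    return false;
                }
            }
            // Drop fully consumed components; component indices and offsets shift here,
            // which is the state in which a stale lookup would point at the wrong component.
            composite.discardReadComponents();

            // Subsequent reads must still follow the logical byte stream.
            while (composite.isReadable()) {
                if (composite.readByte() != expected[pos]) {
                    return false;
                }
                pos++;
            }
            return pos == expected.length;
        } finally {
            composite.release();
        }
    }

    public static void main(String[] args) {
        System.out.println(readsStayConsistent() ? "reads consistent" : "CORRUPTED READ");
    }
}
```

The check compares every byte against the expected stream rather than only the bytes after the discard, so a lookup that goes wrong before `discardReadComponents()` is caught as well; the composite is released in `finally` so the slices' parent buffers are freed even when the check fails early.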
Labels

needs-cherry-pick-5.0 This PR should be cherry-picked to 5.0 once merged.