13 changes: 12 additions & 1 deletion CHANGELOG.md
Expand Up @@ -7,9 +7,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

## [0.10.1] — 2026-06-27

Security hardening of the untrusted-input parse paths: every malformed-file path now surfaces as a `VortexException` instead of an unchecked `Error`, a raw JDK exception, or a resource leak (ADR 0003). Plus a `vortex.zstd` binding bump.

### Security

- `DType`-tree and array-node decoding are now depth-capped (64, matching the layout-tree guard): a crafted or self-referential FlatBuffer surfaces as a `VortexException` instead of a `StackOverflowError` — which, being an `Error`, previously escaped sanitization and leaked the reader's memory-mapped `Arena`. ([93f8d5f4](https://github.com/dfa1/vortex-java/commit/93f8d5f4), [428026d3](https://github.com/dfa1/vortex-java/commit/428026d3))
- The HTTP reader validates footer `segmentSpecs` against the file size before any `Range` request is built from them, matching the local-file path. ([1d8ddebc](https://github.com/dfa1/vortex-java/commit/1d8ddebc))
- `vortex.zstd` decode bounds-checks each frame's declared uncompressed size and overflow-checks the total before allocating, and range-checks VarBin length prefixes — a crafted payload can no longer under-allocate or read out of bounds. ([2df4e3a7](https://github.com/dfa1/vortex-java/commit/2df4e3a7), [adc445e8](https://github.com/dfa1/vortex-java/commit/adc445e8))
- The HTTP reader parses the server-controlled `Content-Range` header and slices the tail buffer defensively, so a malformed response yields a `VortexException` rather than a raw `NumberFormatException`/`IndexOutOfBoundsException`. ([feac99b7](https://github.com/dfa1/vortex-java/commit/feac99b7))

### Changed

- Bumped `io.github.dfa1.zstd` (the `vortex.zstd` FFM bindings, pinned by the BOM) 0.3 → 0.4. ([5bf14475](https://github.com/dfa1/vortex-java/commit/5bf14475))
- Bumped `io.github.dfa1.zstd` (the `vortex.zstd` FFM bindings, pinned by the BOM) 0.3 → 0.4. ([677c2cf7](https://github.com/dfa1/vortex-java/commit/677c2cf7))

## [0.10.0] — 2026-06-26

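Review bot: the two `### Changed` bullets at the end of this hunk are the same entry recorded twice and should be collapsed into one: both read "Bumped `io.github.dfa1.zstd` (the `vortex.zstd` FFM bindings, pinned by the BOM) 0.3 → 0.4." and differ only in the commit link (`5bf14475` versus `677c2cf7`). Either merge them into a single bullet that cites both commits, or, if the second commit was a follow-up to the first bump, state what it changed instead of repeating the line. A single bullet would also match the release summary above, which announces one `vortex.zstd` binding bump.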