From 0c3811e9c49fd71537ff494e6416e5583e13846e Mon Sep 17 00:00:00 2001 From: shixuantong Date: Sat, 26 Jul 2025 09:17:49 +0800 Subject: [PATCH] sync some bugfix patches (cherry picked from commit 3f8a91165e6fa1f85dfcd3d0687cf1568b2a2050) --- ...by-zero-in-ev_token_bucket_get_tick_.patch | 78 ++++++++++++ ...nteger-overflow-in-HTTP-version-1541.patch | 45 +++++++ ...-overflow-in-ev_token_bucket_cfg_new.patch | 115 ++++++++++++++++++ ...ll-pointer-dereference-in-buffereven.patch | 26 ++++ ...ll-pointer-dereference-in-dns-exampl.patch | 35 ++++++ ...ll-pointer-dereference-in-event-read.patch | 27 ++++ ...-unlikely-for-libevent-UB-in-HT_GROW.patch | 40 ++++++ ...-integer-overflow-detected-by-fsanit.patch | 26 ++++ ...eck-for-null-after-strdup-in-evutil_.patch | 28 +++++ libevent.spec | 22 +++- 10 files changed, 441 insertions(+), 1 deletion(-) create mode 100644 backport-Fix-divide-by-zero-in-ev_token_bucket_get_tick_.patch create mode 100644 backport-Fix-integer-overflow-in-HTTP-version-1541.patch create mode 100644 backport-Fix-integer-overflow-in-ev_token_bucket_cfg_new.patch create mode 100644 backport-Fix-potential-Null-pointer-dereference-in-buffereven.patch create mode 100644 backport-Fix-potential-Null-pointer-dereference-in-dns-exampl.patch create mode 100644 backport-Fix-potential-Null-pointer-dereference-in-event-read.patch create mode 100644 backport-Fix-unlikely-for-libevent-UB-in-HT_GROW.patch create mode 100644 backport-fix-arc4_getword-integer-overflow-detected-by-fsanit.patch create mode 100644 backport-fixed-missing-check-for-null-after-strdup-in-evutil_.patch diff --git a/backport-Fix-divide-by-zero-in-ev_token_bucket_get_tick_.patch b/backport-Fix-divide-by-zero-in-ev_token_bucket_get_tick_.patch new file mode 100644 index 0000000..162bd7a --- /dev/null +++ b/backport-Fix-divide-by-zero-in-ev_token_bucket_get_tick_.patch @@ -0,0 +1,78 @@ +From c4fb0f7603ed5fa8382eef5609f50426eba475b8 Mon Sep 17 00:00:00 2001 +From: Azat Khuzhin +Date: Tue, 20 Feb 2024 08:58:04 +0100 +Subject: [PATCH] Fix divide-by-zero in ev_token_bucket_get_tick_ + +Found by oss-fuzz, after coverage had been improved in https://github.com/google/oss-fuzz/pull/11257 +--- + bufferevent_ratelim.c | 11 +++++++++-- + test/regress_bufferevent.c | 13 +++++++++++++ + 2 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/bufferevent_ratelim.c b/bufferevent_ratelim.c +index 2587496..517ba3c 100644 +--- a/bufferevent_ratelim.c ++++ b/bufferevent_ratelim.c +@@ -146,11 +146,19 @@ ev_token_bucket_cfg_new(size_t read_rate, size_t read_burst, + { + struct ev_token_bucket_cfg *r; + struct timeval g; ++ unsigned msec_per_tick; ++ + if (! tick_len) { + g.tv_sec = 1; + g.tv_usec = 0; + tick_len = &g; + } ++ ++ msec_per_tick = (tick_len->tv_sec * 1000) + ++ (tick_len->tv_usec & COMMON_TIMEOUT_MICROSECONDS_MASK)/1000; ++ if (!msec_per_tick) ++ return NULL; ++ + if (read_rate > read_burst || write_rate > write_burst || + read_rate < 1 || write_rate < 1) + return NULL; +@@ -167,8 +175,7 @@ ev_token_bucket_cfg_new(size_t read_rate, size_t read_burst, + r->read_maximum = read_burst; + r->write_maximum = write_burst; + memcpy(&r->tick_timeout, tick_len, sizeof(struct timeval)); +- r->msec_per_tick = (tick_len->tv_sec * 1000) + +- (tick_len->tv_usec & COMMON_TIMEOUT_MICROSECONDS_MASK)/1000; ++ r->msec_per_tick = msec_per_tick; + return r; + } + +diff --git a/test/regress_bufferevent.c b/test/regress_bufferevent.c +index c276a0e..cb3e460 100644 +--- a/test/regress_bufferevent.c ++++ b/test/regress_bufferevent.c +@@ -216,6 +216,17 @@ static void test_bufferevent_pair_flush_normal(void) { test_bufferevent_impl(1, + static void test_bufferevent_pair_flush_flush(void) { test_bufferevent_impl(1, BEV_FLUSH); } + static void test_bufferevent_pair_flush_finished(void) { test_bufferevent_impl(1, BEV_FINISHED); } + ++static void test_bufferevent_ratelimit_fuzz(void) ++{ ++ struct timeval cfg_tick = {0, 0}; ++ struct ev_token_bucket_cfg *cfg = ev_token_bucket_cfg_new(1, 1, 1, 1, &cfg_tick); ++ tt_ptr_op(cfg, ==, NULL); ++ test_ok = 1; ++ ++end: ++ ; ++} ++ + #if defined(EVTHREAD_USE_PTHREADS_IMPLEMENTED) && !defined(__SANITIZE_ADDRESS__) + /** + * Trace lock/unlock/alloc/free for locks. +@@ -1463,5 +1474,7 @@ struct testcase_t bufferevent_iocp_testcases[] = { + { "bufferevent_connect_fail_eventcb", + test_bufferevent_connect_fail_eventcb, TT_IOCP, &basic_setup, NULL }, + ++ LEGACY(bufferevent_ratelimit_fuzz, TT_ISOLATED), ++ + END_OF_TESTCASES, + }; +-- +2.27.0 + diff --git a/backport-Fix-integer-overflow-in-HTTP-version-1541.patch b/backport-Fix-integer-overflow-in-HTTP-version-1541.patch new file mode 100644 index 0000000..7ec4929 --- /dev/null +++ b/backport-Fix-integer-overflow-in-HTTP-version-1541.patch @@ -0,0 +1,45 @@ +From 665d79f17677a8f670733656d0f574c9ab7fabb5 Mon Sep 17 00:00:00 2001 +From: Ben Kallus <49924171+kenballus@users.noreply.github.com> +Date: Thu, 18 Jan 2024 16:42:52 -0500 +Subject: [PATCH] Fix integer overflow in HTTP version (#1541) + +Currently, when libevent parses requests with version `HTTP/4294967295.255`, you end up with `req->major == req->minor == (char)-1`. (At least on linux-gnu-x86_64, where `char` is signed.) + +This is sort of weird. + +This patch changes the version parser to match the grammar in RFCs 7230 and 9112. (i.e. `HTTP/[0-9].[0-9]`) + +EDIT: Technically, a little stronger than the RFC requires, since this patch continues to block major versions greater than 1, which was already what libevent was doing. +--- + http.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/http.c b/http.c +index 420049a..49b65c5 100644 +--- a/http.c ++++ b/http.c +@@ -1630,16 +1630,16 @@ evhttp_valid_response_code(int code) + static int + evhttp_parse_http_version(const char *version, struct evhttp_request *req) + { +- int major, minor; ++ char major, minor; + char ch; +- int n = sscanf(version, "HTTP/%d.%d%c", &major, &minor, &ch); +- if (n != 2 || major > 1) { ++ int n = sscanf(version, "HTTP/%c.%c%c", &major, &minor, &ch); ++ if (n != 2 || major > '1' || major < '0' || minor > '9' || minor < '0') { + event_debug(("%s: bad version %s on message %p from %s", + __func__, version, req, req->remote_host)); + return (-1); + } +- req->major = major; +- req->minor = minor; ++ req->major = major - '0'; ++ req->minor = minor - '0'; + return (0); + } + +-- +2.27.0 + diff --git a/backport-Fix-integer-overflow-in-ev_token_bucket_cfg_new.patch b/backport-Fix-integer-overflow-in-ev_token_bucket_cfg_new.patch new file mode 100644 index 0000000..0c85ec8 --- /dev/null +++ b/backport-Fix-integer-overflow-in-ev_token_bucket_cfg_new.patch @@ -0,0 +1,115 @@ +From e4b873270138b5c10d4903980d765d0f6fe0b58c Mon Sep 17 00:00:00 2001 +From: Azat Khuzhin +Date: Tue, 20 Feb 2024 08:58:04 +0100 +Subject: [PATCH] Fix integer-overflow in ev_token_bucket_cfg_new + +Found by oss-fuzz, after coverage had been improved in https://github.com/google/oss-fuzz/pull/11257 + +v2: better check (found by CI for windows) +--- + bufferevent_ratelim.c | 12 +++++++++- + test/regress_bufferevent.c | 45 ++++++++++++++++++++++++++++++++++++-- + 2 files changed, 54 insertions(+), 3 deletions(-) + +diff --git a/bufferevent_ratelim.c b/bufferevent_ratelim.c +index 517ba3c..60ce894 100644 +--- a/bufferevent_ratelim.c ++++ b/bufferevent_ratelim.c +@@ -154,7 +154,17 @@ ev_token_bucket_cfg_new(size_t read_rate, size_t read_burst, + tick_len = &g; + } + +- msec_per_tick = (tick_len->tv_sec * 1000) + ++ /* Avoid possible overflow. ++ * - there is no point in accepting values larger then INT_MAX/1000 anyway ++ * - on windows tv_sec (tv_usec) is long, which is int, which has upper value limit INT_MAX ++ * - and also negative values does not make any sense ++ */ ++ if (tick_len->tv_sec < 0 || tick_len->tv_sec > INT_MAX/1000) ++ return NULL; ++ ++ /* Note, overflow with tv_usec is not possible since tv_sec is limited to ++ * INT_MAX/1000 anyway */ ++ msec_per_tick = (unsigned)(tick_len->tv_sec * 1000) + + (tick_len->tv_usec & COMMON_TIMEOUT_MICROSECONDS_MASK)/1000; + if (!msec_per_tick) + return NULL; +diff --git a/test/regress_bufferevent.c b/test/regress_bufferevent.c +index cb3e460..3af7415 100644 +--- a/test/regress_bufferevent.c ++++ b/test/regress_bufferevent.c +@@ -70,6 +70,7 @@ + #include + #include + #include ++#include + + #ifdef EVENT__HAVE_ARPA_INET_H + #include +@@ -216,13 +217,52 @@ static void test_bufferevent_pair_flush_normal(void) { test_bufferevent_impl(1, + static void test_bufferevent_pair_flush_flush(void) { test_bufferevent_impl(1, BEV_FLUSH); } + static void test_bufferevent_pair_flush_finished(void) { test_bufferevent_impl(1, BEV_FINISHED); } + +-static void test_bufferevent_ratelimit_fuzz(void) ++static void test_bufferevent_ratelimit_div_by_zero(void) + { + struct timeval cfg_tick = {0, 0}; + struct ev_token_bucket_cfg *cfg = ev_token_bucket_cfg_new(1, 1, 1, 1, &cfg_tick); + tt_ptr_op(cfg, ==, NULL); + test_ok = 1; + ++end: ++ ; ++} ++static void test_bufferevent_ratelimit_overflow(void) ++{ ++ { ++ struct timeval cfg_tick = {LONG_MAX, 0}; ++ struct ev_token_bucket_cfg *cfg = ev_token_bucket_cfg_new(1, 1, 1, 1, &cfg_tick); ++ tt_ptr_op(cfg, ==, NULL); ++ } ++ { ++ struct timeval cfg_tick = {UINT_MAX-1, 0}; ++ struct ev_token_bucket_cfg *cfg = ev_token_bucket_cfg_new(1, 1, 1, 1, &cfg_tick); ++ tt_ptr_op(cfg, ==, NULL); ++ } ++ { ++ struct timeval cfg_tick = {INT_MAX, 0}; ++ struct ev_token_bucket_cfg *cfg = ev_token_bucket_cfg_new(1, 1, 1, 1, &cfg_tick); ++ tt_ptr_op(cfg, ==, NULL); ++ } ++ { ++ struct timeval cfg_tick = {INT_MAX/1000+1, 0}; ++ struct ev_token_bucket_cfg *cfg = ev_token_bucket_cfg_new(1, 1, 1, 1, &cfg_tick); ++ tt_ptr_op(cfg, ==, NULL); ++ } ++ { ++ struct timeval cfg_tick = {INT_MAX/1000, 0}; ++ struct ev_token_bucket_cfg *cfg = ev_token_bucket_cfg_new(1, 1, 1, 1, &cfg_tick); ++ tt_ptr_op(cfg, !=, NULL); ++ ev_token_bucket_cfg_free(cfg); ++ } ++ { ++ struct timeval cfg_tick = {INT_MAX/1000-1, 0}; ++ struct ev_token_bucket_cfg *cfg = ev_token_bucket_cfg_new(1, 1, 1, 1, &cfg_tick); ++ tt_ptr_op(cfg, !=, NULL); ++ ev_token_bucket_cfg_free(cfg); ++ } ++ test_ok = 1; ++ + end: + ; + } +@@ -1474,7 +1514,8 @@ struct testcase_t bufferevent_iocp_testcases[] = { + { "bufferevent_connect_fail_eventcb", + test_bufferevent_connect_fail_eventcb, TT_IOCP, &basic_setup, NULL }, + +- LEGACY(bufferevent_ratelimit_fuzz, TT_ISOLATED), ++ LEGACY(bufferevent_ratelimit_div_by_zero, TT_ISOLATED), ++ LEGACY(bufferevent_ratelimit_overflow, TT_ISOLATED), + + END_OF_TESTCASES, + }; +-- +2.27.0 + diff --git a/backport-Fix-potential-Null-pointer-dereference-in-buffereven.patch b/backport-Fix-potential-Null-pointer-dereference-in-buffereven.patch new file mode 100644 index 0000000..e240c70 --- /dev/null +++ b/backport-Fix-potential-Null-pointer-dereference-in-buffereven.patch @@ -0,0 +1,26 @@ +From af31823fb2bd03ffc90167304d677ec492bc9757 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?C=C5=93ur?= +Date: Sun, 5 May 2024 16:43:23 +0800 +Subject: [PATCH] Fix potential Null pointer dereference in + bufferevent_openssl.c + +--- + bufferevent_openssl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/bufferevent_openssl.c b/bufferevent_openssl.c +index b6548116..60cdc86f 100644 +--- a/bufferevent_openssl.c ++++ b/bufferevent_openssl.c +@@ -143,7 +143,7 @@ bio_bufferevent_write(BIO *b, const char *in, int inlen) + + BIO_clear_retry_flags(b); + +- if (!BIO_get_data(b)) ++ if (!bufev) + return -1; + + output = bufferevent_get_output(bufev); +-- +2.27.0 + diff --git a/backport-Fix-potential-Null-pointer-dereference-in-dns-exampl.patch b/backport-Fix-potential-Null-pointer-dereference-in-dns-exampl.patch new file mode 100644 index 0000000..7b5f75e --- /dev/null +++ b/backport-Fix-potential-Null-pointer-dereference-in-dns-exampl.patch @@ -0,0 +1,35 @@ +From 64decd48e20f6d20d6f510aa75ab05861fd3d51c Mon Sep 17 00:00:00 2001 +From: icy17 <39425646+icy17@users.noreply.github.com> +Date: Mon, 29 Apr 2024 13:51:22 +0800 +Subject: [PATCH] Fix potential Null pointer dereference in dns-example.c + (#1601) + +--- + sample/dns-example.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/sample/dns-example.c b/sample/dns-example.c +index 87221fdc..7d874ac1 100644 +--- a/sample/dns-example.c ++++ b/sample/dns-example.c +@@ -196,7 +196,17 @@ main(int c, char **v) { + #endif + + event_base = event_base_new(); ++ if (event_base == NULL) { ++ fprintf(stderr, "Couldn't create new event_base\n"); ++ return 1; ++ } + evdns_base = evdns_base_new(event_base, EVDNS_BASE_DISABLE_WHEN_INACTIVE); ++ if (evdns_base == NULL) { ++ event_base_free(event_base); ++ fprintf(stderr, "Couldn't create new evdns_base\n"); ++ return 1; ++ } ++ + evdns_set_log_fn(logfn); + + if (o.servertest) { +-- +2.27.0 + diff --git a/backport-Fix-potential-Null-pointer-dereference-in-event-read.patch b/backport-Fix-potential-Null-pointer-dereference-in-event-read.patch new file mode 100644 index 0000000..300b586 --- /dev/null +++ b/backport-Fix-potential-Null-pointer-dereference-in-event-read.patch @@ -0,0 +1,27 @@ +From 09738283d9cfc62f7a1de44f1d10c4e20ee50d43 Mon Sep 17 00:00:00 2001 +From: icy17 <1061499390@qq.com> +Date: Wed, 10 Apr 2024 18:21:47 +0800 +Subject: [PATCH] Fix potential Null pointer dereference in event-read-fifo.c + +--- + sample/event-read-fifo.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/sample/event-read-fifo.c b/sample/event-read-fifo.c +index a17b9bd9..fe725f33 100644 +--- a/sample/event-read-fifo.c ++++ b/sample/event-read-fifo.c +@@ -139,6 +139,10 @@ main(int argc, char **argv) + #else + /* catch SIGINT so that event.fifo can be cleaned up */ + signal_int = evsignal_new(base, SIGINT, signal_cb, base); ++ if (signal_int == NULL) { ++ perror("evsignal_new"); ++ exit(1); ++ } + event_add(signal_int, NULL); + + evfifo = event_new(base, socket, EV_READ|EV_PERSIST, fifo_read, +-- +2.27.0 + diff --git a/backport-Fix-unlikely-for-libevent-UB-in-HT_GROW.patch b/backport-Fix-unlikely-for-libevent-UB-in-HT_GROW.patch new file mode 100644 index 0000000..9c4c694 --- /dev/null +++ b/backport-Fix-unlikely-for-libevent-UB-in-HT_GROW.patch @@ -0,0 +1,40 @@ +From 78eb305975ed68d8bc159e46e6164afff1a74747 Mon Sep 17 00:00:00 2001 +From: Azat Khuzhin +Date: Sat, 2 Nov 2024 21:41:32 +0100 +Subject: [PATCH] Fix unlikely (for libevent) UB in HT_GROW() + +The reason it is not possible for libevent is that: +a) it is unlikely to have 1610612741 elements +b) growing is done incrementally (i.e. only internally by HT_INSERT) and + in this case the UB is not possible + +Fixes: https://github.com/libevent/libevent/issues/1312 +--- + ht-internal.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ht-internal.h b/ht-internal.h +index 50375bba..de7cd0ea 100644 +--- a/ht-internal.h ++++ b/ht-internal.h +@@ -309,7 +309,7 @@ ht_string_hash_(const char *s) + 805306457, 1610612741 \ + }; \ + static unsigned name##_N_PRIMES = \ +- (unsigned)(sizeof(name##_PRIMES)/sizeof(name##_PRIMES[0])); \ ++ (unsigned)(sizeof(name##_PRIMES)/sizeof(name##_PRIMES[0])) - 1; \ + /* Expand the internal table of 'head' until it is large enough to \ + * hold 'size' elements. Return 0 on success, -1 on allocation \ + * failure. */ \ +@@ -319,7 +319,7 @@ ht_string_hash_(const char *s) + unsigned new_len, new_load_limit; \ + int prime_idx; \ + struct type **new_table; \ +- if (head->hth_prime_idx == (int)name##_N_PRIMES - 1) \ ++ if (head->hth_prime_idx == (int)name##_N_PRIMES) \ + return 0; \ + if (head->hth_load_limit > size) \ + return 0; \ +-- +2.27.0 + diff --git a/backport-fix-arc4_getword-integer-overflow-detected-by-fsanit.patch b/backport-fix-arc4_getword-integer-overflow-detected-by-fsanit.patch new file mode 100644 index 0000000..492fa3e --- /dev/null +++ b/backport-fix-arc4_getword-integer-overflow-detected-by-fsanit.patch @@ -0,0 +1,26 @@ +From b5b4c7fed589aef04f6b5add5f0f0d9c2f1fd2f5 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?jackerli=28=E6=9D=8E=E5=89=91=29?= +Date: Wed, 28 Sep 2022 16:41:59 +0800 +Subject: [PATCH] fix: arc4_getword integer overflow, detected by + -fsanitize=undefined + +--- + arc4random.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arc4random.c b/arc4random.c +index b5f66b4c..c9533b17 100644 +--- a/arc4random.c ++++ b/arc4random.c +@@ -418,7 +418,7 @@ arc4_getword(void) + { + unsigned int val; + +- val = arc4_getbyte() << 24; ++ val = (unsigned)arc4_getbyte() << 24; + val |= arc4_getbyte() << 16; + val |= arc4_getbyte() << 8; + val |= arc4_getbyte(); +-- +2.27.0 + diff --git a/backport-fixed-missing-check-for-null-after-strdup-in-evutil_.patch b/backport-fixed-missing-check-for-null-after-strdup-in-evutil_.patch new file mode 100644 index 0000000..52ec37e --- /dev/null +++ b/backport-fixed-missing-check-for-null-after-strdup-in-evutil_.patch @@ -0,0 +1,28 @@ +From ff99f67a1ab7b7e9a0c82dd987317bb1df38bdb7 Mon Sep 17 00:00:00 2001 +From: Michael Madsen +Date: Fri, 4 Nov 2022 01:59:17 -0700 +Subject: [PATCH] fixed missing check for null after strdup in + evutil_inet_pton_scope (#1366) + +--- + evutil.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/evutil.c b/evutil.c +index 9817f08..1c736d6 100644 +--- a/evutil.c ++++ b/evutil.c +@@ -2015,7 +2015,9 @@ evutil_inet_pton_scope(int af, const char *src, void *dst, unsigned *indexp) + return 0; + } + *indexp = if_index; +- tmp_src = mm_strdup(src); ++ if (!(tmp_src = mm_strdup(src))) { ++ return -1; ++ } + cp = strchr(tmp_src, '%'); + *cp = '\0'; + r = evutil_inet_pton(af, tmp_src, dst); +-- +2.27.0 + diff --git a/libevent.spec b/libevent.spec index 9d38b7d..2bc6540 100644 --- a/libevent.spec +++ b/libevent.spec @@ -1,6 +1,6 @@ Name: libevent Version: 2.1.12 -Release: 14 +Release: 15 Summary: An event notification library License: BSD @@ -28,6 +28,15 @@ Patch6006: backport-Makefile-missing-test-dir.patch Patch6007: backport-Fix-leak-in-evbuffer_add_file-on-empty-files.patch Patch6008: backport-Fix-potential-null-dereference-in-http-server.patch Patch6009: backport-evthread-fix-NULL-dereference-in.patch +Patch6010: backport-fix-arc4_getword-integer-overflow-detected-by-fsanit.patch +Patch6011: backport-fixed-missing-check-for-null-after-strdup-in-evutil_.patch +Patch6012: backport-Fix-integer-overflow-in-HTTP-version-1541.patch +Patch6013: backport-Fix-divide-by-zero-in-ev_token_bucket_get_tick_.patch +Patch6014: backport-Fix-integer-overflow-in-ev_token_bucket_cfg_new.patch +Patch6015: backport-Fix-potential-Null-pointer-dereference-in-dns-exampl.patch +Patch6016: backport-Fix-potential-Null-pointer-dereference-in-buffereven.patch +Patch6017: backport-Fix-potential-Null-pointer-dereference-in-event-read.patch +Patch6018: backport-Fix-unlikely-for-libevent-UB-in-HT_GROW.patch Patch0004: 0004-fix-function-undeclared.patch @@ -91,6 +100,17 @@ rm -f %{buildroot}%{_libdir}/*.la %changelog +* Sat Jul 26 2025 shixuantong - 2.1.12-15 +- fix: arc4_getword integer overflow, detected by -fsanitize=undefined +- Fix divide-by-zero in ev_token_bucket_get_tick_ +- fixed missing check for null after strdup in evutil_inet_pton_scope +- Fix integer-overflow in ev_token_bucket_cfg_new +- Fix integer overflow in HTTP version +- Fix potential Null pointer dereference in bufferevent_openssl.c +- Fix potential Null pointer dereference in dns-example.c +- Fix potential Null pointer dereference in event-read-fifo.c +- Fix unlikely (for libevent) UB in HT_GROW() + * Wed Jul 16 2025 andy - 2.1.12-14 - Fix leak in evbuffer_add_file() on empty files - evthread: fix NULL dereference in evthread_setup_global_lock_() -- Gitee