Previously, Arduino Core attempted to read from flash memory without proper consideration for the 4-byte alignment requirement when calculating the hash for the signature verification. This did not present an issue when uncompressed binaries are checked as all compiled binaries are 4-aligned (unconfirmed, just an educated guess), and signature verification appears to work well in these cases.
When uploading a compressed binary (based on this) the gzip algorithm makes no attempt to produce a 4-aligned file. The rest of the signing results in a valid signed binary regardless, however when calculating the hash for the verification process there is a ~75% chance that the hash will include some bytes from the signature, thus compromising the whole signature verification process.
editorial note: ESP.flashRead for u8 arrays (aka byte arrays) was already updated to properly handle both aligned and unaligned target buffer and / or length, while u32 expects that its arguments are already aligned. Since array pointer in Updater is already aligned, this properly handles unaligned size case.
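The failure mode described in this commit message, as an added example that is not code from the Arduino Core: hashing a binary whose length is not a multiple of 4 through an aligned-only flash read pulls trailing signature bytes into the hash, while hashing only the bytes that belong to the binary does not. The flash model, the rounded-up read as the mechanism, the FNV-1a stand-in for the real digest, and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed flash model: reads must be 4-byte aligned in offset and length.
static bool flash_read(const std::vector<uint8_t>& flash, size_t off, uint8_t* dst, size_t len) {
    if (off % 4 || len % 4 || off + len > flash.size()) return false;
    std::memcpy(dst, flash.data() + off, len);
    return true;
}
// FNV-1a stands in for the real digest so the example stays self-contained.
static uint32_t fnv1a(uint32_t h, const uint8_t* p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
// Constructed image: bin_len payload bytes, a 64-byte "signature", 0xFF padding.
static std::vector<uint8_t> make_flash(size_t bin_len) {
    std::vector<uint8_t> f;
    for (size_t i = 0; i < bin_len; i++) f.push_back((uint8_t)(i * 7 + 1));
    f.insert(f.end(), 64, 0xA5);
    while (f.size() % 4) f.push_back(0xFF);
    return f;
}

// Hash the first bin_len bytes as stored in flash. exact=false hashes every byte
// of the rounded-up final read (assumed failure mode); exact=true still reads
// aligned words but hashes only the bytes that belong to the binary.
uint32_t hash_from_flash(const std::vector<uint8_t>& flash, size_t bin_len, bool exact) {
    uint32_t h = 2166136261u;
    uint8_t buf[64];
    for (size_t off = 0; off < bin_len; off += sizeof buf) {
        size_t want = bin_len - off < sizeof buf ? bin_len - off : sizeof buf;
        size_t rd = (want + 3) & ~(size_t)3;  // aligned read length
        if (!flash_read(flash, off, buf, rd)) return 0;
        h = fnv1a(h, buf, exact ? want : rd);
    }
    return h;
}

// True when the device-side hash equals the hash the signer computed over the binary.
bool hashes_match(size_t bin_len, bool exact) {
    std::vector<uint8_t> flash = make_flash(bin_len);
    uint32_t signer = fnv1a(2166136261u, flash.data(), bin_len);
    return hash_from_flash(flash, bin_len, exact) == signer;
}
// Count sizes in [first, first + n) for which the two hashes disagree.
int count_mismatches(size_t first, size_t n, bool exact) {
    int bad = 0;
    for (size_t s = first; s < first + n; s++) bad += !hashes_match(s, exact);
    return bad;
}
```

Over 100 consecutive sizes the rounded-up variant disagrees with the signer for every size that is not a multiple of 4, which is the ~75% figure quoted above.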
- check in cont_run() and cont_suspend() whether a1 is out of bounds
- in case a1 is broken, postmortem will still report proper context in
proper stack boundaries
additionally
- as suggested in #9069, change stack smashing to a single line that
does not mention any Exceptions
- reduce overall stack dump length when there are known garbage values i.e. cont stackguard
- decoder.py addr search regexp would no longer skip stack lines with '<'
- fix decoder.py parsing so it notices both stack smashing and alloc errors
* added getAvailableVersion(), moved _httpClientTimeout and _followRedirects to protected, added enum HTTPUpdateError
* auto numbering of HTTPUpdateError enum
* added getAvailableVersion(), debug output current current Sketch MD5
* Revert "added getAvailableVersion(), debug output current current Sketch MD5"
This reverts commit 60d2c7762e7fb1fed7fae37fa99be149e12f125c.
* Revert "auto numbering of HTTPUpdateError enum"
This reverts commit 61785b27da3f2d42f8f95316d78ce22e5b00103a.
* Revert "added getAvailableVersion(), moved _httpClientTimeout and _followRedirects to protected, added enum HTTPUpdateError"
This reverts commit cec84ed17ab149d3e48082293f9e2723246b7d0b.
* add redirect function
* enhanced redirect() by cache control and client stop
* updated redirect() comment
* replaced redirect() API calls in examples
* server.client().stop() not needed, redirect() does this
Adds the two missing error states when beginning an Update. There were debugging logs for this but the error state was not set which would lead to confusion
* Generate TZ.h from zoneinfo
Using tzdata pypi package that ships zoneinfo blobs
Can't use raw data package from IANA, need it built first
Minor tweaks to Espurna script that generated .md
More data than the original, not limited to ZONE/...
Zoneinfo source can be overwritten using path args, if needed
(but, probably not needed, since it would always be preferable to pull the latest version)
Also, allow to override certain names and tz strings independent
of tzdata values (resolves #9007)
This can reduce permanent RAM consumption significantly if the last request had lots of arguments, but it assumes that we do not need the arguments after we have handled a request.
Stop CI from pulling LLVM repos and using GNUPG keyservers,
ubuntu-latest already has clang-format-{13,14,15}
Fixes long-standing issue with -style=file:...
* fix possible leak of _postArgs array in case of returning early from _parseForm().
* don't use _postArgs member, but instead use a new local variable postArgs instead.
* same for _postArgsLen member vs. local postArgsLen.
* remove useless NULL pointer check before delete().
* Remove _postArgs member from ESP8266WebServer.h
* Remove searching through always empty _postArgs array in ESP8266WebServer-impl.h
Avoid a null pointer exception when ArduinoOTA.end() is called more than once and thus the UDP socket is already freed.
Also avoid unnecessary teardown if the class is not initialized yet (for example, begin() wasn't called yet, or end() is called multiple times).
* optionally move float emulation code into iram
allows doing float operation in iram
suitable for libraries like AccelStepper when called from ISR
* proposed changes for pio from @mcspr
* Resolve HWDT Reset with core_esp8266_vm
With the newer GCC compiler (after tag 3.0.2), example virtualmem was crashing with a HWDT reset.
Reordered some SPI register set lines in spi_init().
New ordering was based on ::begin in SPI.cpp
This change may resolve issues described in
https://github.com/esp8266/Arduino/discussions/9010
* Added memory barrier to changes
spi_ctrl appears to need setting before other SPI registers
* added getAvailableVersion(), moved _httpClientTimeout and _followRedirects to protected, added enum HTTPUpdateError
* auto numbering of HTTPUpdateError enum
* added getAvailableVersion(), debug output current current Sketch MD5
* updated advanced updater php script
* switch case indention corrected
* Revert "added getAvailableVersion(), debug output current current Sketch MD5"
This reverts commit 60d2c7762e7fb1fed7fae37fa99be149e12f125c.
* Revert "auto numbering of HTTPUpdateError enum"
This reverts commit 61785b27da3f2d42f8f95316d78ce22e5b00103a.
* Revert "added getAvailableVersion(), moved _httpClientTimeout and _followRedirects to protected, added enum HTTPUpdateError"
This reverts commit cec84ed17ab149d3e48082293f9e2723246b7d0b.
* corrected incorrect merge with master