ChangeLog and NEWS update for sexp parser fixes.

author Niels Möller <nisse@lysator.liu.se>

Fri, 2 Jan 2026 15:48:55 +0000 (16:48 +0100)

committer Niels Möller <nisse@lysator.liu.se>

Fri, 2 Jan 2026 15:48:55 +0000 (16:48 +0100)
author Niels Möller <nisse@lysator.liu.se>
Fri, 2 Jan 2026 15:48:55 +0000 (16:48 +0100)
committer Niels Möller <nisse@lysator.liu.se>
Fri, 2 Jan 2026 15:48:55 +0000 (16:48 +0100)
diff --git a/ChangeLog b/ChangeLog

index 203d5f9f314020cd0c67529542764fdba24b6ba2..0239f64188d8a944a3361b63825744d12cf5e000 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2026-01-02  Niels Möller  <nisse@lysator.liu.se>
+
+       * sexp.c (sexp_iterator_exit_list): Rewrite to not recurse via
+       sexp_iterator_next.
+
  2025-12-17  Niels Möller  <nisse@lysator.liu.se>
  
         * sexp.c (sexp_iterator_simple): Fix off-by-one error in length
diff --git a/NEWS b/NEWS

index 8b6d095aa8fd9fe7e2d7c11aefebe1238872b5d5..b9bba8b9d7d9467c75c4e388f0c59c29bfc2f414 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -130,6 +130,13 @@ NEWS for the Nettle 4.0 release
           Baryshkov years ago, but delayed, since it implies an ABI
           break.
  
+       Bug fixes:
+
+       * Fix off-by-one bug in sexp parser, which could result in a
+         one byte overread on invalid input. Also fix excessive
+         recursion and stack usage for some inputs. Both problems
+         reported via oss-fuzz.
+
         New features:
  
         * Support for SLH-DSA signatures (stateless hash-based digital
author	Niels Möller <nisse@lysator.liu.se>
	Fri, 2 Jan 2026 15:48:55 +0000 (16:48 +0100)
committer	Niels Möller <nisse@lysator.liu.se>
	Fri, 2 Jan 2026 15:48:55 +0000 (16:48 +0100)
ChangeLog		patch \| blob \| blame \| history
NEWS		patch \| blob \| blame \| history