
Releases: fxamacker/cbor

v1.4.0

25 Dec 23:23
1b57893

Release v1.4.0 (Dec 25, 2019)

Changes include:

  • Feature: Deprecate bool encoding options and add int SortMode (commit 3b78ee0)
  • Reliability: Use float16 to float32 conversion func that had all 65536 results verified to be correct (commit 48850b2)
  • Fix: Fix decoding of float16 subnormal numbers (commit 48850b2)

Fuzzing passed 532+ million execs with Go 1.12 at the time of release.
Fuzzing passed 4+ billion execs with Go 1.13 about 17-18 days after release.

v1.3.4

19 Dec 03:14
f092593

Release v1.3.4 (Dec 18, 2019)

v1.3.1 to v1.3.4 benefited from extensive code review and refactoring.

Changes include:

  • Fix: Limit nested levels to 32 for arrays, maps, tags to prevent stack exhaustion exploits (commit 3aa4328)
  • Fix: Fix error when decoding to not-nil interface (commit d26d3cd)
  • Misc: Refactor to improve readability and maintainability (commit d2d6a95)

Fuzzing reached 370+ million execs with Go 1.12 at the time of release.

Update: On Dec. 25, 2019, fuzzing passed 2+ billion execs with Go 1.13.

corpus: 1092 (46h8m ago), crashers: 0, restarts: 1/10000, execs: 2028736632 (3194/sec), cover: 2006, uptime: 176h27m

v1.3.3

10 Dec 01:17
998a7cd

Release v1.3.3 (Dec 9, 2019)

Changes include:

  • Fix: Fix panic when encoding new type with float32 as its underlying type (commit bb1c06a)
  • Fix: Change CBOR string validation error from SemanticError to SyntaxError (commit acaec05)
  • Fix: Reject CBOR indefinite length byte/text string with tagged chunks (commit 28e2c0b)
  • Fix: Reject CBOR indefinite length text string with invalid UTF-8 chunks (commit 9f1f677)
  • Misc: Add unit tests based on latest 7049bis and remove tests made redundant by this (commit ac1c292)

Fuzzing reached 276+ million execs at the time of release.

UPDATE: It continued fuzzing and reached 2.79+ billion execs about 8 days after release.

workers: 2, corpus: 1074 (44h26m ago), crashers: 0, restarts: 1/10000, execs: 2796329664 (3386/sec), cover: 2011, uptime: 229h25m

v1.3.2

27 Nov 15:01
64d2df0

Release v1.3.2 (Nov 27, 2019)

This release checks for additional issues while decoding well-formed CBOR messages.

Changes include:

  • Skip CBOR array/map elements on incompatible Go type
  • Check if CBOR type can be used as Go map key when map key type is interface{}

A separate project, cbor-fuzz, was updated to use new fxamacker/cbor features it had missed. Cover is noticeably higher (better) during fuzzing.

UPDATE: Fuzzing reached 4.2+ billion execs on Dec 3, 2019. Corpus is temporarily low (as shown here) for v1.3.2, but it's already 1000+ after combining Go 1.12 + Go 1.13 fuzzing corpus folders after this run.

2019/12/03 15:37:19 workers: 2, corpus: 602 (12h17m ago), crashers: 0, restarts: 1/10000, execs: 4226276531 (7203/sec), cover: 2000, uptime: 162h59m

v1.3.1

24 Nov 23:49
3677ff0

Release v1.3.1 (Nov 24, 2019)

Issue #46 resulted in filing an erratum to RFC 7049 (CBOR) after the same mistake was found in both 7049 and Wikipedia. RFC 7049 author (cabo) confirmed within an hour directly in #46, which was super nice of him.

I'll let fuzzing continue for 1-10 days, due in part to issue #46 and initial valid fuzzing corpus. Maybe it'll generate fewer corpus files this time to reach a good stopping point.

Most users of v1.3.0 won't notice any practical difference from these bugfixes. They involve data validation rules and an obscure difference in sorting rule for canonical encoding.

Changes include:

  • Fix: Relax decoding restriction on CBOR int to Go float (commit 71ea0c5)
  • Fix: Separate CTAP2 and RFC 7049 canonical encoding (commit 7164aa3)
  • Fix: Reject indefinite-length byte/text string if chunks are indefinite-length (commit a4adae8)
  • Fix: Reject CBOR primitive 2-byte simple value < 32 (commit aa44241)

This release passed 877k+ executions (19 hours, and still running) of coverage-guided fuzzing using fxamacker/cbor-fuzz.

workers: 2, corpus: 403 (48s ago), crashers: 0, restarts: 1/10000, execs: 877930249 (12405/sec), cover: 1501, uptime: 19h39m
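
The structural checks named in the v1.3.4, v1.3.3 and v1.3.1 notes (the 32-level nesting limit for arrays, maps and tags, and rejection of indefinite-length string chunks that are tagged or themselves indefinite-length), as an added standard-library example that is not code from fxamacker/cbor. The names `check` and `maxNested` are hypothetical, the inputs are constructed, and UTF-8 validity of text strings is not checked here.

```go
package main

import "fmt"

const maxNested = 32 // nesting limit named in the v1.3.4 notes
// check validates one data item lying inside depth containers and returns the bytes after it.
func check(b []byte, depth int) (rest []byte, ok bool) {
	if len(b) == 0 {
		return nil, false
	}
	major, ai, b := b[0]>>5, b[0]&0x1f, b[1:]
	n, size, ok := uint64(ai), 0, true
	if ai >= 24 && ai <= 27 {
		n, size = 0, 1<<(ai-24)
	}
	if (ai > 27 && (ai != 31 || major < 2 || major > 5)) || len(b) < size {
		return nil, false // reserved value, misplaced indefinite marker or break, truncated argument
	}
	for ; size > 0; size, b = size-1, b[1:] {
		n = n<<8 | uint64(b[0])
	}
	switch {
	case major < 2 || major == 7:
		return b, true // integer, simple value or float
	case major >= 4 && depth >= maxNested, major < 6 && ai != 31 && n > uint64(len(b)):
		return nil, false // nesting limit reached, or declared length cannot fit in the input
	case major == 6:
		n = 1 // a tag wraps exactly one item
	case ai == 31:
		n = ^uint64(0) // indefinite length: items run until the 0xff break byte
	case major < 4:
		return b[n:], true // definite-length byte/text string
	case major == 5:
		n *= 2 // a map holds n key/value pairs
	}
	for i := uint64(0); ok && i < n; i++ {
		if ai == 31 && len(b) > 0 && b[0] == 0xff {
			return b[1:], major != 5 || i%2 == 0 // a map must end on a whole key/value pair
		}
		if major < 4 && (len(b) == 0 || b[0]>>5 != major || b[0]&0x1f == 31) {
			return nil, false // chunk is tagged, mistyped or itself indefinite-length
		}
		b, ok = check(b, depth+1)
	}
	return b, ok
}

func main() {
	fmt.Println(check([]byte{0x5f, 0xc1, 0x41, 0x61, 0xff}, 0)) // constructed: tagged chunk
}
```

Because the depth check runs before any recursion into a container, the recursion depth is bounded by `maxNested` no matter how deeply the input claims to nest.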

v1.3.0

21 Nov 06:03
1bb0560

New struct tags "keyasint" and "toarray" make it easy to use Go structs with CBOR maps and arrays. Using COSE, CWT, SenML, etc. is more natural with less programming effort.

Encoding and decoding speed is faster than prior releases due to safe optimizations. Encoding speed and structs got the biggest speedups.

Benchmark comparisons are hard in v1.3 because older releases lack "keyasint" and "toarray". Some of the biggest speedups are from no longer having to use Go maps with COSE, CWT, SenML, etc.

Specific changes include:

  • Feature: Encode/Decode CBOR map with integer keys to Go struct with "keyasint" struct tag (commit 3cbdc26)
  • Feature: Encode/Decode CBOR array to Go struct with "toarray" struct tag (commit 07c8226)
  • Fix: Skip embedded struct pointed to by nil pointer during encoding (commit 593ee34)
  • Speed: Improve decoding speed (commit 726c423, 23d2052)
  • Speed: Improve encoding speed (commit 8ea465d, d85552b, 90423eb, 05e6b7c)
  • Misc: Refactor (commit ca1f6f1, be23d57, 1e745c3)
  • Misc: Add examples and benchmarks (commit 61d7682, 2964577, 6c17db7)

This release passed 2+ billion executions (72 hours) of coverage-guided fuzzing using fxamacker/cbor-fuzz v0.7.0:

workers: 2, corpus: 719 (72h27m ago), crashers: 0, restarts: 1/10000, execs: 2275843330 (8725/sec), cover: 1492, uptime: 72h27m

v1.2.0

05 Nov 19:49

Changes include:

  • Feature: Add RawMessage, Marshaler, and Unmarshaler (commit 1a29187)
  • Speed: Improve decoding into struct speed by +23% (commit 9ff43a1)
  • Fix: Return error on decoding unsupported CBOR neg int (commit 47055e7)
  • Misc: Add benchmarks using COSE and WebAuthn data (commit 22732d7)
  • Misc: Add more tests, including malicious CBOR data (credit: oasislabs/oasis-core)
  • Misc: Update README.md

This release passed 42 hours of fuzzing with fxamacker/cbor-fuzz v0.7.0.

v1.1.2

23 Oct 23:02
0ac41d7

Prevent an inappropriate use of BinaryUnmarshaler.

Specifically, don't allow CBOR byte string (major type 2) as input to Go's Time.UnmarshalBinary.

Time values should only be encoded/decoded using these CBOR data types: pos or neg integer, float, and text string. For more info, see RFC 7049 section 2.4.1.

For details, see commit 34ffc3a.

This release passed 24+ hours of fuzzing with fxamacker/cbor-fuzz v0.6.0.

v1.1.1

18 Oct 18:46

Improve slice encoding speed by 50%, struct by 30%, and map by 14%.

For details, see commit 29e05d7.

v1.1.0

08 Oct 02:38

Add support for encoding.BinaryMarshaler and encoding.BinaryUnmarshaler interfaces.

  • Encoder encodes value implementing encoding.BinaryMarshaler as CBOR byte string.
  • Decoder decodes CBOR byte string into a value implementing encoding.BinaryUnmarshaler.

For details, see commit 602ddc7 closing Issue #5.