{
  "repository": "alibaba/xquic",
  "commit_source": "git_rev_parse",
  "commit_sha": "96155cffbde7f062fe45ac3f6899f47e25709d30",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "96155cffbde7f062fe45ac3f6899f47e25709d30",
    "version": "v1.9.4",
    "ref": "v1.9.4",
    "display": "alibaba/xquic v1.9.4 (commit 96155cf) - vulnerable, line intact"
  },
  "variant_target": {
    "target_kind": "git_tag_with_local_patch",
    "commit_sha": "96155cffbde7f062fe45ac3f6899f47e25709d30",
    "version": "v1.9.4",
    "ref": "v1.9.4 + local one-line patch",
    "display": "alibaba/xquic v1.9.4 (commit 96155cf) + local one-line fix: ori_sz1 = rmem->capacity - soffset_ori at src/common/utils/ringmem/xqc_ring_mem.c:129 (no upstream patch exists; v1.9.4 is the latest release as of 2026-07-09)"
  },
  "vulnerable_revision": {
    "commit_sha": "96155cffbde7f062fe45ac3f6899f47e25709d30",
    "ref": "v1.9.4",
    "source_path": "src/common/utils/ringmem/xqc_ring_mem.c",
    "vulnerable_line": 129,
    "vulnerable_line_content": "size_t ori_sz1 = mcap - soffset_ori;    /* size of first block in original buffer */"
  },
  "fixed_revision": {
    "commit_sha": "96155cffbde7f062fe45ac3f6899f47e25709d30",
    "ref": "v1.9.4 + local one-line patch",
    "source_path": "src/common/utils/ringmem/xqc_ring_mem.c",
    "fixed_line": 129,
    "fixed_line_content": "size_t ori_sz1 = rmem->capacity - soffset_ori;    /* size of first block in original buffer */",
    "patch_description": "single-line sed patch applied to a copy of the v1.9.4 tree (repo-fixed); no upstream fix commit exists"
  },
  "latest_release_check": {
    "latest_release": "v1.9.4",
    "latest_release_commit": "96155cffbde7f062fe45ac3f6899f47e25709d30",
    "checked_on": "2026-07-09",
    "upstream_fix_exists": false,
    "source": "github.com/alibaba/xquic releases (26 releases, v1.9.4 latest 2026-06-23) + disclosure stating no patch available"
  },
  "build_identity": {
    "vuln_asan_bin": "demo_server_vuln_asan (built from repo @ 96155cf, ASAN/Debug)",
    "fixed_asan_bin": "demo_server_fixed_asan (built from repo-fixed @ 96155cf + one-line patch, ASAN/Debug)",
    "ssl_backend": "Tongsuo/BabaSSL 8.4-stable",
    "compiler": "gcc 15.2.0, -fsanitize=address -fno-omit-frame-pointer -g -O1",
    "client": "quic-go v0.60.0 (Go 1.26.5), parameterized"
  },
  "notes": "Both vulnerable and fixed ASAN binaries were built from the same base commit 96155cf; the fixed binary adds the one-line ori_sz1 correction. The exact tested revisions are also persisted in bundle/logs/vuln_variant/{vulnerable,fixed,latest}_version.txt and source_revision_summary.txt."
}
