Merge pull request #430 from orisano/fix/#429

fix: added buffer size check when decoding key
Masaaki Goshima 2023-03-13 19:41:09 +09:00 committed by GitHub
commit 8a4a17d370
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 16 deletions


@ -4015,3 +4015,18 @@ func TestIssue408(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
} }
func TestIssue429(t *testing.T) {
var x struct {
N int32
}
for _, b := range []string{
`{"\u"`,
`{"\u0"`,
`{"\u00"`,
} {
if err := json.Unmarshal([]byte(b), &x); err == nil {
t.Errorf("unexpected success")
}
}
}
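Review bot: The three inputs in `TestIssue429` cover truncation only inside the first `\uXXXX` group. Nothing exercises a key that ends right after the backslash (`{"\`) or a high surrogate followed by a cut-off low half (for example `{"\ud83d\u`), although both go through the functions this commit changes. Adding those strings to the slice would pin the remaining bounds paths. The failure message would also be easier to act on if it named the input: `t.Errorf("unexpected success for %q", b)`.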


@ -158,49 +158,53 @@ func (d *structDecoder) tryOptimize() {
} }
// decode from '\uXXXX' // decode from '\uXXXX'
func decodeKeyCharByUnicodeRune(buf []byte, cursor int64) ([]byte, int64) { func decodeKeyCharByUnicodeRune(buf []byte, cursor int64) ([]byte, int64, error) {
const defaultOffset = 4 const defaultOffset = 4
const surrogateOffset = 6 const surrogateOffset = 6
if cursor+defaultOffset >= int64(len(buf)) {
return nil, 0, errors.ErrUnexpectedEndOfJSON("escaped string", cursor)
}
r := unicodeToRune(buf[cursor : cursor+defaultOffset]) r := unicodeToRune(buf[cursor : cursor+defaultOffset])
if utf16.IsSurrogate(r) { if utf16.IsSurrogate(r) {
cursor += defaultOffset cursor += defaultOffset
if cursor+surrogateOffset >= int64(len(buf)) || buf[cursor] != '\\' || buf[cursor+1] != 'u' { if cursor+surrogateOffset >= int64(len(buf)) || buf[cursor] != '\\' || buf[cursor+1] != 'u' {
return []byte(string(unicode.ReplacementChar)), cursor + defaultOffset - 1 return []byte(string(unicode.ReplacementChar)), cursor + defaultOffset - 1, nil
} }
cursor += 2 cursor += 2
r2 := unicodeToRune(buf[cursor : cursor+defaultOffset]) r2 := unicodeToRune(buf[cursor : cursor+defaultOffset])
if r := utf16.DecodeRune(r, r2); r != unicode.ReplacementChar { if r := utf16.DecodeRune(r, r2); r != unicode.ReplacementChar {
return []byte(string(r)), cursor + defaultOffset - 1 return []byte(string(r)), cursor + defaultOffset - 1, nil
} }
} }
return []byte(string(r)), cursor + defaultOffset - 1 return []byte(string(r)), cursor + defaultOffset - 1, nil
} }
func decodeKeyCharByEscapedChar(buf []byte, cursor int64) ([]byte, int64) { func decodeKeyCharByEscapedChar(buf []byte, cursor int64) ([]byte, int64, error) {
c := buf[cursor] c := buf[cursor]
cursor++ cursor++
switch c { switch c {
case '"': case '"':
return []byte{'"'}, cursor return []byte{'"'}, cursor, nil
case '\\': case '\\':
return []byte{'\\'}, cursor return []byte{'\\'}, cursor, nil
case '/': case '/':
return []byte{'/'}, cursor return []byte{'/'}, cursor, nil
case 'b': case 'b':
return []byte{'\b'}, cursor return []byte{'\b'}, cursor, nil
case 'f': case 'f':
return []byte{'\f'}, cursor return []byte{'\f'}, cursor, nil
case 'n': case 'n':
return []byte{'\n'}, cursor return []byte{'\n'}, cursor, nil
case 'r': case 'r':
return []byte{'\r'}, cursor return []byte{'\r'}, cursor, nil
case 't': case 't':
return []byte{'\t'}, cursor return []byte{'\t'}, cursor, nil
case 'u': case 'u':
return decodeKeyCharByUnicodeRune(buf, cursor) return decodeKeyCharByUnicodeRune(buf, cursor)
} }
return nil, cursor return nil, cursor, nil
} }
func decodeKeyByBitmapUint8(d *structDecoder, buf []byte, cursor int64) (int64, *structFieldSet, error) { func decodeKeyByBitmapUint8(d *structDecoder, buf []byte, cursor int64) (int64, *structFieldSet, error) {
@ -242,7 +246,10 @@ func decodeKeyByBitmapUint8(d *structDecoder, buf []byte, cursor int64) (int64,
return 0, nil, errors.ErrUnexpectedEndOfJSON("string", cursor) return 0, nil, errors.ErrUnexpectedEndOfJSON("string", cursor)
case '\\': case '\\':
cursor++ cursor++
chars, nextCursor := decodeKeyCharByEscapedChar(buf, cursor) chars, nextCursor, err := decodeKeyCharByEscapedChar(buf, cursor)
if err != nil {
return 0, nil, err
}
for _, c := range chars { for _, c := range chars {
curBit &= bitmap[keyIdx][largeToSmallTable[c]] curBit &= bitmap[keyIdx][largeToSmallTable[c]]
if curBit == 0 { if curBit == 0 {
@ -305,7 +312,10 @@ func decodeKeyByBitmapUint16(d *structDecoder, buf []byte, cursor int64) (int64,
return 0, nil, errors.ErrUnexpectedEndOfJSON("string", cursor) return 0, nil, errors.ErrUnexpectedEndOfJSON("string", cursor)
case '\\': case '\\':
cursor++ cursor++
chars, nextCursor := decodeKeyCharByEscapedChar(buf, cursor) chars, nextCursor, err := decodeKeyCharByEscapedChar(buf, cursor)
if err != nil {
return 0, nil, err
}
for _, c := range chars { for _, c := range chars {
curBit &= bitmap[keyIdx][largeToSmallTable[c]] curBit &= bitmap[keyIdx][largeToSmallTable[c]]
if curBit == 0 { if curBit == 0 {
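Review bot: `decodeKeyCharByEscapedChar` still reads `c := buf[cursor]` with no length check, so the new guard protects only the `\u` branch. An input that ends right after the backslash is safe only if `buf` always carries a trailing sentinel byte, which this section does not show. Now that the function returns an error, a guard at its top would make it self-contained: `if cursor >= int64(len(buf)) { return nil, 0, errors.ErrUnexpectedEndOfJSON("escaped string", cursor) }`. Separately, the fall-through `return nil, cursor, nil` still accepts an unknown escape character and yields no key bytes, so a key containing such an escape appears to be matched as if the escape were absent. Returning a syntax error there would keep key matching consistent with stricter parsers when the JSON is untrusted.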