fix: added buffer size check when decoding key

fix #429
2023-02-22 20:54:26 +09:00 · 2023-02-22 20:54:26 +09:00 · cdbc29239b
parent a2149a5b25
commit cdbc29239b
2 changed files with 41 additions and 16 deletions
--- a/decode_test.go
+++ b/decode_test.go
@ -4015,3 +4015,18 @@ func TestIssue408(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestIssue429(t *testing.T) {
+	var x struct {
+		N int32
+	}
+	for _, b := range []string{
+		`{"\u"`,
+		`{"\u0"`,
+		`{"\u00"`,
+	} {
+		if err := json.Unmarshal([]byte(b), &x); err == nil {
+			t.Errorf("unexpected success")
+		}
+	}
+}
--- a/internal/decoder/struct.go
+++ b/internal/decoder/struct.go
@ -158,49 +158,53 @@ func (d *structDecoder) tryOptimize() {
 }

 // decode from '\uXXXX'
-func decodeKeyCharByUnicodeRune(buf []byte, cursor int64) ([]byte, int64) {
+func decodeKeyCharByUnicodeRune(buf []byte, cursor int64) ([]byte, int64, error) {
 	const defaultOffset = 4
 	const surrogateOffset = 6

+	if cursor+defaultOffset >= int64(len(buf)) {
+		return nil, 0, errors.ErrUnexpectedEndOfJSON("escaped string", cursor)
+	}
+
 	r := unicodeToRune(buf[cursor : cursor+defaultOffset])
 	if utf16.IsSurrogate(r) {
 		cursor += defaultOffset
 		if cursor+surrogateOffset >= int64(len(buf)) || buf[cursor] != '\\' || buf[cursor+1] != 'u' {
-			return []byte(string(unicode.ReplacementChar)), cursor + defaultOffset - 1
+			return []byte(string(unicode.ReplacementChar)), cursor + defaultOffset - 1, nil
 		}
 		cursor += 2
 		r2 := unicodeToRune(buf[cursor : cursor+defaultOffset])
 		if r := utf16.DecodeRune(r, r2); r != unicode.ReplacementChar {
-			return []byte(string(r)), cursor + defaultOffset - 1
+			return []byte(string(r)), cursor + defaultOffset - 1, nil
 		}
 	}
-	return []byte(string(r)), cursor + defaultOffset - 1
+	return []byte(string(r)), cursor + defaultOffset - 1, nil
 }

-func decodeKeyCharByEscapedChar(buf []byte, cursor int64) ([]byte, int64) {
+func decodeKeyCharByEscapedChar(buf []byte, cursor int64) ([]byte, int64, error) {
 	c := buf[cursor]
 	cursor++
 	switch c {
 	case '"':
-		return []byte{'"'}, cursor
+		return []byte{'"'}, cursor, nil
 	case '\\':
-		return []byte{'\\'}, cursor
+		return []byte{'\\'}, cursor, nil
 	case '/':
-		return []byte{'/'}, cursor
+		return []byte{'/'}, cursor, nil
 	case 'b':
-		return []byte{'\b'}, cursor
+		return []byte{'\b'}, cursor, nil
 	case 'f':
-		return []byte{'\f'}, cursor
+		return []byte{'\f'}, cursor, nil
 	case 'n':
-		return []byte{'\n'}, cursor
+		return []byte{'\n'}, cursor, nil
 	case 'r':
-		return []byte{'\r'}, cursor
+		return []byte{'\r'}, cursor, nil
 	case 't':
-		return []byte{'\t'}, cursor
+		return []byte{'\t'}, cursor, nil
 	case 'u':
 		return decodeKeyCharByUnicodeRune(buf, cursor)
 	}
-	return nil, cursor
+	return nil, cursor, nil
 }

 func decodeKeyByBitmapUint8(d *structDecoder, buf []byte, cursor int64) (int64, *structFieldSet, error) {
@ -242,7 +246,10 @@ func decodeKeyByBitmapUint8(d *structDecoder, buf []byte, cursor int64) (int64,
 					return 0, nil, errors.ErrUnexpectedEndOfJSON("string", cursor)
 				case '\\':
 					cursor++
-					chars, nextCursor := decodeKeyCharByEscapedChar(buf, cursor)
+					chars, nextCursor, err := decodeKeyCharByEscapedChar(buf, cursor)
+					if err != nil {
+						return 0, nil, err
+					}
 					for _, c := range chars {
 						curBit &= bitmap[keyIdx][largeToSmallTable[c]]
 						if curBit == 0 {
@ -305,7 +312,10 @@ func decodeKeyByBitmapUint16(d *structDecoder, buf []byte, cursor int64) (int64,
 					return 0, nil, errors.ErrUnexpectedEndOfJSON("string", cursor)
 				case '\\':
 					cursor++
-					chars, nextCursor := decodeKeyCharByEscapedChar(buf, cursor)
+					chars, nextCursor, err := decodeKeyCharByEscapedChar(buf, cursor)
+					if err != nil {
+						return 0, nil, err
+					}
 					for _, c := range chars {
 						curBit &= bitmap[keyIdx][largeToSmallTable[c]]
 						if curBit == 0 {