From 42805aa953ddf44901387a224da1afed7824bfe1 Mon Sep 17 00:00:00 2001
From: Nao Yonashiro
Date: Fri, 29 Apr 2022 17:16:25 +0900
Subject: [PATCH] fix: add escape sequence validation
fix #335
---
 decode_test.go | 9 +++++++++
 internal/decoder/string.go | 7 +++++++
 2 files changed, 16 insertions(+)
diff --git a/decode_test.go b/decode_test.go
index 93b7f41..f5e2563 100644
--- a/decode_test.go
+++ b/decode_test.go
@@ -3959,3 +3959,12 @@ func TestIssue362(t *testing.T) {
 assertErr(t, err)
 assertEq(t, "TestEmbeddedPrimitiveAlias", originalCombiner, newCombiner)
 }
+
+func TestIssue335(t *testing.T) {
+ var v []string
+ in := []byte(`["\u","A"]`)
+ err := json.Unmarshal(in, &v)
+ if err == nil {
+ t.Errorf("unexpected success")
+ }
+}
diff --git a/internal/decoder/string.go b/internal/decoder/string.go
index dc0a010..cef6688 100644
--- a/internal/decoder/string.go
+++ b/internal/decoder/string.go
@@ -2,6 +2,7 @@ package decoder
 import (
 "bytes"
+ "fmt"
 "reflect"
 "unicode"
 "unicode/utf16"
@@ -323,6 +324,12 @@ func (d *stringDecoder) decodeByte(buf []byte, cursor int64) ([]byte, int64, err
 if cursor+5 >= buflen {
 return nil, 0, errors.ErrUnexpectedEndOfJSON("escaped string", cursor)
 }
+ for i := int64(1); i <= 4; i++ {
+ c := char(b, cursor+i)
+ if !(('0' <= c && c <= '9') || ('a' <= c && c <= 'f') || ('A' <= c && c <= 'F')) {
+ return nil, 0, errors.ErrSyntax(fmt.Sprintf("json: invalid character %c in \\u hexadecimal character escape", c), cursor+i)
+ }
+ }
 cursor += 5
 default:
 return nil, 0, errors.ErrUnexpectedEndOfJSON("escaped string", cursor)
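Review bot: TestIssue335 in decode_test.go only asserts that some error comes back for `["\u","A"]`; it does not pin which error, and it has no positive case, so a regression that rejects every `\u` escape (or only accepts upper-case digits) would still pass. I would add a well-formed input beside it, e.g. `if err := json.Unmarshal([]byte("[\"\\u0041\",\"\\u00e9\"]"), &v); err != nil || len(v) != 2 || v[0] != "A" { t.Fatalf("valid \\u escape rejected: %v", err) }`, and check the returned error against the syntax-error type this package exposes, if it has one, rather than a bare nil comparison. Using t.Fatalf instead of t.Errorf also stops the test at the first failure instead of continuing with a half-populated v.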
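Review bot: The new loop in decodeByte formats the offending byte with `%c`, so a NUL, control byte or lone UTF-8 continuation byte from the input is written raw into the error string (and a byte above 0x7F is printed as a Latin-1 rune rather than the byte that was read); `%q` renders it as an escaped character literal, `errors.ErrSyntax(fmt.Sprintf("json: invalid character %q in \\u hexadecimal character escape", c), cursor+i)`, which is safer when the message reaches logs and is closer to the form the standard library's message takes. The four reads at cursor+1..cursor+4 are in bounds only because of the `cursor+5 >= buflen` guard directly above; a one-line comment on the loop, `// the buflen guard above guarantees cursor+1..cursor+4 are readable`, would record that dependency for the next person who moves either piece. If the same three-range test appears elsewhere in the decoder, an `isHexDigit(c byte) bool` helper would keep this condition readable. decodeByte begins and ends outside this hunk.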