fix: out-of-bounds accessing in advance_string() (#161)

* fix: out-of-bounds accessing in advance_string() * fix: use Clang12 as C compiler Co-authored-by: liuqiang <liuqiang.06@bytedance.com> Co-authored-by: duanyi.aster <duanyi.aster@bytedance.com>
2026-06-21 00:46:43 +08:00 · 2021-12-21 20:03:01 +08:00 · 2021-12-21 20:03:01 +08:00 · 8dfaa13d3e
commit 8dfaa13d3e
parent 188e829dd7
8 changed files with 1161 additions and 1142 deletions
--- a/internal/native/avx/native_amd64.s
+++ b/internal/native/avx/native_amd64.s
--- a/internal/native/avx/native_amd64_test.go
+++ b/internal/native/avx/native_amd64_test.go
@ -43,6 +43,16 @@ func TestNative_Value(t *testing.T) {
    assert.Equal(t, 3, v.Ep)
 }

+func TestNative_Value_OutOfBound(t *testing.T) {
+    var v types.JsonState
+    mem := []byte{'"', '"'}
+    s := rt.Mem2Str(mem[:1])
+    p := (*rt.GoString)(unsafe.Pointer(&s))
+    x := __value(p.Ptr, p.Len, 0, &v, 0)
+    assert.Equal(t, 1, x)
+    assert.Equal(t, -int(types.ERR_EOF), int(v.Vt))
+}
+
 func TestNative_Quote(t *testing.T) {
    s := "hello\b\f\n\r\t\\\"\u666fworld"
    d := make([]byte, 256)
--- a/internal/native/avx/native_subr_amd64.go
+++ b/internal/native/avx/native_subr_amd64.go
@ -14,16 +14,16 @@ var (
    _subr__lspace      = __native_entry__() + 301
    _subr__lzero       = __native_entry__() + 13
    _subr__quote       = __native_entry__() + 4955
-    _subr__skip_array  = __native_entry__() + 17298
-    _subr__skip_object = __native_entry__() + 17333
-    _subr__skip_one    = __native_entry__() + 15505
+    _subr__skip_array  = __native_entry__() + 17304
+    _subr__skip_object = __native_entry__() + 17339
+    _subr__skip_one    = __native_entry__() + 15525
    _subr__u64toa      = __native_entry__() + 3735
    _subr__unquote     = __native_entry__() + 5888
    _subr__value       = __native_entry__() + 10928
-    _subr__vnumber     = __native_entry__() + 13704
-    _subr__vsigned     = __native_entry__() + 14977
-    _subr__vstring     = __native_entry__() + 12691
-    _subr__vunsigned   = __native_entry__() + 15236
+    _subr__vnumber     = __native_entry__() + 13724
+    _subr__vsigned     = __native_entry__() + 14997
+    _subr__vstring     = __native_entry__() + 12689
+    _subr__vunsigned   = __native_entry__() + 15256
 )

 var (
--- a/internal/native/avx2/native_amd64.s
+++ b/internal/native/avx2/native_amd64.s
--- a/internal/native/avx2/native_amd64_test.go
+++ b/internal/native/avx2/native_amd64_test.go
@ -43,6 +43,16 @@ func TestNative_Value(t *testing.T) {
    assert.Equal(t, 3, v.Ep)
 }

+func TestNative_Value_OutOfBound(t *testing.T) {
+    var v types.JsonState
+    mem := []byte{'"', '"'}
+    s := rt.Mem2Str(mem[:1])
+    p := (*rt.GoString)(unsafe.Pointer(&s))
+    x := __value(p.Ptr, p.Len, 0, &v, 0)
+    assert.Equal(t, 1, x)
+    assert.Equal(t, -int(types.ERR_EOF), int(v.Vt))
+}
+
 func TestNative_Quote(t *testing.T) {
    s := "hello\b\f\n\r\t\\\"\u666fworld"
    d := make([]byte, 256)
--- a/internal/native/avx2/native_subr_amd64.go
+++ b/internal/native/avx2/native_subr_amd64.go
@ -14,16 +14,16 @@ var (
    _subr__lspace      = __native_entry__() + 429
    _subr__lzero       = __native_entry__() + 13
    _subr__quote       = __native_entry__() + 5328
-    _subr__skip_array  = __native_entry__() + 20361
-    _subr__skip_object = __native_entry__() + 20396
-    _subr__skip_one    = __native_entry__() + 17472
+    _subr__skip_array  = __native_entry__() + 20330
+    _subr__skip_object = __native_entry__() + 20365
+    _subr__skip_one    = __native_entry__() + 17473
    _subr__u64toa      = __native_entry__() + 4008
    _subr__unquote     = __native_entry__() + 7125
    _subr__value       = __native_entry__() + 13020
-    _subr__vnumber     = __native_entry__() + 15671
-    _subr__vsigned     = __native_entry__() + 16944
-    _subr__vstring     = __native_entry__() + 14794
-    _subr__vunsigned   = __native_entry__() + 17203
+    _subr__vnumber     = __native_entry__() + 15672
+    _subr__vsigned     = __native_entry__() + 16945
+    _subr__vstring     = __native_entry__() + 14795
+    _subr__vunsigned   = __native_entry__() + 17204
 )

 var (
--- a/internal/native/native_amd64_test.tmpl
+++ b/internal/native/native_amd64_test.tmpl
@ -41,6 +41,16 @@ func TestNative_Value(t *testing.T) {
    assert.Equal(t, 3, v.Ep)
 }

+func TestNative_Value_OutOfBound(t *testing.T) {
+    var v types.JsonState
+    mem := []byte{'"', '"'}
+    s := rt.Mem2Str(mem[:1])
+    p := (*rt.GoString)(unsafe.Pointer(&s))
+    x := __value(p.Ptr, p.Len, 0, &v, 0)
+    assert.Equal(t, 1, x)
+    assert.Equal(t, -int(types.ERR_EOF), int(v.Vt))
+}
+
 func TestNative_Quote(t *testing.T) {
    s := "hello\b\f\n\r\t\\\"\u666fworld"
    d := make([]byte, 256)
--- a/native/scanning.c
+++ b/native/scanning.c
@ -107,6 +107,11 @@ static inline ssize_t advance_string(const GoString *src, long p, int64_t *ep) {
    uint64_t m1;
    uint64_t cr = 0;

+    /* prevent out-of-bounds accessing */
+    if (unlikely(src->len == p)) {
+        return -ERR_EOF;
+    }
+
    /* buffer pointers */
    size_t       nb = src->len;
    const char * sp = src->buf;
@ -318,7 +323,7 @@ long value(const char *s, size_t n, long p, JsonState *ret, int allow_control) {
    long     q = p;
    GoString m = {.buf = s, .len = n};

-    /* parse the next identifier */
+    /* parse the next identifier, q is UNSAFE, may cause out-of-bounds accessing */
    switch (advance_ns(&m, &q)) {
        case '-' : /* fallthrough */
        case '0' : /* fallthrough */