[JSON] Fix a potential buffer over read in floating point parsing.

rintaro · rintaro · commit 679b929fe2c3 · 2024-04-22T12:05:30.000-07:00
The source JSON buffer is not guaranteed to be null terminated. If a
number is at top-level, 'strtod'/'strtof' tries to read past the buffer
which is not great
diff --git a/Sources/SwiftCompilerPluginMessageHandling/JSON/JSONDecoding.swift b/Sources/SwiftCompilerPluginMessageHandling/JSON/JSONDecoding.swift
@@ -622,19 +622,40 @@ private enum _JSONNumberParser {
   }
 
   static func parseFloatingPoint<Floating: BinaryFloatingPoint>(source: UnsafeBufferPointer<UInt8>) -> Floating? {
-    var endPtr: UnsafeMutablePointer<CChar>? = nil
-    let value: Floating?
-    if Floating.self == Double.self {
-      value = Floating(exactly: strtod(source.baseAddress!, &endPtr))
-    } else if Floating.self == Float.self {
-      value = Floating(exactly: strtof(source.baseAddress!, &endPtr))
+    // Since source is not NUL terminated, we need to make a temporary storage.
+    // Depending on the length of the source, prepare the buffer on stack or heap,
+    // then call 'impl(_:)' (defined below) for the actual operation.
+    if source.count + 1 <= MemoryLayout<UInt64>.size {
+      var stash: UInt64 = 0
+      return withUnsafeMutableBytes(of: &stash) {
+        $0.withMemoryRebound(to: UInt8.self, impl)
+      }
     } else {
-      fatalError("unsupported floating point type")
+      let stash = UnsafeMutableBufferPointer<UInt8>.allocate(capacity: source.count + 1)
+      defer { stash.deallocate() }
+      return impl(stash)
     }
-    guard endPtr! == source.baseAddress! + source.count else {
-      return nil
+
+    func impl(_ stash: UnsafeMutableBufferPointer<UInt8>) -> Floating? {
+      // Create a NUL terminated string in the stash.
+      assert(stash.count >= source.count + 1)
+      let end = stash.initialize(fromContentsOf: source)
+      stash.initializeElement(at: end, to: 0)
+
+      var endPtr: UnsafeMutablePointer<CChar>? = nil
+      let value: Floating?
+      if Floating.self == Double.self {
+        value = Floating(exactly: strtod(stash.baseAddress!, &endPtr))
+      } else if Floating.self == Float.self {
+        value = Floating(exactly: strtof(stash.baseAddress!, &endPtr))
+      } else {
+        preconditionFailure("unsupported floating point type")
+      }
+      guard let endPtr, endPtr == stash.baseAddress! + source.count else {
+        return nil
+      }
+      return value
     }
-    return value
   }
 
   static func parseHexIntegerDigits<Integer: FixedWidthInteger>(source: UnsafeBufferPointer<UInt8>) -> Integer? {
diff --git a/Tests/SwiftCompilerPluginTest/JSONTests.swift b/Tests/SwiftCompilerPluginTest/JSONTests.swift
@@ -172,6 +172,16 @@ final class JSONTests: XCTestCase {
     assertRoundTripTypeCoercionFailure(of: [0.0, 1.0] as [Double], as: [Bool].self)
   }
 
+  func testFloatingPointBufferBoundary() throws {
+    // Make sure floating point parsing does not read past the decoding JSON buffer.
+    var str = "0.199"
+    try str.withUTF8 { buf in
+      let truncated = UnsafeBufferPointer(rebasing: buf[0..<3])
+      XCTAssertEqual(try JSON.decode(Double.self, from: truncated), 0.1)
+      XCTAssertEqual(try JSON.decode(Float.self, from: truncated), 0.1)
+    }
+  }
+
   private func assertRoundTrip<T: Codable & Equatable>(
     of value: T,
     expectedJSON: String,
