JSONSerialization: fix a crash when an escape sequence contains low-surrogate code point without the corresponding high-surrogate code point

broadwaylamb · broadwaylamb · commit f1392681703c · 2018-12-12T14:24:24.000+03:00
diff --git a/Foundation/JSONSerialization.swift b/Foundation/JSONSerialization.swift
@@ -738,11 +738,20 @@ private struct JSONReader {
             return nil
         }
 
-        if !UTF16.isLeadSurrogate(codeUnit) {
+        let isLeadSurrogate = UTF16.isLeadSurrogate(codeUnit)
+        let isTrailSurrogate = UTF16.isTrailSurrogate(codeUnit)
+
+        if !isLeadSurrogate && !isTrailSurrogate {
             return (String(UnicodeScalar(codeUnit)!), index)
         }
 
-        guard let (trailCodeUnit, finalIndex) = try consumeASCIISequence("\\u", input: index).flatMap(parseCodeUnit) , UTF16.isTrailSurrogate(trailCodeUnit) else {
+        guard !isTrailSurrogate else {
+            throw NSError(domain: NSCocoaErrorDomain, code: CocoaError.propertyListReadCorrupt.rawValue, userInfo: [
+                "NSDebugDescription" : "Unable to convert unicode escape sequence (no high-surrogate code point) to UTF8-encoded character at position \(source.distanceFromStart(input))"
+            ])
+        }
+
+        guard let (trailCodeUnit, finalIndex) = try consumeASCIISequence("\\u", input: index).flatMap(parseCodeUnit), UTF16.isTrailSurrogate(trailCodeUnit) else {
             throw NSError(domain: NSCocoaErrorDomain, code: CocoaError.propertyListReadCorrupt.rawValue, userInfo: [
                 "NSDebugDescription" : "Unable to convert unicode escape sequence (no low-surrogate code point) to UTF8-encoded character at position \(source.distanceFromStart(input))"
             ])
diff --git a/TestFoundation/TestJSONSerialization.swift b/TestFoundation/TestJSONSerialization.swift
@@ -115,6 +115,7 @@ extension TestJSONSerialization {
             ("test_deserialize_invalidValueInArray_withData", test_deserialize_invalidValueInArray_withData),
             ("test_deserialize_badlyFormedArray_withData", test_deserialize_badlyFormedArray_withData),
             ("test_deserialize_invalidEscapeSequence_withData", test_deserialize_invalidEscapeSequence_withData),
+            ("test_deserialize_unicodeMissingLeadingSurrogate_withData", test_deserialize_unicodeMissingLeadingSurrogate_withData),
             ("test_deserialize_unicodeMissingTrailingSurrogate_withData", test_deserialize_unicodeMissingTrailingSurrogate_withData),
 
             //Deserialization with Stream
@@ -146,6 +147,7 @@ extension TestJSONSerialization {
             ("test_deserialize_invalidValueInArray_withStream", test_deserialize_invalidValueInArray_withStream),
             ("test_deserialize_badlyFormedArray_withStream", test_deserialize_badlyFormedArray_withStream),
             ("test_deserialize_invalidEscapeSequence_withStream", test_deserialize_invalidEscapeSequence_withStream),
+            ("test_deserialize_unicodeMissingLeadingSurrogate_withStream", test_deserialize_unicodeMissingLeadingSurrogate_withStream),
             ("test_deserialize_unicodeMissingTrailingSurrogate_withStream", test_deserialize_unicodeMissingTrailingSurrogate_withStream),
             ("test_JSONObjectWithStream_withFile", test_JSONObjectWithStream_withFile),
             ("test_JSONObjectWithStream_withURL", test_JSONObjectWithStream_withURL),
@@ -242,6 +244,10 @@ extension TestJSONSerialization {
         deserialize_invalidEscapeSequence(objectType: .data)
     }
 
+    func test_deserialize_unicodeMissingLeadingSurrogate_withData() {
+        deserialize_unicodeMissingLeadingSurrogate(objectType: .data)
+    }
+
     func test_deserialize_unicodeMissingTrailingSurrogate_withData() {
         deserialize_unicodeMissingTrailingSurrogate(objectType: .data)
     }
@@ -336,6 +342,10 @@ extension TestJSONSerialization {
         deserialize_invalidEscapeSequence(objectType: .stream)
     }
 
+    func test_deserialize_unicodeMissingLeadingSurrogate_withStream() {
+        deserialize_unicodeMissingLeadingSurrogate(objectType: .stream)
+    }
+
     func test_deserialize_unicodeMissingTrailingSurrogate_withStream() {
         deserialize_unicodeMissingTrailingSurrogate(objectType: .stream)
     }
@@ -738,6 +748,20 @@ extension TestJSONSerialization {
         }
     }
 
+    func deserialize_unicodeMissingLeadingSurrogate(objectType: ObjectType) {
+        let subject = "[\"\\uDFF3\"]"
+        do {
+            guard let data = subject.data(using: .utf8) else {
+                XCTFail("Unable to convert string to data")
+                return
+            }
+            let _ = try getjsonObjectResult(data, objectType) as? [String]
+            XCTFail("Expected error: Missing Leading Surrogate")
+        } catch {
+            // Passing case; the unicode character is malformed
+        }
+    }
+
     func deserialize_unicodeMissingTrailingSurrogate(objectType: ObjectType) {
         let subject = "[\"\\uD834\"]"
         do {
