lib: yyjson: add Unicode replacement and surrogate tolerance flags

Upstream PR: ibireme/yyjson#227

Signed-off-by: Eduardo Silva <[email protected]>

Author: edsiper

lib/yyjson-0.12.0/src/yyjson.c

@@ -4657,7 +4657,8 @@ static_inline bool read_num(u8 **ptr, u8 **pre, yyjson_read_flag flg,
  *============================================================================*/
 
 /** Read unicode escape sequence. */
-static_inline bool read_uni_esc(u8 **src_ptr, u8 **dst_ptr, const char **msg) {
+static_inline bool read_uni_esc(u8 **src_ptr, u8 **dst_ptr,
+                                const char **msg, yyjson_read_flag flg) {
 #define return_err(_end, _msg) *msg = _msg; *src_ptr = _end; return false
 
     u8 *src = *src_ptr;
@@ -4667,6 +4668,15 @@ static_inline bool read_uni_esc(u8 **src_ptr, u8 **dst_ptr, const char **msg) {
 
     src += 2; /* skip `\u` */
     if (unlikely(!hex_load_4(src, &hi))) {
+        if (has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1)) {
+            usize cnt = 0;
+            while (cnt < 4 && char_is_hex(src[cnt])) cnt++;
+            src += cnt;
+            *dst++ = 0xEF; *dst++ = 0xBF; *dst++ = 0xBD;
+            *src_ptr = src;
+            *dst_ptr = dst;
+            return true;
+        }
         return_err(src - 2, "invalid escaped sequence in string");
     }
     src += 4; /* skip hex */
@@ -4682,18 +4692,83 @@ static_inline bool read_uni_esc(u8 **src_ptr, u8 **dst_ptr, const char **msg) {
         } else {
             *dst++ = (u8)hi;
         }
-    } else {
+    } else if ((hi & 0xFC00) == 0xD800) {
         /* a non-BMP character, represented as a surrogate pair */
-        if (unlikely((hi & 0xFC00) != 0xD800)) {
-            return_err(src - 6, "invalid high surrogate in string");
-        }
         if (unlikely(!byte_match_2(src, "\\u"))) {
+            if (has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1)) {
+                *dst++ = 0xEF; *dst++ = 0xBF; *dst++ = 0xBD;
+                *src_ptr = src;
+                *dst_ptr = dst;
+                return true;
+            }
+            if (has_allow(INVALID_SURROGATE)) {
+                if (hi >= 0x800) {
+                    *dst++ = (u8)(0xE0 | (hi >> 12));
+                    *dst++ = (u8)(0x80 | ((hi >> 6) & 0x3F));
+                    *dst++ = (u8)(0x80 | (hi & 0x3F));
+                } else if (hi >= 0x80) {
+                    *dst++ = (u8)(0xC0 | (hi >> 6));
+                    *dst++ = (u8)(0x80 | (hi & 0x3F));
+                } else {
+                    *dst++ = (u8)hi;
+                }
+                *src_ptr = src;
+                *dst_ptr = dst;
+                return true;
+            }
             return_err(src - 6, "no low surrogate in string");
         }
         if (unlikely(!hex_load_4(src + 2, &lo))) {
+            if (has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1)) {
+                usize cnt = 0;
+                src += 2; /* skip \u */
+                while (cnt < 4 && char_is_hex(src[cnt])) cnt++;
+                src += cnt;
+                *dst++ = 0xEF; *dst++ = 0xBF; *dst++ = 0xBD;
+                *src_ptr = src;
+                *dst_ptr = dst;
+                return true;
+            }
+            if (has_allow(INVALID_SURROGATE)) {
+                if (hi >= 0x800) {
+                    *dst++ = (u8)(0xE0 | (hi >> 12));
+                    *dst++ = (u8)(0x80 | ((hi >> 6) & 0x3F));
+                    *dst++ = (u8)(0x80 | (hi & 0x3F));
+                } else if (hi >= 0x80) {
+                    *dst++ = (u8)(0xC0 | (hi >> 6));
+                    *dst++ = (u8)(0x80 | (hi & 0x3F));
+                } else {
+                    *dst++ = (u8)hi;
+                }
+                *src_ptr = src;
+                *dst_ptr = dst;
+                return true;
+            }
             return_err(src - 6, "invalid escape in string");
         }
         if (unlikely((lo & 0xFC00) != 0xDC00)) {
+            if (has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1)) {
+                src += 6;
+                *dst++ = 0xEF; *dst++ = 0xBF; *dst++ = 0xBD;
+                *src_ptr = src;
+                *dst_ptr = dst;
+                return true;
+            }
+            if (has_allow(INVALID_SURROGATE)) {
+                if (hi >= 0x800) {
+                    *dst++ = (u8)(0xE0 | (hi >> 12));
+                    *dst++ = (u8)(0x80 | ((hi >> 6) & 0x3F));
+                    *dst++ = (u8)(0x80 | (hi & 0x3F));
+                } else if (hi >= 0x80) {
+                    *dst++ = (u8)(0xC0 | (hi >> 6));
+                    *dst++ = (u8)(0x80 | (hi & 0x3F));
+                } else {
+                    *dst++ = (u8)hi;
+                }
+                *src_ptr = src;
+                *dst_ptr = dst;
+                return true;
+            }
             return_err(src - 6, "invalid low surrogate in string");
         }
         uni = ((((u32)hi - 0xD800) << 10) |
@@ -4703,6 +4778,26 @@ static_inline bool read_uni_esc(u8 **src_ptr, u8 **dst_ptr, const char **msg) {
         *dst++ = (u8)(0x80 | ((uni >> 6) & 0x3F));
         *dst++ = (u8)(0x80 | (uni & 0x3F));
         src += 6;
+    } else { /* low surrogate without preceding high surrogate */
+        if (has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1)) {
+            *dst++ = 0xEF; *dst++ = 0xBF; *dst++ = 0xBD;
+            *src_ptr = src;
+            *dst_ptr = dst;
+            return true;
+        }
+        if (!has_allow(INVALID_SURROGATE)) {
+            return_err(src - 6, "invalid low surrogate in string");
+        }
+        if (hi >= 0x800) {
+            *dst++ = (u8)(0xE0 | (hi >> 12));
+            *dst++ = (u8)(0x80 | ((hi >> 6) & 0x3F));
+            *dst++ = (u8)(0x80 | (hi & 0x3F));
+        } else if (hi >= 0x80) {
+            *dst++ = (u8)(0xC0 | (hi >> 6));
+            *dst++ = (u8)(0x80 | (hi & 0x3F));
+        } else {
+            *dst++ = (u8)hi;
+        }
     }
     *src_ptr = src;
     *dst_ptr = dst;
@@ -4855,6 +4950,12 @@ static_inline bool read_str_opt(u8 quo, u8 **ptr, u8 *eof, yyjson_read_flag flg,
         }
 #endif
         if (unlikely(pos == src)) {
+            if (has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1)) {
+                dst = src;
+                *dst++ = 0xEF; *dst++ = 0xBF; *dst++ = 0xBD;
+                ++src;
+                goto copy_utf8;
+            }
             if (has_allow(INVALID_UNICODE)) ++src;
             else return_err(src, "invalid UTF-8 encoding in string");
         }
@@ -4876,7 +4977,7 @@ static_inline bool read_str_opt(u8 quo, u8 **ptr, u8 *eof, yyjson_read_flag flg,
             case 't':  *dst++ = '\t'; src++; break;
             case 'u':
                 src--;
-                if (!read_uni_esc(&src, &dst, msg)) return_err(src, *msg);
+                if (!read_uni_esc(&src, &dst, msg, flg)) return_err(src, *msg);
                 break;
             default: {
                 if (has_allow(EXT_ESCAPE)) {
@@ -4935,11 +5036,17 @@ static_inline bool read_str_opt(u8 quo, u8 **ptr, u8 *eof, yyjson_read_flag flg,
         if (con) con[0] = con[1] = NULL;
         return true;
     } else {
-        if (!has_allow(INVALID_UNICODE)) {
-            return_err(src, "unexpected control character in string");
+        if (has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1)) {
+            if (src >= eof) return_err(src, "unclosed string");
+            *dst++ = 0xEF; *dst++ = 0xBF; *dst++ = 0xBD;
+            src++;
+        } else {
+            if (!has_allow(INVALID_UNICODE)) {
+                return_err(src, "unexpected control character in string");
+            }
+            if (src >= eof) return_err(src, "unclosed string");
+            *dst++ = *src++;
         }
-        if (src >= eof) return_err(src, "unclosed string");
-        *dst++ = *src++;
     }
 
 copy_ascii:
@@ -5027,6 +5134,11 @@ static_inline bool read_str_opt(u8 quo, u8 **ptr, u8 *eof, yyjson_read_flag flg,
         }
 #endif
         if (unlikely(pos == src)) {
+            if (has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1)) {
+                *dst++ = 0xEF; *dst++ = 0xBF; *dst++ = 0xBD;
+                ++src;
+                goto copy_utf8;
+            }
             if (!has_allow(INVALID_UNICODE)) {
                 return_err(src, MSG_ERR_UTF8);
             }
@@ -5131,7 +5243,7 @@ static_noinline bool read_str_id(u8 **ptr, u8 *eof, yyjson_read_flag flg,
     dst = src;
 copy_escape:
     if (byte_match_2(src, "\\u")) {
-        if (!read_uni_esc(&src, &dst, msg)) return_err(src, *msg);
+        if (!read_uni_esc(&src, &dst, msg, flg)) return_err(src, *msg);
     } else {
         if (!char_is_id_next(*src)) return_suc(dst, src);
         return_err(src, "unexpected character in key");
@@ -5183,10 +5295,17 @@ static_noinline bool read_str_id(u8 **ptr, u8 *eof, yyjson_read_flag flg,
             dst += 4; src += 4;
         } else {
 #if !YYJSON_DISABLE_UTF8_VALIDATION
-            if (!has_allow(INVALID_UNICODE)) return_err(src, MSG_ERR_UTF8);
+            if (!has_allow(INVALID_UNICODE) &&
+                !has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1))
+                return_err(src, MSG_ERR_UTF8);
 #endif
-            *dst = *src;
-            dst += 1; src += 1;
+            if (has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1)) {
+                *dst++ = 0xEF; *dst++ = 0xBF; *dst++ = 0xBD;
+                src += 1;
+            } else {
+                *dst = *src;
+                dst += 1; src += 1;
+            }
         }
     }
     if (char_is_id_ascii(*src)) goto copy_ascii;
@@ -6206,6 +6325,13 @@ yyjson_doc *yyjson_read_opts(char *dat, usize len,
     }
     memset(eof, 0, YYJSON_PADDING_SIZE);
 
+    /* replacement has highest precedence: tolerate and replace all invalid
+       sequences so that the final output is always valid UTF-8 */
+    if (has_rflag(flg, YYJSON_READ_REPLACE_INVALID_UNICODE, 1)) {
+        flg |= YYJSON_READ_ALLOW_INVALID_UNICODE;
+        flg |= YYJSON_READ_ALLOW_INVALID_SURROGATE;
+    }
+
     if (has_allow(BOM)) {
         if (len >= 3 && is_utf8_bom(cur)) cur += 3;
     }
@@ -6488,6 +6614,8 @@ yyjson_incr_state *yyjson_incr_new(char *buf, size_t buf_len,
     flg &= ~YYJSON_READ_JSON5;
     flg &= ~YYJSON_READ_ALLOW_BOM;
     flg &= ~YYJSON_READ_ALLOW_INVALID_UNICODE;
+    flg &= ~YYJSON_READ_ALLOW_INVALID_SURROGATE;
+    flg &= ~YYJSON_READ_REPLACE_INVALID_UNICODE;
 
     if (unlikely(!buf)) return NULL;
     if (unlikely(buf_len >= USIZE_MAX - YYJSON_PADDING_SIZE)) return NULL;

lib/yyjson-0.12.0/src/yyjson.h

@@ -760,14 +760,13 @@ static const yyjson_read_flag YYJSON_READ_ALLOW_INF_AND_NAN         = 1 << 4;
     inf/nan literal is also read as raw with `ALLOW_INF_AND_NAN` flag. */
 static const yyjson_read_flag YYJSON_READ_NUMBER_AS_RAW             = 1 << 5;
 
-/** Allow reading invalid unicode when parsing string values (non-standard).
-    Invalid characters will be allowed to appear in the string values, but
-    invalid escape sequences will still be reported as errors.
-    This flag does not affect the performance of correctly encoded strings.
-
-    @warning Strings in JSON values may contain incorrect encoding when this
-    option is used, you need to handle these strings carefully to avoid security
-    risks. */
+/** Allow reading raw invalid UTF-8 bytes in strings (non-standard).
+    This flag only affects raw bytes; `\uXXXX` escapes still require valid
+    surrogate pairs unless `YYJSON_READ_ALLOW_INVALID_SURROGATE` is also set.
+    Invalid escape sequences will still be reported as errors.
+
+    @warning Strings may contain ill-formed UTF-8 when this option is used,
+    you need to handle these strings carefully to avoid security risks. */
 static const yyjson_read_flag YYJSON_READ_ALLOW_INVALID_UNICODE     = 1 << 6;
 
 /** Read big numbers as raw strings. These big numbers include integers that
@@ -810,6 +809,22 @@ static const yyjson_read_flag YYJSON_READ_ALLOW_SINGLE_QUOTED_STR   = 1 << 12;
     non-whitespace character with code point above `U+007F`. */
 static const yyjson_read_flag YYJSON_READ_ALLOW_UNQUOTED_KEY        = 1 << 13;
 
+/** Replace invalid unicode code units with replacement character `U+FFFD`
+    when parsing string values (non-standard).
+    This flag implicitly enables `YYJSON_READ_ALLOW_INVALID_UNICODE` and
+    `YYJSON_READ_ALLOW_INVALID_SURROGATE`, so malformed input is tolerated
+    and replaced without needing those flags.
+    Note: when compiled with `YYJSON_DISABLE_UTF8_VALIDATION=ON`, invalid
+    UTF-8 byte sequences are not detected and therefore not replaced. */
+static const yyjson_read_flag YYJSON_READ_REPLACE_INVALID_UNICODE   = 1 << 14;
+
+/** Allow unpaired surrogate code units in `\uXXXX` escapes (non-standard).
+    Raw invalid UTF-8 bytes are unaffected; use
+    `YYJSON_READ_ALLOW_INVALID_UNICODE` for that. When combined with
+    `YYJSON_READ_REPLACE_INVALID_UNICODE`, the surrogates are replaced with
+    `U+FFFD`. */
+static const yyjson_read_flag YYJSON_READ_ALLOW_INVALID_SURROGATE   = 1 << 15;
+
 /** Allow JSON5 format, see: [https://json5.org].
     This flag supports all JSON5 features with some additional extensions:
     - Accepts more escape sequences than JSON5 (e.g. `\a`, `\e`).

lib/yyjson-0.12.0/test/test_string.c

@@ -1450,6 +1450,39 @@ static void test_unquoted_key(void) {
     }, YYJSON_READ_ALLOW_INVALID_UNICODE);
 }
 
+/*----------------------------------------------------------------------------*/
+/* MARK: - Invalid Unicode Flags                                               */
+/*----------------------------------------------------------------------------*/
+
+static void test_invalid_unicode_flags(void) {
+#if !YYJSON_DISABLE_READER
+    /* unpaired surrogate */
+    char inv_sur_hi[8 + YYJSON_PADDING_SIZE];
+    memcpy(inv_sur_hi, "\"\\uD83D\"", 8);
+    memset(inv_sur_hi + 8, 0, YYJSON_PADDING_SIZE);
+    yyjson_doc *doc = yyjson_read(inv_sur_hi, 8, 0);
+    yy_assert(!doc);
+
+    doc = yyjson_read(inv_sur_hi, 8, YYJSON_READ_ALLOW_INVALID_SURROGATE);
+    yy_assert(doc);
+    yyjson_val *val = yyjson_doc_get_root(doc);
+    const char *str = yyjson_get_str(val);
+    yy_assert(str && (u8)str[0] == 0xED && (u8)str[1] == 0xA0 &&
+              (u8)str[2] == 0xBD && str[3] == '\0');
+    yyjson_doc_free(doc);
+
+    doc = yyjson_read(inv_sur_hi, 8,
+                      YYJSON_READ_ALLOW_INVALID_SURROGATE |
+                      YYJSON_READ_REPLACE_INVALID_UNICODE);
+    yy_assert(doc);
+    val = yyjson_doc_get_root(doc);
+    str = yyjson_get_str(val);
+    yy_assert(str && (u8)str[0] == 0xEF && (u8)str[1] == 0xBF &&
+              (u8)str[2] == 0xBD && str[3] == '\0');
+    yyjson_doc_free(doc);
+#endif
+}
+
 
 
 /*==============================================================================
@@ -1460,5 +1493,6 @@ yy_test_case(test_string) {
     test_read_write();
     test_extended_escape();
     test_single_quoted_string();
+    test_invalid_unicode_flags();
     test_unquoted_key();
 }