CDRIVER-5713 fix bson_utf8_escape_for_json crash (#1725)

joshbsiegel · web-flow · commit e5b9cdfe683e · 2024-09-17T09:27:58.000-04:00
* add tests

* add fuzz test

* apply fix

* fix docs

* correctly handle alternative NULL terminator

* addressing minor comments

* adding proper boundary tests

* refactor tests
diff --git a/src/libbson/doc/bson_utf8_escape_for_json.rst b/src/libbson/doc/bson_utf8_escape_for_json.rst
@@ -31,4 +31,4 @@ byte is found before ``utf8_len`` bytes, it is converted to
 Returns
 -------
 
-A newly allocated string that should be freed with :symbol:`bson_free()`.
+A newly allocated string that should be freed with :symbol:`bson_free()` when ``utf8`` is a valid UTF-8 string, or ``NULL`` if the (possibly invalid UTF-8) string could not be escaped.
diff --git a/src/libbson/doc/bson_utf8_get_char.rst b/src/libbson/doc/bson_utf8_get_char.rst
@@ -14,7 +14,7 @@ Synopsis
 Parameters
 ----------
 
-* ``utf8``: A UTF-8 encoded string.
+* ``utf8``: A validated UTF-8 encoded string.
 
 Description
 -----------
diff --git a/src/libbson/fuzz/CMakeLists.txt b/src/libbson/fuzz/CMakeLists.txt
@@ -7,3 +7,6 @@ target_link_libraries(fuzz_test_init_from_json PRIVATE fuzz_test_properties)
 
 add_executable(fuzz_test_validate EXCLUDE_FROM_ALL fuzz_test_validate.c)
 target_link_libraries(fuzz_test_validate PRIVATE fuzz_test_properties)
+
+add_executable(fuzz_test_bson_utf8_escape_for_json EXCLUDE_FROM_ALL fuzz_test_bson_utf8_escape_for_json.c)
+target_link_libraries(fuzz_test_bson_utf8_escape_for_json PRIVATE fuzz_test_properties)
diff --git a/src/libbson/fuzz/fuzz_test_bson_utf8_escape_for_json.c b/src/libbson/fuzz/fuzz_test_bson_utf8_escape_for_json.c
@@ -0,0 +1,21 @@
+#include <bson/bson.h>
+
+int
+LLVMFuzzerTestOneInput (const uint8_t *data, size_t size)
+{
+   // Reject inputs with lengths greater than ssize_t
+   if (bson_cmp_greater_us (size, SSIZE_MAX)) {
+      return -1;
+   }
+
+   // Check if input crashes program (ok if return NULL)
+   char *got = bson_utf8_escape_for_json ((const char *) data, (ssize_t) size);
+
+   // If UTF-8 is valid, we should get some non-null response
+   if (bson_utf8_validate ((const char *) data, size, true)) {
+      BSON_ASSERT (got);
+   }
+
+   bson_free (got);
+   return 0;
+}
diff --git a/src/libbson/src/bson/bson-utf8.c b/src/libbson/src/bson/bson-utf8.c
@@ -278,6 +278,15 @@ bson_utf8_escape_for_json (const char *utf8, /* IN */
    end = utf8 + utf8_len;
 
    while (utf8 < end) {
+      uint8_t mask;
+      uint8_t length_of_char;
+
+      // Check if expected char length goes past end
+      _bson_utf8_get_sequence (utf8, &length_of_char, &mask);
+      if (utf8 > end - length_of_char) {
+         goto invalid_utf8;
+      }
+
       c = bson_utf8_get_char (utf8);
 
       switch (c) {
@@ -313,18 +322,25 @@ bson_utf8_escape_for_json (const char *utf8, /* IN */
       if (c) {
          utf8 = bson_utf8_next_char (utf8);
       } else {
-         if (length_provided && !*utf8) {
-            /* we escaped nil as '\u0000', now advance past it */
-            utf8++;
+         if (length_provided) {
+            // Check if current character is null character,
+            // if so skip past it as we've already added '\\u0000' above
+            if (*utf8 == '\0' || (*utf8 == '\xc0' && *(utf8 + 1) == '\x80')) {
+               utf8 += (*utf8 == '\0') ? 1 : 2;
+            } else {
+               goto invalid_utf8;
+            }
          } else {
-            /* invalid UTF-8 */
-            bson_string_free (str, true);
-            return NULL;
+            goto invalid_utf8;
          }
       }
    }
 
    return bson_string_free (str, false);
+
+invalid_utf8:
+   bson_string_free (str, true);
+   return NULL;
 }
 
 
diff --git a/src/libbson/tests/test-utf8.c b/src/libbson/tests/test-utf8.c
@@ -63,24 +63,67 @@ test_bson_utf8_escape_for_json (void)
    char *unescaped = "\x0e";
 
    str = bson_utf8_escape_for_json ("my\0key", 6);
-   BSON_ASSERT (0 == memcmp (str, "my\\u0000key", 7));
+   ASSERT_CMPSTR (str, "my\\u0000key");
+   bson_free (str);
+
+   str = bson_utf8_escape_for_json ("my\xc0\x80key", 7);
+   ASSERT_CMPSTR (str, "my\\u0000key");
    bson_free (str);
 
    str = bson_utf8_escape_for_json ("my\"key", 6);
-   BSON_ASSERT (0 == memcmp (str, "my\\\"key", 8));
+   ASSERT_CMPSTR (str, "my\\\"key");
    bson_free (str);
 
    str = bson_utf8_escape_for_json ("my\\key", 6);
-   BSON_ASSERT (0 == memcmp (str, "my\\\\key", 8));
+   ASSERT_CMPSTR (str, "my\\\\key");
    bson_free (str);
 
    str = bson_utf8_escape_for_json ("\\\"\\\"", -1);
-   BSON_ASSERT (0 == memcmp (str, "\\\\\\\"\\\\\\\"", 9));
+   ASSERT_CMPSTR (str, "\\\\\\\"\\\\\\\"");
    bson_free (str);
 
    str = bson_utf8_escape_for_json (unescaped, -1);
-   BSON_ASSERT (0 == memcmp (str, "\\u000e", 7));
+   ASSERT_CMPSTR (str, "\\u000e");
    bson_free (str);
+
+   // 2 bytes expected
+   {
+      str = bson_utf8_escape_for_json ("\xc2", -1);
+      ASSERT (!str);
+
+      str = bson_utf8_escape_for_json ("\xc3\xa9", -1);
+      ASSERT_CMPSTR (str, "é");
+      bson_free (str);
+   }
+
+   // 3 bytes expected
+   {
+      str = bson_utf8_escape_for_json ("\xed", -1);
+      ASSERT (!str);
+
+      str = bson_utf8_escape_for_json ("\xed\x90", -1);
+      ASSERT (!str);
+
+      str = bson_utf8_escape_for_json ("\xe4\xb8\xad", -1);
+      ASSERT_CMPSTR (str, "中");
+      bson_free (str);
+   }
+
+   // 4 bytes expected
+   {
+      str = bson_utf8_escape_for_json ("\xf0", -1);
+      ASSERT (!str);
+
+      str = bson_utf8_escape_for_json ("\xf0\x9f", -1);
+      ASSERT (!str);
+
+      str = bson_utf8_escape_for_json ("\xf0\x9f\x9f", -1);
+      ASSERT (!str);
+
+      str = bson_utf8_escape_for_json ("\xf0\xa0\x9c\x8f", -1);
+      ASSERT_CMPSTR (str, "𠜏");
+      bson_free (str);
+   }
 }
 
 
