fix(cbor): reject negative ints overflowing int64

thevilledev · thevilledev · commit a17996e42f46 · 2025-12-21T11:59:23.000+02:00
CBOR encodes negative integers as "-1 - n" where n is uint64_t. When
n &gt; INT64_MAX, casting to int64_t caused undefined behavior and silent
data corruption. Large negative values were incorrectly parsed as
positive integers (e.g., -9223372036854775809 became 9223372036854775807).

Add bounds check for to reject values that exceed int64_t
representable range, returning parse_error instead of silently
corrupting data.

Added regression test cases to verify.

Signed-off-by: Ville Vesilehto &lt;ville@vesilehto.fi&gt;
diff --git a/include/nlohmann/detail/input/binary_reader.hpp b/include/nlohmann/detail/input/binary_reader.hpp
@@ -533,8 +533,18 @@ class binary_reader
             case 0x3B: // Negative integer -1-n (eight-byte uint64_t follows)
             {
                 std::uint64_t number{};
-                return get_number(input_format_t::cbor, number) && sax->number_integer(static_cast<number_integer_t>(-1)
-                        - static_cast<number_integer_t>(number));
+                if (JSON_HEDLEY_UNLIKELY(!get_number(input_format_t::cbor, number)))
+                {
+                    return false;
+                }
+                const auto max_val = static_cast<std::uint64_t>((std::numeric_limits<number_integer_t>::max)());
+                if (number > max_val)
+                {
+                    return sax->parse_error(chars_read, get_token_string(),
+                                            parse_error::create(112, chars_read,
+                                                    exception_message(input_format_t::cbor, "negative integer overflow", "value"), nullptr));
+                }
+                return sax->number_integer(static_cast<number_integer_t>(-1) - static_cast<number_integer_t>(number));
             }
 
             // Binary data (0x00..0x17 bytes follow)
diff --git a/single_include/nlohmann/json.hpp b/single_include/nlohmann/json.hpp
@@ -10350,10 +10350,21 @@ class binary_reader
             case 0x37:
                 return sax->number_integer(static_cast<std::int8_t>(0x20 - 1 - current));
 
-            case 0x38: // Negative integer (one-byte uint8_t follows)
+            case 0x3B: // Negative integer -1-n (eight-byte uint64_t follows)
             {
-                std::uint8_t number{};
-                return get_number(input_format_t::cbor, number) && sax->number_integer(static_cast<number_integer_t>(-1) - number);
+                std::uint64_t number{};
+                if (JSON_HEDLEY_UNLIKELY(!get_number(input_format_t::cbor, number)))
+                {
+                    return false;
+                }
+                const auto max_val = static_cast<std::uint64_t>((std::numeric_limits<number_integer_t>::max)());
+                if (number > max_val)
+                {
+                    return sax->parse_error(chars_read, get_token_string(),
+                                            parse_error::create(112, chars_read,
+                                                    exception_message(input_format_t::cbor, "negative integer overflow", "value"), nullptr));
+                }
+                return sax->number_integer(static_cast<number_integer_t>(-1) - static_cast<number_integer_t>(number));
             }
 
             case 0x39: // Negative integer -1-n (two-byte uint16_t follows)
diff --git a/tests/src/unit-cbor.cpp b/tests/src/unit-cbor.cpp
@@ -1705,6 +1705,9 @@ TEST_CASE("CBOR")
             CHECK_THROWS_WITH_AS(_ = json::from_cbor(std::vector<uint8_t>({0x1b, 0x00, 0x00, 0x00, 0x00, 0x00})), "[json.exception.parse_error.110] parse error at byte 7: syntax error while parsing CBOR number: unexpected end of input", json::parse_error&);
             CHECK_THROWS_WITH_AS(_ = json::from_cbor(std::vector<uint8_t>({0x1b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00})), "[json.exception.parse_error.110] parse error at byte 8: syntax error while parsing CBOR number: unexpected end of input", json::parse_error&);
             CHECK_THROWS_WITH_AS(_ = json::from_cbor(std::vector<uint8_t>({0x1b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00})), "[json.exception.parse_error.110] parse error at byte 9: syntax error while parsing CBOR number: unexpected end of input", json::parse_error&);
+            CHECK_THROWS_WITH_AS(_ = json::from_cbor(std::vector<uint8_t>({0x3b})), "[json.exception.parse_error.110] parse error at byte 2: syntax error while parsing CBOR number: unexpected end of input", json::parse_error&);
+            CHECK_THROWS_WITH_AS(_ = json::from_cbor(std::vector<uint8_t>({0x3b, 0x00})), "[json.exception.parse_error.110] parse error at byte 3: syntax error while parsing CBOR number: unexpected end of input", json::parse_error&);
+            CHECK_THROWS_WITH_AS(_ = json::from_cbor(std::vector<uint8_t>({0x3b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00})), "[json.exception.parse_error.110] parse error at byte 9: syntax error while parsing CBOR number: unexpected end of input", json::parse_error&);
             CHECK_THROWS_WITH_AS(_ = json::from_cbor(std::vector<uint8_t>({0x62})), "[json.exception.parse_error.110] parse error at byte 2: syntax error while parsing CBOR string: unexpected end of input", json::parse_error&);
             CHECK_THROWS_WITH_AS(_ = json::from_cbor(std::vector<uint8_t>({0x62, 0x60})), "[json.exception.parse_error.110] parse error at byte 3: syntax error while parsing CBOR string: unexpected end of input", json::parse_error&);
             CHECK_THROWS_WITH_AS(_ = json::from_cbor(std::vector<uint8_t>({0x7F})), "[json.exception.parse_error.110] parse error at byte 2: syntax error while parsing CBOR string: unexpected end of input", json::parse_error&);
@@ -1733,6 +1736,9 @@ TEST_CASE("CBOR")
             CHECK(json::from_cbor(std::vector<uint8_t>({0x1b, 0x00, 0x00, 0x00, 0x00, 0x00}), true, false).is_discarded());
             CHECK(json::from_cbor(std::vector<uint8_t>({0x1b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}), true, false).is_discarded());
             CHECK(json::from_cbor(std::vector<uint8_t>({0x1b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}), true, false).is_discarded());
+            CHECK(json::from_cbor(std::vector<uint8_t>({0x3b}), true, false).is_discarded());
+            CHECK(json::from_cbor(std::vector<uint8_t>({0x3b, 0x00}), true, false).is_discarded());
+            CHECK(json::from_cbor(std::vector<uint8_t>({0x3b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}), true, false).is_discarded());
             CHECK(json::from_cbor(std::vector<uint8_t>({0x62}), true, false).is_discarded());
             CHECK(json::from_cbor(std::vector<uint8_t>({0x62, 0x60}), true, false).is_discarded());
             CHECK(json::from_cbor(std::vector<uint8_t>({0x7F}), true, false).is_discarded());
@@ -2681,6 +2687,49 @@ TEST_CASE("Tagged values")
         }
     }
 
+    SECTION("negative integer overflow")
+    {
+        // CBOR encodes negative integers as -1 - n, where n is uint64_t.
+        // When n > INT64_MAX, the result cannot be represented in int64_t.
+        // The library should reject such values with a parse error.
+
+        SECTION("n = INT64_MAX is valid (result = INT64_MIN)")
+        {
+            // n = 0x7FFFFFFFFFFFFFFF (INT64_MAX), result = -1 - INT64_MAX = INT64_MIN
+            const std::vector<uint8_t> v = {0x3B, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
+            const auto j = json::from_cbor(v);
+            CHECK(j.is_number_integer());
+            CHECK(j.get<int64_t>() == (std::numeric_limits<int64_t>::min)());
+        }
+
+        SECTION("n = INT64_MAX + 1 causes overflow")
+        {
+            // n = 0x8000000000000000 (INT64_MAX + 1), result would be -9223372036854775809
+            const std::vector<uint8_t> v = {0x3B, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+            json _;
+            CHECK_THROWS_WITH_AS(_ = json::from_cbor(v),
+                                 "[json.exception.parse_error.112] parse error at byte 9: syntax error while parsing CBOR value: negative integer overflow",
+                                 json::parse_error);
+        }
+
+        SECTION("n = UINT64_MAX causes overflow")
+        {
+            // n = 0xFFFFFFFFFFFFFFFF (UINT64_MAX), result would be -18446744073709551616
+            const std::vector<uint8_t> v = {0x3B, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF};
+            json _;
+            CHECK_THROWS_WITH_AS(_ = json::from_cbor(v),
+                                 "[json.exception.parse_error.112] parse error at byte 9: syntax error while parsing CBOR value: negative integer overflow",
+                                 json::parse_error);
+        }
+
+        SECTION("overflow with allow_exceptions=false returns discarded")
+        {
+            const std::vector<uint8_t> v = {0x3B, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
+            const auto j = json::from_cbor(v, true, false);
+            CHECK(j.is_discarded());
+        }
+    }
+
     SECTION("tagged binary")
     {
         // create a binary value of subtype 42
