Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s239b-00H13J-71 for pgsql-hackers@arkaria.postgresql.org; Wed, 01 May 2024 06:09:19 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1s239X-00BKRR-0C for pgsql-hackers@arkaria.postgresql.org; Wed, 01 May 2024 06:09:15 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s239V-00BKR2-0D for pgsql-hackers@lists.postgresql.org; Wed, 01 May 2024 06:09:15 +0000 Received: from fhigh1-smtp.messagingengine.com ([103.168.172.152]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1s239R-000xta-Kv for pgsql-hackers@postgresql.org; Wed, 01 May 2024 06:09:13 +0000 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailfhigh.nyi.internal (Postfix) with ESMTP id 0471411400F4; Wed, 1 May 2024 02:09:07 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Wed, 01 May 2024 02:09:07 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paquier.xyz; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1714543747; x=1714630147; bh=VzKQ0Ctmkv EE0cmVB3X79KZ8baITEOQjLXdbR2tiVlI=; b=XV4YrRow12n4ZtUSsiblJiNGN5 dn5MP8cGLCXqvI19cP3t3S3sqe0QiSDuIXhPxovxJ6ecSQmiUS40MEowISR95Qq+ JVffGKxXusxtXhCVx9gZSqRB4L1dG4lTsbrIEyQnEBLLRrKEWNhP9nTYVUPtz/dv 1zWfUnjCPN0J4C1Q+yMVINWQzwhfHFu636iNQdBAC6Hv5DCQUE3FB+mmqSavjO0/ BsxtyghyKjgsAtQ0DwHFw8sKfXCmAaKqQ4EpopTC9A59HfzyPj04fZ2cT2xd728l wgxTwpVyfiedLzbQy2HNC61I4cGv8LtIsoO8ehxEJQPU0/2f8PXC1UUPpnfQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm3; t=1714543747; x=1714630147; bh=VzKQ0CtmkvEE0cmVB3X79KZ8baIT EOQjLXdbR2tiVlI=; b=So9QPOox7B2ZhTJqPh9zmZXZxARo3pvIUs4q3582nRKU Q+aHM31mhXiL+3mghutJ1OEAf7D5o9MPChKnsMoyJhNKL+nW/edgVhNJ7gQ6/cj+ PZwemXwF3VSBebTG9q7yBKPKcwhhECdYyQMRoo6q2siS5XIrRJ68vs9bTxWoHVls B/iVa/zyHik9x9CmwryYU2PSsh+W544wEG847irD8byUcLjxE+yEDoa9j8/fsZAf IZgG1QEFIwpGz5q5599TR14+8kkl/XB2Ds6QwSIaTPAye1aOxSGnz/23/iqPHae0 QYIjP9p1urJBdCR8+aEdyIURHC9Ccf+tHDNmAIpYNQ== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrvdduhedgfeejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne gfrhhlucfvnfffucdljedtmdenucfjughrpeffhffvvefukfhfgggtuggjsehgtderredt tddvnecuhfhrohhmpefoihgthhgrvghlucfrrghquhhivghruceomhhitghhrggvlhesph grqhhuihgvrhdrgiihiieqnecuggftrfgrthhtvghrnhepteelieefudffhffhtdetleeg geegfffhkeeuveetiefgudduvedutefggeeivdejnecuvehluhhsthgvrhfuihiivgeptd enucfrrghrrghmpehmrghilhhfrhhomhepmhhitghhrggvlhesphgrqhhuihgvrhdrgiih ii X-ME-Proxy: Feedback-ID: i0fe9450f:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 1 May 2024 02:09:04 -0400 (EDT) Date: Wed, 1 May 2024 15:08:45 +0900 From: Michael Paquier To: Jacob Champion Cc: PostgreSQL Hackers , Andrew Dunstan Subject: Re: [PATCH] json_lex_string: don't overread on bad UTF8 Message-ID: References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="UO8EvQN97bzRo6RY" Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --UO8EvQN97bzRo6RY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 30, 2024 at 10:39:04AM -0700, Jacob Champion wrote: > When json_lex_string() hits certain types of invalid input, it calls > pg_encoding_mblen_bounded(), which assumes that its input is > null-terminated and calls strnlen(). But the JSON lexer is constructed > with an explicit string length, and we don't ensure that the string is > null-terminated in all cases, so we can walk off the end of the > buffer. This isn't really relevant on the server side, where you'd > have to get a superuser to help you break string encodings, but for > client-side usage on untrusted input (such as my OAuth patch) it would > be more important. Not sure to like much the fact that this advances token_terminator first. Wouldn't it be better to calculate pg_encoding_mblen() first, then save token_terminator? I feel a bit uneasy about saving a value in token_terminator past the end of the string. That a nit in this context, still.. > Attached is a draft patch that explicitly checks against the > end-of-string pointer and clamps the token_terminator to it. Note that > this removes the only caller of pg_encoding_mblen_bounded() and I'm > not sure what we should do with that function. It seems like a > reasonable API, just not here. Hmm. Keeping it around as currently designed means that it could cause more harm than anything in the long term, even in the stable branches if new code uses it. There is a risk of seeing this new code incorrectly using it again, even if its top comment tells that we rely on the string being nul-terminated. A safer alternative would be to redesign it so as the length of the string is provided in input, removing the dependency of strlen in its internals, perhaps. Anyway, without any callers of it, I'd be tempted to wipe it from HEAD and call it a day. > The new test needs to record two versions of the error message, one > for invalid token and one for invalid escape sequence. This is > because, for smaller chunk sizes, the partial-token logic in the > incremental JSON parser skips the affected code entirely when it can't > find an ending double-quote. Ah, that makes sense. That looks OK here. A comment around the test would be adapted to document that, I guess. =20 > Tangentially: Should we maybe rethink pieces of the json_lex_string > error handling? For example, do we really want to echo an incomplete > multibyte sequence once we know it's bad? It also looks like there are > places where the FAIL_AT_CHAR_END macro is called after the `s` > pointer has already advanced past the code point of interest. I'm not > sure if that's intentional. Advancing the tracking pointer 's' before reporting an error related the end of the string is a bad practive, IMO, and we should avoid that. json_lex_string() does not offer a warm feeling regarding that with escape characters, at least :/ -- Michael --UO8EvQN97bzRo6RY Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEG72nH6vTowiyblFKnvQgOdbyQH0FAmYx3G0ACgkQnvQgOdby QH3HihAAkMj5DzAmIRl4LV1yPCyXTzOl6xGBdMEqrnP4xo1VgnRdSYnRYqq2HVpV v0qduqIeJstKK2Cn+jBzdCD1xder+RSkhIEqLf4JplMdi0vx3szIgLRdg45vzcaV pMn23AXPEz6Rlw1epQ4b3H34isW3R8ornoF/05Bn85cNDgjRbuM01TN4kLHASBL1 FTARf4ZDmVqDwdMGQqg7ZRw8hWVesevRK0TPockznkXBEkvV2efkFB04R2yZAY2v 4jEY+o5AAjDq8bW5D9FDdCsywxkifLUMB+HkYap4921mGktTL6nOJ0EozXBgdZF8 IEWocTjmifFJ+FeID2kq+A4AesXlhKkaRk2tjShYupQFcof36W2vMljuR6xWdPLU bR3h7iFmmJEgNu5N+LAEKTqFjUzcwSEo0DJ4uclPUs+auaeplWa930+KXvYnlIqH AbPAJMtgObsmv8I2v4nrlEFgLbvT2W1iKQ/swne+jDGnpc6+L2PwZiMuV159ALsN eGl25OFCyQlNWsBBUdkCGPiXZAQgMnhfh7TQB8HCJX8SuqHe7cpR1sgSvaExAjBc 3djL7Lwr2hqzoNCUGR/0Og0+5bxESNvX/ncjSZtD/mWvWOdhPw9kHmd5VXL2yPv1 ijvi60BPwiOwxcmtj9kB879JR6b+Z5PGt9mNlfFMA5K9JMO/qTE= =OtQ1 -----END PGP SIGNATURE----- --UO8EvQN97bzRo6RY--