--- CBOR-XS/XS.xs 2016/11/25 11:33:03 1.56 +++ CBOR-XS/XS.xs 2018/11/15 19:52:41 1.65 @@ -8,6 +8,7 @@ #include #include #include +#include #define ECB_NO_THREADS 1 #include "ecb.h" @@ -22,6 +23,9 @@ #ifndef HvNAMEUTF8 # define HvNAMEUTF8(hv) 0 #endif +#ifndef SvREFCNT_inc_NN +# define SvREFCNT_inc_NN(sv) SvREFCNT_inc (sv) +#endif #ifndef SvREFCNT_dec_NN # define SvREFCNT_dec_NN(sv) SvREFCNT_dec (sv) #endif @@ -101,10 +105,11 @@ #define F_ALLOW_UNKNOWN 0x00000002UL #define F_ALLOW_SHARING 0x00000004UL #define F_ALLOW_CYCLES 0x00000008UL -#define F_PACK_STRINGS 0x00000010UL -#define F_TEXT_KEYS 0x00000020UL -#define F_TEXT_STRINGS 0x00000040UL -#define F_VALIDATE_UTF8 0x00000080UL +#define F_FORBID_OBJECTS 0x00000010UL +#define F_PACK_STRINGS 0x00000020UL +#define F_TEXT_KEYS 0x00000040UL +#define F_TEXT_STRINGS 0x00000080UL +#define F_VALIDATE_UTF8 0x00000100UL #define INIT_SIZE 32 // initial scalar size to be allocated @@ -187,15 +192,11 @@ ecb_inline int minimum_string_length (UV idx) { - return idx > 23 - ? idx > 0xffU - ? idx > 0xffffU - ? idx > 0xffffffffU - ? 11 - : 7 - : 5 - : 4 - : 3; + return idx <= 23 ? 3 + : idx <= 0xffU ? 4 + : idx <= 0xffffU ? 5 + : idx <= 0xffffffffU ? 7 + : 11; } ///////////////////////////////////////////////////////////////////////////// @@ -218,7 +219,7 @@ ecb_inline void need (enc_t *enc, STRLEN len) { - if (ecb_expect_false (enc->cur + len >= enc->end)) + if (ecb_expect_false ((uintptr_t)(enc->end - enc->cur) < len)) { STRLEN cur = enc->cur - (char *)SvPVX (enc->sv); SvGROW (enc->sv, cur + (len < (cur >> 2) ? cur >> 2 : len) + 1); @@ -358,7 +359,7 @@ encode_uint (enc, MAJOR_ARRAY, len + 1); - if (SvMAGICAL (av)) + if (ecb_expect_false (SvMAGICAL (av))) for (i = 0; i <= len; ++i) { SV **svp = av_fetch (av, i, 0); @@ -387,7 +388,7 @@ int pairs = hv_iterinit (hv); int mg = SvMAGICAL (hv); - if (mg) + if (ecb_expect_false (mg)) encode_ch (enc, MAJOR_MAP | MINOR_INDEF); else encode_uint (enc, MAJOR_MAP, pairs); @@ -402,7 +403,7 @@ encode_sv (enc, ecb_expect_false (mg) ? hv_iterval (hv, he) : HeVAL (he)); } - if (mg) + if (ecb_expect_false (mg)) encode_ch (enc, MAJOR_MISC | MINOR_INDEF); --enc->depth; @@ -455,7 +456,7 @@ if (ecb_expect_false (SvREFCNT (sv) > 1) && ecb_expect_false (enc->cbor.flags & F_ALLOW_SHARING)) { - if (!enc->shareable) + if (ecb_expect_false (!enc->shareable)) enc->shareable = (HV *)sv_2mortal ((SV *)newHV ()); SV **svp = hv_fetch (enc->shareable, (char *)&sv, sizeof (sv), 1); @@ -479,7 +480,10 @@ HV *stash = SvSTASH (sv); GV *method; - if ((method = gv_fetchmethod_autoload (stash, "TO_CBOR", 0))) + if (enc->cbor.flags & F_FORBID_OBJECTS) + croak ("encountered object '%s', but forbid_objects is enabled", + SvPV_nolen (sv_2mortal (newRV_inc (sv)))); + else if ((method = gv_fetchmethod_autoload (stash, "TO_CBOR", 0))) { dSP; @@ -508,7 +512,6 @@ dSP; ENTER; SAVETMPS; - SAVESTACK_POS (); PUSHMARK (SP); EXTEND (SP, 2); // we re-bless the reference to get overload and other niceties right @@ -527,8 +530,14 @@ encode_uint (enc, MAJOR_ARRAY, count + 1); encode_strref (enc, 0, HvNAMEUTF8 (stash), HvNAME (stash), HvNAMELEN (stash)); - while (count) - encode_sv (enc, SP[1 - count--]); + { + int i; + + for (i = 0; i < count; ++i) + encode_sv (enc, SP[i + 1 - count]); + + SP -= count; + } PUTBACK; @@ -561,10 +570,10 @@ //TODO: maybe I32? else if (ecb_expect_false (nv == (float)nv)) { - uint32_t fp = ecb_float_to_binary32 (nv); - *enc->cur++ = MAJOR_MISC | MISC_FLOAT32; + uint32_t fp = ecb_float_to_binary32 (nv); + if (!ecb_big_endian ()) fp = ecb_bswap32 (fp); @@ -573,10 +582,10 @@ } else { - uint64_t fp = ecb_double_to_binary64 (nv); - *enc->cur++ = MAJOR_MISC | MISC_FLOAT64; + uint64_t fp = ecb_double_to_binary64 (nv); + if (!ecb_big_endian ()) fp = ecb_bswap64 (fp); @@ -623,10 +632,10 @@ { enc_t enc = { 0 }; - enc.cbor = *cbor; - enc.sv = sv_2mortal (NEWSV (0, INIT_SIZE)); - enc.cur = SvPVX (enc.sv); - enc.end = SvEND (enc.sv); + enc.cbor = *cbor; + enc.sv = sv_2mortal (NEWSV (0, INIT_SIZE)); + enc.cur = SvPVX (enc.sv); + enc.end = SvEND (enc.sv); SvPOK_only (enc.sv); @@ -663,11 +672,44 @@ AV *shareable; AV *stringref; SV *decode_tagged; + SV *err_sv; // optional sv for error, needs to be freed } dec_t; -#define ERR(reason) SB if (!dec->err) dec->err = reason; goto fail; SE +// set dec->err to ERRSV +ecb_cold static void +err_errsv (dec_t *dec) +{ + if (!dec->err) + { + dec->err_sv = newSVsv (ERRSV); -#define WANT(len) if (ecb_expect_false (dec->cur + len > dec->end)) ERR ("unexpected end of CBOR data") + // chop off the trailing \n + SvCUR_set (dec->err_sv, SvCUR (dec->err_sv) - 1); + *SvEND (dec->err_sv) = 0; + + dec->err = SvPVutf8_nolen (dec->err_sv); + } +} + +// the following functions are used to reduce code size and help the compiler to optimise +ecb_cold static void +err_set (dec_t *dec, const char *reason) +{ + if (!dec->err) + dec->err = reason; +} + +ecb_cold static void +err_unexpected_end (dec_t *dec) +{ + err_set (dec, "unexpected end of CBOR data"); +} + +#define ERR_DO(do) SB do; goto fail; SE +#define ERR(reason) ERR_DO (err_set (dec, reason)) +#define ERR_ERRSV ERR_DO (err_errsv (dec)) + +#define WANT(len) if (ecb_expect_false ((uintptr_t)(dec->end - dec->cur) < (STRLEN)len)) ERR_DO (err_unexpected_end (dec)) #define DEC_INC_DEPTH if (ecb_expect_false (++dec->depth > dec->cbor.max_depth)) ERR (ERR_NESTING_EXCEEDED) #define DEC_DEC_DEPTH --dec->depth @@ -745,7 +787,7 @@ { WANT (1); - if (*dec->cur == (MAJOR_MISC | MINOR_INDEF)) + if (*dec->cur == (MAJOR_MISC | MINOR_INDEF) || dec->err) { ++dec->cur; break; @@ -756,7 +798,7 @@ } else { - int i, len = decode_uint (dec); + UV i, len = decode_uint (dec); WANT (len); // complexity check for av_fill - need at least one byte per value, do not allow supersize arrays av_fill (av, len - 1); @@ -769,7 +811,7 @@ return newRV_noinc ((SV *)av); fail: - SvREFCNT_dec (av); + SvREFCNT_dec_NN (av); DEC_DEC_DEPTH; return &PL_sv_undef; } @@ -813,8 +855,36 @@ SV *k = decode_sv (dec); SV *v = decode_sv (dec); + // we leak memory if uncaught exceptions are thrown by random magical + // methods, and this is hopefully the only place where it can happen, + // so if there is a chance of an exception, take the very slow path. + // since catching exceptions is "undocumented/internal/forbidden" by + // the new p5p powers, we need to call out to a perl function :/ + if (ecb_expect_false (SvAMAGIC (k))) + { + dSP; + + ENTER; SAVETMPS; + PUSHMARK (SP); + EXTEND (SP, 3); + PUSHs (sv_2mortal (newRV_inc ((SV *)hv))); + PUSHs (sv_2mortal (k)); + PUSHs (sv_2mortal (v)); + + PUTBACK; + call_pv ("CBOR::XS::_hv_store", G_VOID | G_DISCARD | G_EVAL); + SPAGAIN; + + FREETMPS; LEAVE; + + if (SvTRUE (ERRSV)) + ERR_ERRSV; + + return; + } + hv_store_ent (hv, k, v, 0); - SvREFCNT_dec (k); + SvREFCNT_dec_NN (k); fail: ; @@ -835,7 +905,7 @@ { WANT (1); - if (*dec->cur == (MAJOR_MISC | MINOR_INDEF)) + if (*dec->cur == (MAJOR_MISC | MINOR_INDEF) || dec->err) { ++dec->cur; break; @@ -846,7 +916,9 @@ } else { - int pairs = decode_uint (dec); + UV pairs = decode_uint (dec); + + WANT (pairs); // complexity check - need at least one byte per value, do not allow supersize hashes while (pairs--) decode_he (dec, hv); @@ -856,7 +928,7 @@ return newRV_noinc ((SV *)hv); fail: - SvREFCNT_dec (hv); + SvREFCNT_dec_NN (hv); DEC_DEC_DEPTH; return &PL_sv_undef; } @@ -866,7 +938,7 @@ { SV *sv = 0; - if ((*dec->cur & MINOR_MASK) == MINOR_INDEF) + if (ecb_expect_false ((*dec->cur & MINOR_MASK) == MINOR_INDEF)) { // indefinite length strings ++dec->cur; @@ -944,7 +1016,7 @@ case CBOR_TAG_STRINGREF_NAMESPACE: { - // do nmot use SAVETMPS/FREETMPS, as these will + // do not use SAVETMPS/FREETMPS, as these will // erase mortalised caches, e.g. "shareable" ENTER; @@ -964,7 +1036,7 @@ UV idx = decode_uint (dec); - if (!dec->stringref || (int)idx > AvFILLp (dec->stringref)) + if (!dec->stringref || idx >= (UV)(1 + AvFILLp (dec->stringref))) ERR ("corrupted CBOR data (stringref index out of bounds or outside namespace)"); sv = newSVsv (AvARRAY (dec->stringref)[idx]); @@ -1002,7 +1074,7 @@ UV idx = decode_uint (dec); - if (!dec->shareable || (int)idx > AvFILLp (dec->shareable)) + if (!dec->shareable || idx >= (UV)(1 + AvFILLp (dec->shareable))) ERR ("corrupted CBOR data (sharedref index out of bounds)"); sv = SvREFCNT_inc_NN (AvARRAY (dec->shareable)[idx]); @@ -1014,6 +1086,9 @@ case CBOR_TAG_PERL_OBJECT: { + if (dec->cbor.flags & F_FORBID_OBJECTS) + goto filter; + sv = decode_sv (dec); if (!SvROK (sv) || SvTYPE (SvRV (sv)) != SVt_PVAV) @@ -1052,10 +1127,10 @@ if (SvTRUE (ERRSV)) { FREETMPS; LEAVE; - ERR (SvPVutf8_nolen (sv_2mortal (SvREFCNT_inc (ERRSV)))); + ERR_ERRSV; } - SvREFCNT_dec (sv); + SvREFCNT_dec_NN (sv); sv = SvREFCNT_inc (POPs); PUTBACK; @@ -1065,15 +1140,17 @@ break; default: + filter: { + SV *tag_sv = newSVuv (tag); + sv = decode_sv (dec); dSP; ENTER; SAVETMPS; - SAVESTACK_POS (); PUSHMARK (SP); EXTEND (SP, 2); - PUSHs (newSVuv (tag)); + PUSHs (tag_sv); PUSHs (sv); PUTBACK; @@ -1082,19 +1159,22 @@ if (SvTRUE (ERRSV)) { + SvREFCNT_dec_NN (tag_sv); FREETMPS; LEAVE; - ERR (SvPVutf8_nolen (sv_2mortal (SvREFCNT_inc (ERRSV)))); + ERR_ERRSV; } if (count) { - SvREFCNT_dec (sv); - sv = SvREFCNT_inc (POPs); + SvREFCNT_dec_NN (tag_sv); + SvREFCNT_dec_NN (sv); + sv = SvREFCNT_inc_NN (TOPs); + SP -= count; } else { AV *av = newAV (); - av_push (av, newSVuv (tag)); + av_push (av, tag_sv); av_push (av, sv); HV *tagged_stash = !CBOR_SLOW || cbor_tagged_stash @@ -1233,7 +1313,7 @@ { if (dec.shareable) { - // need to break cyclic links, which whould all be in shareable + // need to break cyclic links, which would all be in shareable int i; SV **svp; @@ -1242,7 +1322,11 @@ sv_setsv (*svp, &PL_sv_undef); } - SvREFCNT_dec (sv); + SvREFCNT_dec_NN (sv); + + if (dec.err_sv) + sv_2mortal (dec.err_sv); + croak ("%s, at offset %d (octet 0x%02x)", dec.err, dec.cur - (U8 *)data, (int)(uint8_t)*dec.cur); } @@ -1427,6 +1511,7 @@ allow_unknown = F_ALLOW_UNKNOWN allow_sharing = F_ALLOW_SHARING allow_cycles = F_ALLOW_CYCLES + forbid_objects = F_FORBID_OBJECTS pack_strings = F_PACK_STRINGS text_keys = F_TEXT_KEYS text_strings = F_TEXT_STRINGS @@ -1447,6 +1532,7 @@ get_allow_unknown = F_ALLOW_UNKNOWN get_allow_sharing = F_ALLOW_SHARING get_allow_cycles = F_ALLOW_CYCLES + get_forbid_objects = F_FORBID_OBJECTS get_pack_strings = F_PACK_STRINGS get_text_keys = F_TEXT_KEYS get_text_strings = F_TEXT_STRINGS @@ -1589,3 +1675,19 @@ XPUSHs (cborstr); } +#ifdef __AFL_COMPILER + +void +afl_init () + CODE: + __AFL_INIT (); + +int +afl_loop (unsigned int count = 10000) + CODE: + RETVAL = __AFL_LOOP (count); + OUTPUT: + RETVAL + +#endif +