encoding/json: Slice bounds out of range in json.Marshal #63379
Comments
A reproduction would be nice. As far as I can locally reason about the code,
I wonder if the bug (if one exists) is in
I've walked it with debugger to create a reproducer https://go.dev/play/p/MLVjBpcNgbI
Excellent reproduction, thank you!
I'll create a CL
Amazing! Thank you very much!
stateEndTop did not return scanError which caused a panic inside of appendCompact if top-level value was followed by an escaped character. It was also a single place where return value of *scanner.error was not used. Fixes golang#63379
Change https://go.dev/cl/533275 mentions this issue:
CL 469555 changed Compact to use append instead of bytes.Buffer. appendCompact iterates over input src slice and performs escaping of certain characters. To optimize copying it does not copy characters one by one but keeps track of the start offset of the data to copy when it reaches next character to escape or the end of the input. This start offset may become greater than input character offset so copying of preceding data should check this condition. CL 469555 removed boundary checks for copying data preceding escaped characters and this change restores them. Fixes golang#63379
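The offset bookkeeping described in the commit message above, as an added example that is not part of the thread and is not the encoding/json source. `compactModel`, its digit-run stand-in for the scanner and the sample inputs are constructed for illustration; it models only the copy loop, so unlike json.Compact it does not reject trailing data.

```go
package main

import "fmt"

const hexDigits = "0123456789abcdef"

// compactModel copies src to dst, escaping '<', '>' and '&' and dropping every
// byte after the leading run of digits (a stand-in for the scanner's "skip"
// signal once the top-level value has ended). With guard=false the copies are
// unconditional, which is the state the commit message attributes to CL 469555.
func compactModel(src []byte, guard bool) (dst []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			dst, err = nil, fmt.Errorf("panic: %v", r)
		}
	}()
	start, ended := 0, false
	flush := func(i int) {
		if !guard || start < i { // the restored boundary check
			dst = append(dst, src[start:i]...)
		}
	}
	for i, c := range src {
		if c == '<' || c == '>' || c == '&' {
			flush(i)
			dst = append(dst, '\\', 'u', '0', '0', hexDigits[c>>4], hexDigits[c&0xF])
			start = i + 1 // start is now greater than the current offset i
		}
		if c < '0' || c > '9' {
			ended = true
		}
		if ended { // skip signal arrives for the byte that was just escaped
			flush(i) // unguarded: src[i+1:i] is out of range
			start = i + 1
		}
	}
	if start < len(src) {
		dst = append(dst, src[start:]...)
	}
	return dst, nil
}

func main() {
	for _, in := range []string{"12", "12<", "1<&"} { // constructed inputs
		_, bad := compactModel([]byte(in), false)
		out, _ := compactModel([]byte(in), true)
		fmt.Printf("%q unguarded err=%v guarded=%q\n", in, bad, out)
	}
}
```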
What version of Go are you using (go version)?
What operating system and processor architecture are you using (go env)?
go env Output
Description
A fuzzer running on OSS-Fuzz ran into the following crash:
I am having some trouble reproducing it outside of OSS-Fuzz, however, it reproduces in OSS-Fuzz reliably. I hope the stack trace and other info provide enough context to locate the root cause.