univalue: respect token end pointer #35281

pull ferminquant wants to merge 2 commits into bitcoin:master from ferminquant:fix-univalue-token-bounds changing 3 files +65 −9
  1. ferminquant commented at 2:25 PM on May 13, 2026: none

    Fixes #28260.

    Avoid reading past the supplied end pointer when matching JSON keywords and validating number prefixes.

    Also update the UniValue test and parse_univalue fuzz target to exercise bounded input.

  2. DrahtBot added the label RPC/REST/ZMQ on May 13, 2026
  3. DrahtBot commented at 2:25 PM on May 13, 2026: contributor

    <!--e57a25ab6845829454e8d69fc972939a-->

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    <!--006a51241073e994b41acfe9ec718e94-->

    Code Coverage & Benchmarks

    For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/35281.

    <!--021abf342d371248e50ceaed478a90ca-->

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK carloantinarella

    If your review is incorrectly listed, please copy-paste <code>&lt;!--meta-tag:bot-skip--&gt;</code> into the comment that the bot should ignore.

    <!--5faf32d7da4f0f540f40219e4f7537a3-->

  4. ferminquant force-pushed on May 13, 2026
  5. ferminquant force-pushed on May 13, 2026
  6. in src/test/fuzz/parse_univalue.cpp:22 in e9a2bbe3ef 
      17 | @@ -18,7 +18,9 @@ void initialize_parse_univalue()
  18 |  
  19 |  FUZZ_TARGET(parse_univalue, .init = initialize_parse_univalue)
  20 |  {
  21 | -    const std::string random_string(buffer.begin(), buffer.end());
  22 | +    const char* const buffer_data{
  23 | +        buffer.empty() ? "" : reinterpret_cast<const char*>(buffer.data())};
    maflcko commented at 3:56 PM on May 13, 2026:

    why the ??

    ferminquant commented at 1:16 AM on May 14, 2026:

    You're right, it's not needed. I fixed it in a new commit.

  7. DrahtBot added the label CI failed on May 13, 2026
  8. DrahtBot commented at 4:06 PM on May 13, 2026: contributor

    <!--85328a0da195eb286784d51f73fa0af9-->

    🚧 At least one of the CI tasks failed. <sub>Task iwyu: https://github.com/bitcoin/bitcoin/actions/runs/25806359727/job/75815150297</sub> <sub>LLM reason (✨ experimental): CI failed because the IWYU (include-what-you-use) check flagged missing/wrong includes and intentionally returned non-zero exit status (“Failure generated from IWYU”).</sub>

    <details><summary>Hints</summary>

    Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

    • Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    • A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

    • An intermittent issue.

    Leave a comment here, if you need help tracking down a confusing failure.

    </details>

  9. univalue: respect token end pointer db49f974fe
  10. ferminquant force-pushed on May 14, 2026
  11. DrahtBot removed the label CI failed on May 14, 2026
  12. DrahtBot added the label CI failed on May 21, 2026
  13. DrahtBot removed the label CI failed on May 21, 2026
  14. sedited requested review from maflcko on Jun 8, 2026
  15. in src/univalue/test/unitester.cpp:218 in db49f974fe outdated 
     213 | +    expect_json_token("false", /*size=*/5, JTOK_KW_FALSE, /*expected_consumed=*/5);
 214 | +
 215 | +    expect_json_token("-0", 1, JTOK_ERR);
 216 | +    expect_json_token("-x", 1, JTOK_ERR);
 217 | +    expect_json_token("01", /*size=*/1, JTOK_NUMBER, /*expected_consumed=*/1, "0");
 218 | +    expect_json_token("-01", /*size=*/2, JTOK_NUMBER, /*expected_consumed=*/2, "-0");
    carloantinarella commented at 4:58 PM on June 8, 2026:

    Would it be the case to add also few tests for fractions and exp numbers?

    ferminquant commented at 5:56 PM on June 9, 2026:

    Added in commit 28f609c7bb — eight tests covering fractions, exponents, and combined, using the same size/end-pointer pattern as the existing tests in this function.

  16. test: add end-pointer tests for fractions and exponents
    Cover getJsonToken() with bounded input for the fraction and
exponent number paths, as suggested in review.
    28f609c7bb
  17. carloantinarella commented at 8:01 PM on June 9, 2026: contributor

    tACK 28f609c7bb78c233356470b9399c35b3183563a6

    Thanks for the added tests. One comment: my suggestion is to squash the two commits into a single one, as they do not seem to represent different logical steps.

Contributors
ferminquantDrahtBotmaflckocarloantinarella


maflcko

Labels
RPC/REST/ZMQ
Linked (view graph)
#28260 getJsonToken assumes underlying string is null-terminated but requires end pointer
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-06-11 10:51 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me