Fix a couple error cases in Json parsing (#116446)

BrennanConroy · web-flow · commit e3c6605a1e67 · 2025-06-12T19:31:56.000-07:00
diff --git a/src/libraries/System.Text.Json/src/System/Text/Json/Reader/Utf8JsonReader.MultiSegment.cs b/src/libraries/System.Text.Json/src/System/Text/Json/Reader/Utf8JsonReader.MultiSegment.cs
@@ -548,7 +548,7 @@ private bool CheckLiteralMultiSegment(ReadOnlySpan<byte> span, ReadOnlySpan<byte
             {
                 _bytePositionInLine += FindMismatch(span, literal);
 
-                int amountToWrite = Math.Min(span.Length, (int)_bytePositionInLine + 1);
+                int amountToWrite = AmountToWrite(span, _bytePositionInLine, readSoFar, written);
                 span.Slice(0, amountToWrite).CopyTo(readSoFar);
                 written += amountToWrite;
                 goto Throw;
@@ -558,7 +558,7 @@ private bool CheckLiteralMultiSegment(ReadOnlySpan<byte> span, ReadOnlySpan<byte
                 if (!literal.StartsWith(span))
                 {
                     _bytePositionInLine += FindMismatch(span, literal);
-                    int amountToWrite = Math.Min(span.Length, (int)_bytePositionInLine + 1);
+                    int amountToWrite = AmountToWrite(span, _bytePositionInLine, readSoFar, written);
                     span.Slice(0, amountToWrite).CopyTo(readSoFar);
                     written += amountToWrite;
                     goto Throw;
@@ -605,7 +605,7 @@ private bool CheckLiteralMultiSegment(ReadOnlySpan<byte> span, ReadOnlySpan<byte
                     {
                         _bytePositionInLine += FindMismatch(span, leftToMatch);
 
-                        amountToWrite = Math.Min(span.Length, (int)_bytePositionInLine + 1);
+                        amountToWrite = AmountToWrite(span, _bytePositionInLine, readSoFar, written);
                         span.Slice(0, amountToWrite).CopyTo(readSoFar.Slice(written));
                         written += amountToWrite;
 
@@ -616,6 +616,13 @@ private bool CheckLiteralMultiSegment(ReadOnlySpan<byte> span, ReadOnlySpan<byte
                     alreadyMatched = span.Length;
                 }
             }
+
+            static int AmountToWrite(ReadOnlySpan<byte> span, long bytePositionInLine, ReadOnlySpan<byte> readSoFar, int written)
+            {
+                return Math.Min(
+                    readSoFar.Length - written,
+                    Math.Min(span.Length, (int)bytePositionInLine + 1));
+            }
         Throw:
             _totalConsumed = prevTotalConsumed;
             consumed = default;
diff --git a/src/libraries/System.Text.Json/src/System/Text/Json/Serialization/Converters/Value/DateOnlyConverter.cs b/src/libraries/System.Text.Json/src/System/Text/Json/Serialization/Converters/Value/DateOnlyConverter.cs
@@ -44,6 +44,13 @@ private static DateOnly ReadCore(ref Utf8JsonReader reader)
             {
                 Span<byte> stackSpan = stackalloc byte[MaxEscapedFormatLength];
                 int bytesWritten = reader.CopyString(stackSpan);
+
+                // CopyString can unescape which can change the length, so we need to perform the length check again.
+                if (bytesWritten < FormatLength)
+                {
+                    ThrowHelper.ThrowFormatException(DataType.DateOnly);
+                }
+
                 source = stackSpan.Slice(0, bytesWritten);
             }
 
diff --git a/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/JsonTestHelper.cs b/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/JsonTestHelper.cs
@@ -7,6 +7,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Globalization;
 using System.IO;
+using System.Linq;
 using System.Text.Json.Tests;
 using System.Text.RegularExpressions;
 using Newtonsoft.Json;
@@ -229,6 +230,11 @@ public static List<ReadOnlySequence<byte>> GetSequences(ReadOnlyMemory<byte> dat
             return sequences;
         }
 
+        public static ReadOnlySequence<byte> GetSequence(IEnumerable<byte[]> json)
+        {
+            return BufferFactory.Create(json.ToArray());
+        }
+
         internal static ReadOnlySequence<byte> SegmentInto(ReadOnlyMemory<byte> data, int segmentCount)
         {
             if (segmentCount < 2)
diff --git a/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/Serialization/Value.ReadTests.cs b/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/Serialization/Value.ReadTests.cs
@@ -650,6 +650,7 @@ public static void DateOnly_Read_Nullable_Tests()
         [InlineData("[]", false)]
         [InlineData("true", false)]
         [InlineData("null", false)]
+        [InlineData("05-1\\u0000", true)] // String length 10 before unescaping, less than 10 after escaping
         public static void DateOnly_Read_Failure(string json, bool addQuotes = true)
         {
             if (addQuotes)
diff --git a/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/Utf8JsonReaderTests.MultiSegment.cs b/src/libraries/System.Text.Json/tests/System.Text.Json.Tests/Utf8JsonReaderTests.MultiSegment.cs
@@ -1633,6 +1633,40 @@ public static void ReadJsonTokenWithExtraValueMultiSegment(string jsonString)
             }
         }
 
+        [Fact]
+        public static void MultiSegmentInvalidLiteral()
+        {
+            // Tests edge case in Utf8JsonReader.CheckLiteralMultiSegment error handling
+            // when segment has invalid literal and more characters than stack-allocated span (5)
+            IEnumerable<byte[]> bytes = ["tr"u8.ToArray(), "uabcdef"u8.ToArray()];
+            ReadOnlySequence<byte> sequence = JsonTestHelper.GetSequence(bytes);
+
+            Utf8JsonReader reader = new Utf8JsonReader(sequence, isFinalBlock: true, state: default);
+
+            JsonTestHelper.AssertThrows<JsonException>(ref reader, (ref reader) =>
+            {
+                reader.Read();
+            });
+        }
+
+        [Fact]
+        public static void MultiSegmentInvalidLiteralInObject()
+        {
+            // Tests edge case in Utf8JsonReader.CheckLiteralMultiSegment error handling
+            // when segment has invalid literal after having done some prior reads (i.e. start of object and property name)
+            IEnumerable<byte[]> bytes = ["{\"foo\""u8.ToArray(), ":nul234"u8.ToArray()];
+            ReadOnlySequence<byte> sequence = JsonTestHelper.GetSequence(bytes);
+
+            Utf8JsonReader reader = new Utf8JsonReader(sequence, isFinalBlock: true, state: default);
+            Assert.True(reader.Read()); // StartObject
+            Assert.True(reader.Read()); // PropertyName
+
+            JsonTestHelper.AssertThrows<JsonException>(ref reader, (ref reader) =>
+            {
+                reader.Read();
+            });
+        }
+
         [Theory]
         [MemberData(nameof(JsonTokenWithExtraValueAndComments))]
         public static void ReadJsonTokenWithExtraValueAndCommentsMultiSegment(string jsonString)

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,13 @@ private static DateOnly ReadCore(ref Utf8JsonReader reader)`
`44`	`44`	`{`
`45`	`45`	`Span<byte> stackSpan = stackalloc byte[MaxEscapedFormatLength];`
`46`	`46`	`int bytesWritten = reader.CopyString(stackSpan);`
	`47`	`+`
	`48`	`+ // CopyString can unescape which can change the length, so we need to perform the length check again.`
	`49`	`+ if (bytesWritten < FormatLength)`
	`50`	`+ {`
	`51`	`+ ThrowHelper.ThrowFormatException(DataType.DateOnly);`
	`52`	`+ }`
	`53`	`+`
`47`	`54`	`source = stackSpan.Slice(0, bytesWritten);`
`48`	`55`	`}`
`49`	`56`
Original file line number	Diff line number	Diff line change
`@@ -650,6 +650,7 @@ public static void DateOnly_Read_Nullable_Tests()`
`650`	`650`	`[InlineData("[]", false)]`
`651`	`651`	`[InlineData("true", false)]`
`652`	`652`	`[InlineData("null", false)]`
	`653`	`+ [InlineData("05-1\\u0000", true)] // String length 10 before unescaping, less than 10 after escaping`
`653`	`654`	`public static void DateOnly_Read_Failure(string json, bool addQuotes = true)`
`654`	`655`	`{`
`655`	`656`	`if (addQuotes)`