Tighten bounds checks around TextEncoder logic

- Replaces unsafe code with safe code where possible
- Fixes some surrogate pairs being misinterpreted
- Fixes dotnet/runtime#45994
- Ref: MSRC 62749 (CVE-2021-26701)

Author: GrabYourPitchforks

NuGet.config

@@ -14,6 +14,8 @@
     <add key="dotnet3.1-transport" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet3.1-transport/nuget/v3/index.json" />
     <add key="dotnet-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json" />
     <add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" />
+    <!-- Harvesting feed from 2.1 -->
+    <add key="darc-int-corefx-2.1.26" value="https://pkgs.dev.azure.com/dnceng/internal/_packaging/darc-int-corefx-2.1.26/nuget/v3/index.json" />
   </packageSources>
   <disabledPackageSources>
     <clear />

pkg/Microsoft.Private.PackageBaseline/packageIndex.json

@@ -5554,23 +5554,26 @@
         "4.3.1",
         "4.4.0",
         "4.5.0",
-        "4.6.0",
+        "4.5.1",
         "4.7.0",
-        "4.7.1"
+        "4.7.1",
+        "4.7.2"
       ],
-      "BaselineVersion": "4.7.1",
+      "BaselineVersion": "4.7.2",
       "InboxOn": {
         "netcoreapp3.0": "4.0.4.0",
-        "netcoreapp3.1": "4.0.5.0",
+        "netcoreapp3.1": "4.0.5.1",
         "uap10.0.16300": "4.0.5.0"
       },
       "AssemblyVersionInPackageVersion": {
         "4.0.0.0": "4.0.0",
         "4.0.1.0": "4.3.0",
         "4.0.2.0": "4.4.0",
         "4.0.3.0": "4.5.0",
+        "4.0.3.1": "4.5.1",
         "4.0.4.0": "4.6.0",
-        "4.0.5.0": "4.7.0"
+        "4.0.5.0": "4.7.0",
+        "4.0.5.1": "4.7.2"
       }
     },
     "System.Text.Json": {
@@ -6644,4 +6647,4 @@
       "System.Xml.XDocument"
     ]
   }
-}
+}

src/System.Text.Encodings.Web/Directory.Build.props

@@ -1,8 +1,8 @@
 <Project>
   <Import Project="..\Directory.Build.props" />
   <PropertyGroup>
-    <AssemblyVersion>4.0.5.0</AssemblyVersion>
-    <PackageVersion>4.7.1</PackageVersion>
+    <AssemblyVersion>4.0.5.1</AssemblyVersion>
+    <PackageVersion>4.7.2</PackageVersion>
     <StrongNameKeyId>Open</StrongNameKeyId>
     <IsNETCoreApp>true</IsNETCoreApp>
     <IsUAP>true</IsUAP>

src/System.Text.Encodings.Web/src/System.Text.Encodings.Web.csproj

@@ -6,6 +6,7 @@
     <Configurations>netstandard-Debug;netstandard-Release;netstandard2.1-Debug;netstandard2.1-Release;uap-Windows_NT-Debug;uap-Windows_NT-Release;net461-Debug;net461-Release;netfx-Debug;netfx-Release</Configurations>
   </PropertyGroup>
   <ItemGroup>
+    <Compile Include="System\IO\TextWriterExtensions.cs" />
     <Compile Include="System\Text\Encodings\Web\HexUtil.cs" />
     <Compile Include="System\Text\Encodings\Web\HtmlEncoder.cs" />
     <Compile Include="System\Text\Encodings\Web\JavaScriptEncoder.cs" />
@@ -27,6 +28,9 @@
     <Compile Include="$(CommonPath)\CoreLib\System\Text\UnicodeUtility.cs">
       <Link>System\Text\UnicodeUtility.cs</Link>
     </Compile>
+    <Compile Include="$(CommonPath)\CoreLib\System\Text\ValueStringBuilder.cs">
+      <Link>System\Text\ValueStringBuilder.cs</Link>
+    </Compile>
   </ItemGroup>
   <ItemGroup>
     <Reference Include="System.Memory" />
@@ -41,4 +45,7 @@
     <Reference Include="System.Runtime.Extensions" />
     <Reference Include="System.Threading" />
   </ItemGroup>
+  <ItemGroup Condition="'$(TargetGroup)' != 'netstandard2.1'">
+    <Reference Include="System.Buffers" />
+  </ItemGroup>
 </Project>

src/System.Text.Encodings.Web/src/System/IO/TextWriterExtensions.cs

@@ -0,0 +1,43 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Diagnostics;
+
+#if !(netcoreapp || netcoreapp30 || netstandard21)
+using System.Buffers;
+#endif
+
+namespace System.IO
+{
+    internal static class TextWriterExtensions
+    {
+        /// <summary>
+        /// Writes a partial string (given offset and count) to the underlying TextWriter.
+        /// </summary>
+        public static void WritePartialString(this TextWriter writer, string value, int offset, int count)
+        {
+            Debug.Assert(writer != null);
+            Debug.Assert(value != null);
+
+            if (offset == 0 && count == value.Length)
+            {
+                // on all platforms, prefer TextWriter.Write(string) if no slicing is required
+                writer.Write(value);
+            }
+            else
+            {
+                // if slicing is required, call TextWriter.Write(ROS<char>) if available;
+                // otherwise rent an array and implement the Write routine ourselves
+                ReadOnlySpan<char> sliced = value.AsSpan(offset, count);
+#if netcoreapp || netcoreapp30 || netstandard21
+                writer.Write(sliced);
+#else
+                char[] rented = ArrayPool<char>.Shared.Rent(sliced.Length);
+                sliced.CopyTo(rented);
+                writer.Write(rented, 0, sliced.Length);
+                ArrayPool<char>.Shared.Return(rented);
+#endif
+            }
+        }
+    }
+}