guard iterator against end in stencilcount (#2623)

* guard iterator against end in stencilcount

* handle truncated stencilcount keys

* test stencilcount input boundaries

* make sized hash decoding bounds safe

* limit bounds checks to stencilcount

* guard CBOR object key hashing

---------

Co-authored-by: Stephen Berry <stephenberry.developer@gmail.com>

Author: uwezkhan

include/glaze/cbor/read.hpp

@@ -1395,7 +1395,9 @@ namespace glz
             if constexpr (N > 0) {
                static constexpr auto HashInfo = hash_info<T>;
 
-               const auto index = decode_hash_with_size<CBOR, T, HashInfo, HashInfo.type>::op(it, end, key_len);
+               const auto index = key_len < HashInfo.min_length || key_len > HashInfo.max_length
+                                     ? N
+                                     : decode_hash_with_size<CBOR, T, HashInfo, HashInfo.type>::op(it, end, key_len);
 
                if (index < N) [[likely]] {
                   const sv key{reinterpret_cast<const char*>(it), static_cast<size_t>(key_len)};

include/glaze/stencil/stencilcount.hpp

@@ -27,7 +27,7 @@ namespace glz
       }
       if (not bool(ctx.error)) [[likely]] {
          auto skip_whitespace = [&] {
-            while (whitespace_table[uint8_t(*it)]) {
+            while (it < end && whitespace_table[uint8_t(*it)]) {
                ++it;
             }
          };
@@ -40,12 +40,12 @@ namespace glz
             switch (*it) {
             case '{': {
                ++it;
-               if (*it == '{') {
+               if (it != end && *it == '{') {
                   ++it;
                   skip_whitespace();
 
                   uint64_t count{};
-                  while (*it == '+') {
+                  while (it != end && *it == '+') {
                      ++it;
                      ++count;
                   }
@@ -76,9 +76,9 @@ namespace glz
                      prev_count = count;
                   }
 
-                  if (*it == '}') {
+                  if (it != end && *it == '}') {
                      ++it;
-                     if (*it == '}') {
+                     if (it != end && *it == '}') {
                         ++it;
                         break;
                      }
@@ -93,15 +93,23 @@ namespace glz
                      ++it;
                   }
 
+                  if (it == end) {
+                     break;
+                  }
+
                   const sv key{start, size_t(it - start)};
 
                   skip_whitespace();
 
                   static constexpr auto N = reflect<T>::size;
                   static constexpr auto HashInfo = hash_info<T>;
 
-                  const auto index =
-                     decode_hash_with_size<STENCIL, T, HashInfo, HashInfo.type>::op(start, end, key.size());
+                  const auto index = [&] {
+                     if (key.size() < HashInfo.min_length || key.size() > HashInfo.max_length) {
+                        return N;
+                     }
+                     return decode_hash_with_size<STENCIL, T, HashInfo, HashInfo.type>::op(start, end, key.size());
+                  }();
 
                   if (index < N) [[likely]] {
                      std::string temp{};
@@ -137,9 +145,9 @@ namespace glz
 
                   skip_whitespace();
 
-                  if (*it == '}') {
+                  if (it != end && *it == '}') {
                      ++it;
-                     if (*it == '}') {
+                     if (it != end && *it == '}') {
                         ++it;
                         break;
                      }

tests/cbor_test/cbor_test.cpp

@@ -29,6 +29,22 @@ struct my_struct
    std::array<uint64_t, 3> arr = {1, 2, 3};
 };
 
+struct cbor_mod4_object
+{
+   int x{};
+   int y{};
+   int z{};
+};
+
+struct cbor_front_hash_object
+{
+   int aaaa{};
+   int aaab{};
+   int aaba{};
+   int aabb{};
+   int abaa{};
+};
+
 template <>
 struct glz::meta<my_struct>
 {
@@ -2258,6 +2274,26 @@ void past_fuzzing_issues()
 
 void error_tests()
 {
+   const auto read_exact = []<class T, size_t N>(const std::array<uint8_t, N>& input) {
+      auto buffer = std::make_unique_for_overwrite<char[]>(N);
+      std::copy_n(reinterpret_cast<const char*>(input.data()), N, buffer.get());
+      T value{};
+      return glz::read_cbor(value, std::string_view{buffer.get(), N});
+   };
+
+   "empty object key stays within the buffer"_test = [=] {
+      static_assert(glz::hash_info<cbor_mod4_object>.type == glz::hash_type::mod4);
+      constexpr std::array<uint8_t, 3> input{0xa1, 0x60, 0x00};
+      expect(read_exact.template operator()<cbor_mod4_object>(input).ec == glz::error_code::unknown_key);
+   };
+
+   "short front hash key stays within the buffer"_test = [=] {
+      static_assert(glz::hash_info<cbor_front_hash_object>.type == glz::hash_type::front_hash);
+      static_assert(glz::hash_info<cbor_front_hash_object>.front_hash_bytes == 4);
+      constexpr std::array<uint8_t, 4> input{0xa1, 0x61, 'a', 0x00};
+      expect(read_exact.template operator()<cbor_front_hash_object>(input).ec == glz::error_code::unknown_key);
+   };
+
    "truncated_input"_test = [] {
       std::string buffer;
       buffer.push_back(static_cast<char>(glz::cbor::initial_byte(glz::cbor::major::uint, 24)));

tests/stencil/stencil_test.cpp

@@ -663,6 +663,22 @@ suite mustache_list_template_tests = [] {
 
 #include "glaze/stencil/stencilcount.hpp"
 
+struct stencilcount_point
+{
+   int x{};
+   int y{};
+   int z{};
+};
+
+struct stencilcount_front_hash
+{
+   int aaaa{};
+   int aaab{};
+   int aaba{};
+   int aabb{};
+   int abaa{};
+};
+
 suite stencilcount_tests = [] {
    "basic docstencil"_test = [] {
       std::string_view layout = R"(# About
@@ -705,6 +721,49 @@ suite stencilcount_tests = [] {
 3.1.2 English
 )") << result;
    };
+
+   "truncated tags stay within the buffer"_test = [] {
+      static_assert(glz::hash_info<stencilcount_point>.type == glz::hash_type::mod4);
+
+      constexpr std::array cases{
+         std::pair<std::string_view, std::string_view>{"{{x}}", "42"},
+         std::pair<std::string_view, std::string_view>{"{{ x }}", "42"},
+         std::pair<std::string_view, std::string_view>{"{{\tx\t}}", "42"},
+         std::pair<std::string_view, std::string_view>{"{{+++}}", "0.0.1"},
+         std::pair<std::string_view, std::string_view>{"before {{x}} after", "before 42 after"},
+      };
+
+      const auto render_prefix = []<class T>(const std::string_view layout, const size_t size, T& value) {
+         auto buffer = std::make_unique_for_overwrite<char[]>(size);
+         std::copy_n(layout.data(), size, buffer.get());
+         return glz::stencilcount(std::string_view{buffer.get(), size}, value);
+      };
+
+      stencilcount_point point{.x = 42};
+      for (const auto& [layout, expected] : cases) {
+         for (size_t size = 1; size <= layout.size(); ++size) {
+            auto result = render_prefix(layout, size, point);
+            expect(result.has_value()) << layout << " prefix size " << size;
+            if (size == layout.size()) {
+               expect(result.value_or("") == expected) << layout;
+            }
+         }
+      }
+
+      static_assert(glz::hash_info<stencilcount_front_hash>.type == glz::hash_type::front_hash);
+      static_assert(glz::hash_info<stencilcount_front_hash>.front_hash_bytes == 4);
+
+      stencilcount_front_hash front_hash_value{.aaaa = 42};
+      for (const std::string_view layout : {"{{a}", "{{a}}", "{{a }", "{{aaaa}}"}) {
+         for (size_t size = 1; size <= layout.size(); ++size) {
+            auto result = render_prefix(layout, size, front_hash_value);
+            expect(result.has_value()) << layout << " prefix size " << size;
+            if (size == layout.size() && layout == "{{aaaa}}") {
+               expect(result.value_or("") == "42");
+            }
+         }
+      }
+   };
 };
 
 int main() { return 0; }