guard eetf_to_json reads against end of input (#2659)

* guard eetf_to_json sequence and version reads against end

* Read eetf tail/key tags directly to avoid ei_get_type over-read

The list-tail and map-key guards added in this branch only prove one byte (the
tag) is present, but get_type -> ei_get_type then reads a 2-4 byte length header
off the raw pointer for header-bearing tags, over-reading past end when the tag
is the final byte (verified with a guard page: SIGSEGV on a truncated improper
tail or map key). Read the tag with a single-byte peek instead: a proper list
tail only accepts ERL_NIL_EXT, and is_string/is_atom classify the raw map-key
tag while term_to_json_value re-reads and bounds-checks the full key.

Also fix decode_number casting the scratch value through the forwarding-reference
type T instead of the decayed value type V; static_cast<T> forms a reference cast
that fails to compile where int64_t is long long while long is the same width
(macOS/LLP64). Matches the existing float branch.

Add regression tests: empty buffer -> no_read_input; truncated map header and
truncated key tag -> unexpected_end; list missing its NIL tail -> unexpected_end
(with a valid-list counterpart); improper list tail -> array_element_not_found.

---------

Co-authored-by: Stephen Berry <stephenberry.developer@gmail.com>

Author: uwezkhan

include/glaze/eetf/eetf_to_json.hpp

@@ -156,10 +156,18 @@ namespace glz
                return;
             }
             write_sequence(arity, idx, ctx, it, end, out, ix, recursive_depth + 1);
+            if (bool(ctx.error)) [[unlikely]] {
+               return;
+            }
 
             // handle tail
-            const auto tag = get_type(ctx, it);
-            if (tag != ERL_NIL_EXT) {
+            if (invalid_end(ctx, it, end)) [[unlikely]] {
+               return;
+            }
+            // A proper list terminates with ERL_NIL_EXT, a single tag byte. Read that tag directly
+            // rather than through get_type/ei_get_type, which reads a 2-4 byte length header off the
+            // raw pointer (past end when the tail tag is the final byte) for any other term type.
+            if (uint8_t(*it) != ERL_NIL_EXT) {
                ctx.error = error_code::array_element_not_found;
                return;
             }
@@ -199,7 +207,15 @@ namespace glz
 
             while (arity--) {
                // write key
-               const auto key_type = get_type(ctx, it);
+               if (invalid_end(ctx, it, end)) [[unlikely]] {
+                  return;
+               }
+               // Read the key tag directly rather than through get_type/ei_get_type, which reads a
+               // 2-4 byte length header off the raw pointer (past end when the tag is the final byte).
+               // is_string/is_atom accept the raw, un-normalized tag, and term_to_json_value re-reads
+               // and bounds-checks the full key below. Widen to int so the tag clears the int_t
+               // constraint on is_string/is_atom (uint8_t is a char type and would be rejected).
+               const int key_type = uint8_t(*it);
                // support only string or atom keys in json
                if (!eetf::is_string(key_type) && !eetf::is_atom(key_type)) {
                   ctx.error = error_code::syntax_error;
@@ -254,6 +270,9 @@ namespace glz
 
       // Check format version
       if constexpr (not check_no_header(Opts)) {
+         if (it == end) [[unlikely]] {
+            return {0, error_code::no_read_input};
+         }
          const auto version = decode_version(ctx, it);
          if (eetf_magic_version != version) {
             return {0, error_code::version_mismatch};

include/glaze/eetf/ei.hpp

@@ -117,6 +117,10 @@ namespace glz
    GLZ_ALWAYS_INLINE void decode_number(T&& value, Args&&... args) noexcept
    {
       using V = std::remove_cvref_t<T>;
+      // Cast the scratch value through V (the decayed value type), never T. T is a forwarding
+      // reference, so static_cast<T>(v) forms a reference cast that fails to compile when the
+      // scratch type (long / long long) is a distinct type of the same width as V -- e.g. on
+      // platforms where int64_t is long long while long is also 64-bit (macOS/LLP64-style).
       if constexpr (std::floating_point<std::remove_cvref_t<T>>) {
          double v;
          detail::decode_impl([&](const char* buf, int* index) { return ei_decode_double(buf, index, &v); },
@@ -129,27 +133,27 @@ namespace glz
                long long v;
                detail::decode_impl([&](const char* buf, int* index) { return ei_decode_longlong(buf, index, &v); },
                                    std::forward<Args>(args)...);
-               value = static_cast<T>(v);
+               value = static_cast<V>(v);
             }
             else {
                unsigned long long v;
                detail::decode_impl([&](const char* buf, int* index) { return ei_decode_ulonglong(buf, index, &v); },
                                    std::forward<Args>(args)...);
-               value = static_cast<T>(v);
+               value = static_cast<V>(v);
             }
          }
          else {
             if constexpr (std::is_signed_v<V>) {
                long v;
                detail::decode_impl([&](const char* buf, int* index) { return ei_decode_long(buf, index, &v); },
                                    std::forward<Args>(args)...);
-               value = static_cast<T>(v);
+               value = static_cast<V>(v);
             }
             else {
                unsigned long v;
                detail::decode_impl([&](const char* buf, int* index) { return ei_decode_ulong(buf, index, &v); },
                                    std::forward<Args>(args)...);
-               value = static_cast<T>(v);
+               value = static_cast<V>(v);
             }
          }
       }

tests/eetf_test/eetf_test.cpp

@@ -455,6 +455,74 @@ suite eetf_to_json_tests = [] {
       expect_unexpected_end(partial_digits);
    };
 
+   "eetf_to_json empty buffer"_test = [] {
+      // No version byte at all: the entry guard rejects before decode_version reads the tag.
+      const std::string buffer{};
+      std::string json{};
+      const auto ec = glz::eetf_to_json(buffer, json);
+      expect(ec.ec == glz::error_code::no_read_input);
+   };
+
+   "eetf_to_json truncated map"_test = [] {
+      auto expect_unexpected_end = [](const auto& buffer) {
+         std::string json{};
+         const auto ec = glz::eetf_to_json(buffer, json);
+         expect(ec.ec == glz::error_code::unexpected_end);
+      };
+
+      // ERL_MAP_EXT declares arity 1 but the buffer ends before any key/value entry.
+      const std::array<std::uint8_t, 6> missing_entries{
+         uint8_t(glz::eetf_magic_version), uint8_t(ERL_MAP_EXT), 0, 0, 0, 1};
+      // ERL_MAP_EXT arity 1 with a key tag (ERL_ATOM_EXT) as the final byte: the tag must be
+      // classified without ei_get_type reading its 2-byte length header past the end.
+      const std::array<std::uint8_t, 7> truncated_key{
+         uint8_t(glz::eetf_magic_version), uint8_t(ERL_MAP_EXT), 0, 0, 0, 1, uint8_t(ERL_ATOM_EXT)};
+
+      expect_unexpected_end(missing_entries);
+      expect_unexpected_end(truncated_key);
+   };
+
+   "eetf_to_json list missing tail"_test = [] {
+      // ERL_LIST_EXT, one element (small integer 5), but the ERL_NIL_EXT tail is missing.
+      const std::array<std::uint8_t, 8> missing_tail{
+         uint8_t(glz::eetf_magic_version), uint8_t(ERL_LIST_EXT), 0, 0, 0, 1, uint8_t(ERL_SMALL_INTEGER_EXT), 5};
+      std::string json{};
+      const auto ec = glz::eetf_to_json(missing_tail, json);
+      expect(ec.ec == glz::error_code::unexpected_end);
+
+      // The same list with the NIL tail present parses cleanly: the tail guard must not reject it.
+      const std::array<std::uint8_t, 9> with_tail{uint8_t(glz::eetf_magic_version),
+                                                  uint8_t(ERL_LIST_EXT),
+                                                  0,
+                                                  0,
+                                                  0,
+                                                  1,
+                                                  uint8_t(ERL_SMALL_INTEGER_EXT),
+                                                  5,
+                                                  uint8_t(ERL_NIL_EXT)};
+      json.clear();
+      expect(!glz::eetf_to_json(with_tail, json));
+      expect(json == "[5]") << json;
+   };
+
+   "eetf_to_json list improper tail"_test = [] {
+      // ERL_LIST_EXT with one element and a non-NIL tail tag (ERL_MAP_EXT) as the final byte. The
+      // tail must be classified from its single tag byte without ei_get_type reading the 4-byte
+      // length header past the end of the buffer.
+      const std::array<std::uint8_t, 9> buffer{uint8_t(glz::eetf_magic_version),
+                                               uint8_t(ERL_LIST_EXT),
+                                               0,
+                                               0,
+                                               0,
+                                               1,
+                                               uint8_t(ERL_SMALL_INTEGER_EXT),
+                                               5,
+                                               uint8_t(ERL_MAP_EXT)};
+      std::string json{};
+      const auto ec = glz::eetf_to_json(buffer, json);
+      expect(ec.ec == glz::error_code::array_element_not_found);
+   };
+
    "eetf_to_json no header"_test = [] {
       constexpr int items = 3;
       std::vector<simple> v;