Bound non-null-terminated value scanners against end of input

Several JSON value scanners dereference *it without an end check, relying on
the trailing '\0' sentinel that only exists for null-terminated buffers. On a
non-null-terminated buffer (opts.null_terminated = false) there is no
sentinel, so truncated or boundary input reads one or more bytes past the end
(heap-buffer-overflow under ASAN). Each fix leaves the null-terminated fast
path byte-for-byte unchanged and bounds only the non-null-terminated path:

- skip_number (non-validating): gate the digit scan on it < end when not
  null-terminated (skip_number_opts gains a null_terminated field).
- skip_number_with_validation: guard each standalone *it read with it != end
  (the find_if_not scans were already end-bounded).
- number_of_array_elements: bound the element pre-scan loop on it == end.
- skip_string (non-padded, validating): bound the scan loop and the
  post-backslash read (skip_string_opts gains a null_terminated field).
- NDJSON read_new_lines: bound the inter-record newline scan on it != end.

Adds a non_null_terminated_scanner_bounds suite exercising each scanner at its
buffer boundary; these run under the ASAN CI job.

Author: stephenberry

include/glaze/json/ndjson.hpp

@@ -56,18 +56,38 @@ namespace glz
          auto value_it = value.begin();
 
          auto read_new_lines = [&] {
-            while (*it == '\r') {
-               ++it;
-               if (*it == '\n') {
+            // A null-terminated buffer stops on the trailing '\0' sentinel. A non-null-terminated
+            // buffer has no sentinel, so bound the scan on it != end while consuming the line
+            // breaks between records.
+            if constexpr (Opts.null_terminated) {
+               while (*it == '\r') {
                   ++it;
+                  if (*it == '\n') {
+                     ++it;
+                  }
+                  else {
+                     ctx.error = error_code::syntax_error; // Expected '\n' after '\r'
+                     return;
+                  }
                }
-               else {
-                  ctx.error = error_code::syntax_error; // Expected '\n' after '\r'
-                  return;
+               while (*it == '\n') {
+                  ++it;
                }
             }
-            while (*it == '\n') {
-               ++it;
+            else {
+               while (it != end && *it == '\r') {
+                  ++it;
+                  if (it != end && *it == '\n') {
+                     ++it;
+                  }
+                  else {
+                     ctx.error = error_code::syntax_error; // Expected '\n' after '\r'
+                     return;
+                  }
+               }
+               while (it != end && *it == '\n') {
+                  ++it;
+               }
             }
          };
 
@@ -126,18 +146,38 @@ namespace glz
          }();
 
          auto read_new_lines = [&] {
-            while (*it == '\r') {
-               ++it;
-               if (*it == '\n') {
+            // A null-terminated buffer stops on the trailing '\0' sentinel. A non-null-terminated
+            // buffer has no sentinel, so bound the scan on it != end while consuming the line
+            // breaks between records.
+            if constexpr (Opts.null_terminated) {
+               while (*it == '\r') {
                   ++it;
+                  if (*it == '\n') {
+                     ++it;
+                  }
+                  else {
+                     ctx.error = error_code::syntax_error; // Expected '\n' after '\r'
+                     return;
+                  }
                }
-               else {
-                  ctx.error = error_code::syntax_error; // Expected '\n' after '\r'
-                  return;
+               while (*it == '\n') {
+                  ++it;
                }
             }
-            while (*it == '\n') {
-               ++it;
+            else {
+               while (it != end && *it == '\r') {
+                  ++it;
+                  if (it != end && *it == '\n') {
+                     ++it;
+                  }
+                  else {
+                     ctx.error = error_code::syntax_error; // Expected '\n' after '\r'
+                     return;
+                  }
+               }
+               while (it != end && *it == '\n') {
+                  ++it;
+               }
             }
          };
 

include/glaze/json/read.hpp

@@ -2549,11 +2549,25 @@ namespace glz
       if (bool(ctx.error)) [[unlikely]]
          return {};
 
+      if constexpr (not Opts.null_terminated) {
+         if (it == end) [[unlikely]] {
+            ctx.error = error_code::unexpected_end;
+            return {};
+         }
+      }
       if (*it == ']') [[unlikely]] {
          return 0;
       }
       size_t count = 1;
       while (true) {
+         // A null-terminated buffer falls out through the '\0' case below; a non-null-terminated
+         // buffer has no sentinel, so bound the scan here before dereferencing.
+         if constexpr (not Opts.null_terminated) {
+            if (it == end) [[unlikely]] {
+               ctx.error = error_code::unexpected_end;
+               return {};
+            }
+         }
          switch (*it) {
          case ',': {
             ++count;

include/glaze/util/parse.hpp

@@ -745,18 +745,26 @@ namespace glz
       bool padded;
       bool opening_handled;
       bool validate_skipped;
+      bool null_terminated;
 
       // Convert from any opts-like type (consteval because check_* functions are consteval)
       template <typename T>
       consteval skip_string_opts(const T& opts) noexcept
          : padded{check_is_padded(opts)},
            opening_handled{check_opening_handled(opts)},
-           validate_skipped{check_validate_skipped(opts)}
+           validate_skipped{check_validate_skipped(opts)},
+           null_terminated{check_null_terminated(opts)}
       {}
 
-      // Direct construction - all values required
-      consteval skip_string_opts(bool padded_, bool opening_handled_, bool validate_skipped_) noexcept
-         : padded{padded_}, opening_handled{opening_handled_}, validate_skipped{validate_skipped_}
+      // Direct construction - null_terminated defaults to true for the structural (non-validating)
+      // skip_until_closed call sites, which route through the end-bounded skip_string_view path
+      // and so are independent of this flag.
+      consteval skip_string_opts(bool padded_, bool opening_handled_, bool validate_skipped_,
+                                 bool null_terminated_ = true) noexcept
+         : padded{padded_},
+           opening_handled{opening_handled_},
+           validate_skipped{validate_skipped_},
+           null_terminated{null_terminated_}
       {}
    };
 
@@ -863,6 +871,15 @@ namespace glz
 
       if constexpr (Opts.validate_skipped) {
          while (true) {
+            // A null-terminated buffer terminates on the trailing '\0' (caught by the control
+            // character check below); a non-null-terminated buffer has no sentinel, so bound the
+            // scan before each dereference.
+            if constexpr (not Opts.null_terminated) {
+               if (it == end) [[unlikely]] {
+                  ctx.error = error_code::unexpected_end;
+                  return;
+               }
+            }
             if ((*it & 0b11100000) == 0) [[unlikely]] {
                ctx.error = error_code::syntax_error;
                return;
@@ -875,6 +892,12 @@ namespace glz
             }
             case '\\': {
                ++it;
+               if constexpr (not Opts.null_terminated) {
+                  if (it == end) [[unlikely]] {
+                     ctx.error = error_code::unexpected_end;
+                     return;
+                  }
+               }
                if (char_unescape_table[uint8_t(*it)]) {
                   ++it;
                   continue;
@@ -1239,12 +1262,17 @@ namespace glz
 
    GLZ_ALWAYS_INLINE void skip_number_with_validation(is_context auto&& ctx, auto&& it, auto end) noexcept
    {
-      it += *it == '-';
+      // Every standalone *it read below is guarded by it != end so the scan stays inside the
+      // buffer for non-null-terminated input (the std::find_if_not calls are already bounded by
+      // end). A null-terminated buffer is unaffected: it reaches end only once the number is
+      // fully consumed, where these guards short-circuit exactly as the trailing '\0' sentinel
+      // would have.
+      it += (it != end) && (*it == '-');
       const auto sig_start_it = it;
       auto frac_start_it = end;
-      if (*it == '0') {
+      if (it != end && *it == '0') {
          ++it;
-         if (*it != '.') {
+         if (it == end || *it != '.') {
             return;
          }
          ++it;
@@ -1255,11 +1283,11 @@ namespace glz
          ctx.error = error_code::syntax_error;
          return;
       }
-      if ((*it | ('E' ^ 'e')) == 'e') {
+      if (it != end && (*it | ('E' ^ 'e')) == 'e') {
          ++it;
          goto exp_start;
       }
-      if (*it != '.') return;
+      if (it == end || *it != '.') return;
       ++it;
    frac_start:
       frac_start_it = it;
@@ -1268,10 +1296,10 @@ namespace glz
          ctx.error = error_code::syntax_error;
          return;
       }
-      if ((*it | ('E' ^ 'e')) != 'e') return;
+      if (it == end || (*it | ('E' ^ 'e')) != 'e') return;
       ++it;
    exp_start:
-      it += *it == '+' || *it == '-';
+      it += (it != end) && (*it == '+' || *it == '-');
       const auto exp_start_it = it;
       it = std::find_if_not(it, end, is_digit);
       if (it == exp_start_it) {
@@ -1284,22 +1312,34 @@ namespace glz
    struct skip_number_opts
    {
       bool validate;
+      bool null_terminated;
 
-      // Convert from any opts-like type (consteval because check_validate_skipped is consteval)
+      // Convert from any opts-like type (consteval because check_* functions are consteval)
       template <typename T>
-      consteval skip_number_opts(const T& opts) noexcept : validate{check_validate_skipped(opts)}
+      consteval skip_number_opts(const T& opts) noexcept
+         : validate{check_validate_skipped(opts)}, null_terminated{check_null_terminated(opts)}
       {}
 
       // Direct construction
-      explicit consteval skip_number_opts(bool validate_) noexcept : validate{validate_} {}
+      explicit consteval skip_number_opts(bool validate_, bool null_terminated_ = true) noexcept
+         : validate{validate_}, null_terminated{null_terminated_}
+      {}
    };
 
    template <skip_number_opts Opts>
    GLZ_ALWAYS_INLINE void skip_number(is_context auto&& ctx, auto&& it, auto end) noexcept
    {
       if constexpr (not Opts.validate) {
-         while (numeric_table[uint8_t(*it)]) {
-            ++it;
+         if constexpr (Opts.null_terminated) {
+            // Relies on the trailing '\0' sentinel (numeric_table['\0'] == false) to terminate.
+            while (numeric_table[uint8_t(*it)]) {
+               ++it;
+            }
+         }
+         else {
+            while (it < end && numeric_table[uint8_t(*it)]) {
+               ++it;
+            }
          }
       }
       else {

tests/json_test/json_test.cpp

@@ -2269,6 +2269,111 @@ suite early_end = [] {
    trace.end("early_end");
 };
 
+// Bounds hardening for value scanners that do not route through skip_ws. On a non-null-terminated
+// buffer there is no trailing '\0' sentinel, so each scanner below must respect end explicitly.
+// Built under ASAN in CI, these cases catch reads past an exact-size buffer.
+suite non_null_terminated_scanner_bounds = [] {
+   "nnt skip_number (raw_json) stays in bounds"_test = [] {
+      static constexpr glz::opts options{.null_terminated = false};
+      // Bare numbers that end exactly at the buffer end must parse without reading past it.
+      for (const std::string_view num : {"12345", "0", "3.14", "1e-12", "2.5E+9"}) {
+         std::vector<char> buf{num.begin(), num.end()};
+         const std::string_view view{buf.data(), buf.data() + buf.size()};
+         glz::raw_json value{};
+         const auto ec = glz::read<options>(value, view);
+         expect(not ec) << glz::format_error(ec, view);
+         expect(value.str == num);
+      }
+   };
+
+   "nnt number_of_array_elements stays in bounds"_test = [] {
+      static constexpr glz::opts options{.null_terminated = false};
+      // std::forward_list routes through the element pre-scan; truncated arrays must error rather
+      // than read past the end.
+      for (const std::string_view s : {"[1,2,3,4,5", "[1,2,", "[1", "["}) {
+         std::vector<char> buf{s.begin(), s.end()};
+         const std::string_view view{buf.data(), buf.data() + buf.size()};
+         std::forward_list<int> value{};
+         const auto ec = glz::read<options>(value, view);
+         expect(ec);
+         expect(ec.count <= view.size());
+      }
+      // A complete array still parses.
+      const std::string_view complete = "[1,2,3,4,5]";
+      std::vector<char> buf{complete.begin(), complete.end()};
+      const std::string_view view{buf.data(), buf.data() + buf.size()};
+      std::forward_list<int> value{};
+      const auto ec = glz::read<options>(value, view);
+      expect(not ec) << glz::format_error(ec, view);
+      expect(value == (std::forward_list<int>{1, 2, 3, 4, 5}));
+   };
+
+   "nnt validated number skip stays in bounds"_test = [] {
+      static constexpr glz::opts options{.null_terminated = false};
+      // The JSON-pointer path validates the located number; incomplete numbers must be rejected
+      // without scanning past the end, and complete numbers must still resolve.
+      const auto resolves = [](std::string_view s) {
+         std::vector<char> buf{s.begin(), s.end()};
+         return glz::get_view_json<"/x", options>(std::string_view{buf.data(), buf.data() + buf.size()}).has_value();
+      };
+      expect(not resolves(R"({"x":-)"));
+      expect(not resolves(R"({"x":1e)"));
+      expect(not resolves(R"({"x":1.)"));
+      expect(not resolves(R"({"x":1.5e)"));
+      expect(not resolves(R"({"x":1.5e+)"));
+      expect(resolves(R"({"x":0)"));
+      expect(resolves(R"({"x":12345)"));
+      expect(resolves(R"({"x":12345})"));
+   };
+
+   "nnt validated string skip stays in bounds"_test = [] {
+      static constexpr glz::opts options{.null_terminated = false};
+      // The validating skip path (here via a JSON pointer) must not scan past the end of an
+      // unterminated string value or a string truncated mid-escape.
+      const auto resolves = [](std::string_view s) {
+         std::vector<char> buf{s.begin(), s.end()};
+         return glz::get_view_json<"/x", options>(std::string_view{buf.data(), buf.data() + buf.size()}).has_value();
+      };
+      expect(not resolves(R"({"x":"abcdef)")); // no closing quote
+      expect(not resolves(R"({"x":"ab\)")); // trailing backslash at the end
+      expect(not resolves(R"({"x":"ab\u12)")); // truncated unicode escape
+      expect(resolves(R"({"x":"abc"})")); // complete string resolves
+   };
+
+   "nnt ndjson newline scan stays in bounds"_test = [] {
+      // Under null_terminated = false the record values use the end-bounded number parser and the
+      // inter-record newline scan is bounded too, so records with or without a trailing newline
+      // (and with '\r\n' line endings) stay inside the buffer.
+      static constexpr glz::opts options{.format = glz::NDJSON, .null_terminated = false};
+      const auto read_vec = [](std::string_view s) {
+         std::vector<char> buf{s.begin(), s.end()};
+         std::vector<int> value{};
+         const auto ec = glz::read<options>(value, std::string_view{buf.data(), buf.data() + buf.size()});
+         return std::pair{ec, value};
+      };
+      {
+         auto [ec, v] = read_vec("1");
+         expect(not ec);
+         expect(v == std::vector<int>{1});
+      }
+      {
+         auto [ec, v] = read_vec("1\n2\n");
+         expect(not ec);
+         expect(v == std::vector<int>{1, 2});
+      }
+      {
+         auto [ec, v] = read_vec("1\n2");
+         expect(not ec);
+         expect(v == std::vector<int>{1, 2});
+      }
+      {
+         auto [ec, v] = read_vec("1\r\n2\r\n");
+         expect(not ec);
+         expect(v == std::vector<int>{1, 2});
+      }
+   };
+};
+
 suite minified_custom_object = [] {
    using namespace ut;