Skip to content

Commit

Permalink
folly: utf8ToCodePoint: enforce max valid code point is U+10FFFF - re…
Browse files Browse the repository at this point in the history
…turn U+FFFD / throw for well-formed UTF-8 encoded values that are larger than the max code point

Summary:
UTF-8 can encode large numbers, but Unicode code points are only defined up to `U+10FFFF`.

For example:
- the 4B UTF-8 encoding `"\xF6\x8D\x9B\ xBC"` (bits: `11110110 10001101 10011011 10111100`) is a valid UTF-8 encoding
- but the encoded value is `U+18D6 (https://github.com/facebook/folly/commit/d40182262d41679cab28f6be7366cc5ff901683b)FC` which is larger than `U+10FFFF`

With `opts.skip_invalid_utf8 = true;` `json::serialize` should have returned `"\ufffd"` since it the input is invalid, but due to a bug in `utf8ToCodePoint` it returned the incorrect `"\"\xF6\x8D\x9B\xBC\""`.

Update `utf8ToCodePoint` to also reject 4 byte UTF-8 encoded values larger than the max Unicode code point (`U+10FFFF`).

Reviewed By: luciang

Differential Revision: D25275722

fbshipit-source-id: e7daeea834a0c5323923a5451a2565ceff5e4734
  • Loading branch information
Xiayi Sun authored and facebook-github-bot committed Dec 4, 2020
1 parent 67f20f2 commit ae03ef8
Show file tree
Hide file tree
Showing 3 changed files with 55 additions and 12 deletions.
55 changes: 43 additions & 12 deletions folly/Unicode.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -53,15 +53,30 @@ char32_t utf8ToCodePoint(
const unsigned char*& p,
const unsigned char* const e,
bool skipOnError) {
/* The following encodings are valid, except for the 5 and 6 byte
* combinations:
* 0xxxxxxx
* 110xxxxx 10xxxxxx
* 1110xxxx 10xxxxxx 10xxxxxx
* 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
* 111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
* 1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
*/
// clang-format off
/** UTF encodings
* | # of B | First CP | Last CP | Bit Pattern
* | 1 | 0x0000 | 0x007F | 0xxxxxxx
* | 2 | 0x0080 | 0x07FF | 110xxxxx 10xxxxxx
* | 3 | 0x0800 | 0xFFFF | 1110xxxx 10xxxxxx 10xxxxxx
* | 4 | 0x10000 | 0x10FFFF | 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
* | 5 | - | - | 111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
* | 6 | - | - | 1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx
*
*
* NOTE:
* - the 4B encoding can encode values up to 0x1FFFFF,
* but Unicode defines 0x10FFFF to be the largest code point
* - the 5B & 6B encodings will all encode values larger than 0x1FFFFF
* (so larger than the largest code point value 0x10FFFF) so they form invalid
* unicode code points
*
* On invalid input (invalid encoding or code points larger than 0x10FFFF):
* - When skipOnError is true, this function will skip the first byte and return
* U'\ufffd'. Potential optimization: skip the whole invalid range.
* - When skipOnError is false, throws.
*/
// clang-format on

const auto skip = [&] {
++p;
Expand All @@ -77,7 +92,7 @@ char32_t utf8ToCodePoint(

unsigned char fst = *p;
if (!(fst & 0x80)) {
// trivial case
// trivial case, 1 byte encoding
return *p++;
}

Expand All @@ -91,6 +106,7 @@ char32_t utf8ToCodePoint(
// upper control bits are masked out later
uint32_t d = fst;

// multi-byte encoded values must start with bits 0b11. 0xC0 is 0b11000000
if ((fst & 0xC0) != 0xC0) {
if (skipOnError) {
return skip();
Expand All @@ -104,6 +120,7 @@ char32_t utf8ToCodePoint(
for (unsigned int i = 1; i != 4 && p + i < e; ++i) {
const unsigned char tmp = p[i];

// from the second byte on, format should be 10xxxxxx
if ((tmp & 0xC0) != 0x80) {
if (skipOnError) {
return skip();
Expand All @@ -112,11 +129,15 @@ char32_t utf8ToCodePoint(
"folly::utf8ToCodePoint i=", i, " tmp=", (uint32_t)tmp));
}

// gradually fill a 32 bit integer d with non control bits in tmp
// 0x3F is 0b00111111 which clears out the first 2 control bits
d = (d << 6) | (tmp & 0x3F);
fst <<= 1;

if (!(fst & 0x80)) {
d &= bitMask[i];
// We know the length of encoding now, since we encounter the first "0" in
// fst (the first byte). This branch processes the last byte of encoding.
d &= bitMask[i]; // d is now the code point

// overlong, could have been encoded with i bytes
if ((d & ~bitMask[i - 1]) == 0) {
Expand All @@ -129,7 +150,7 @@ char32_t utf8ToCodePoint(

// check for surrogates only needed for 3 bytes
if (i == 2) {
if ((d >= 0xD800 && d <= 0xDFFF) || d > 0x10FFFF) {
if (d >= 0xD800 && d <= 0xDFFF) {
if (skipOnError) {
return skip();
}
Expand All @@ -138,6 +159,16 @@ char32_t utf8ToCodePoint(
}
}

// While UTF-8 encoding can encode arbitrary numbers, 0x10FFFF is the
// largest defined Unicode code point.
// Only >=4 bytes can UTF-8 encode such values, so i=3 here.
if (d > 0x10FFFF) {
if (skipOnError) {
return skip();
}
throw std::runtime_error(
"folly::utf8ToCodePoint encoding exceeds max unicode code point");
}
p += i + 1;
return d;
}
Expand Down
8 changes: 8 additions & 0 deletions folly/test/JsonTest.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -573,6 +573,8 @@ TEST(Json, UTF8Validation) {
// test validate_utf8 with invalid utf8
EXPECT_ANY_THROW(folly::json::serialize("a\xe0\xa0\x80z\xc0\x80", opts));
EXPECT_ANY_THROW(folly::json::serialize("a\xe0\xa0\x80z\xe0\x80\x80", opts));
// not a valid unicode because it is larger than the max 0x10FFFF code-point
EXPECT_ANY_THROW(folly::json::serialize("\xF6\x8D\x9B\xBC", opts));

opts.skip_invalid_utf8 = true;
EXPECT_EQ(
Expand All @@ -584,6 +586,12 @@ TEST(Json, UTF8Validation) {
EXPECT_EQ(
folly::json::serialize("z\xc0\x80z\xe0\xa0\x80", opts),
u8"\"z\ufffd\ufffdz\xe0\xa0\x80\"");
EXPECT_EQ(
folly::json::serialize("\xF6\x8D\x9B\xBC", opts),
u8"\"\ufffd\ufffd\ufffd\ufffd\"");
EXPECT_EQ(
folly::json::serialize("invalid\xF6\x8D\x9B\xBCinbetween", opts),
u8"\"invalid\ufffd\ufffd\ufffd\ufffdinbetween\"");

opts.encode_non_ascii = true;
EXPECT_EQ(
Expand Down
4 changes: 4 additions & 0 deletions folly/test/UnicodeTest.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,10 @@ void testInvalid(std::initializer_list<unsigned char> data) {
}
}

TEST(InvalidUtf8ToCodePoint, UnicodeOutOfRangeTest) {
testInvalid({0xF4, 0x90, 0x80, 0x80}); // u8"\U0010FFFF" + 1
}

TEST(InvalidUtf8ToCodePoint, rfc3629Overlong) {
// https://tools.ietf.org/html/rfc3629
// Implementations of the decoding algorithm above MUST protect against
Expand Down

0 comments on commit ae03ef8

Please sign in to comment.