From 524b0d07f25e4825adc063057b1061003603b24a Mon Sep 17 00:00:00 2001
From: alhudz
Date: Mon, 1 Jun 2026 18:22:34 +0530
Subject: [PATCH 1/2] fix off-by-one over-read in match_string2 unicode escape parsing
---
 contrib/epee/src/parserse_base_utils.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/epee/src/parserse_base_utils.cpp b/contrib/epee/src/parserse_base_utils.cpp
index e154a75f8..923dde424 100644
--- a/contrib/epee/src/parserse_base_utils.cpp
+++ b/contrib/epee/src/parserse_base_utils.cpp
@@ -129,7 +129,7 @@ namespace misc_utils
 case '/': //Slash character
 val.push_back('/');break;
 case 'u': //Unicode code point
- if (buf_end - it < 4)
+ if (buf_end - it < 5)
 {
 ASSERT_MES_AND_THROW("Invalid Unicode escape sequence");
 }
From d42de7580d5472b66194db7f4fbc2f8f652d067a Mon Sep 17 00:00:00 2001
From: alhudz
Date: Tue, 2 Jun 2026 11:42:16 +0530
Subject: [PATCH 2/2] tests: cover truncated \u escape at end of buffer in match_string2
---
 tests/unit_tests/epee_utils.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/tests/unit_tests/epee_utils.cpp b/tests/unit_tests/epee_utils.cpp
index bc0c1a687..36a9ccdcc 100644
--- a/tests/unit_tests/epee_utils.cpp
+++ b/tests/unit_tests/epee_utils.cpp
@@ -1856,6 +1856,16 @@ TEST(parsing, unicode)
 si = s.begin();
 EXPECT_THROW(epee::misc_utils::parse::match_string2(si, s.end(), bs), std::runtime_error);
+ // truncated \u escape with buf_end right after the hex digits must throw,
+ // not read past buf_end (the closing quote is absent here on purpose)
+ s = "\"\\u123";
+ si = s.begin();
+ EXPECT_THROW(epee::misc_utils::parse::match_string2(si, s.end(), bs), std::runtime_error);
+
+ s = "\"\\u";
+ si = s.begin();
+ EXPECT_THROW(epee::misc_utils::parse::match_string2(si, s.end(), bs), std::runtime_error);
+
+ s = "\"\\u1234\"";
 si = s.begin();
 epee::misc_utils::parse::match_string2(si, s.end(), bs);
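Review bot: The new bound in `if (buf_end - it < 5)` is a bare number with nothing tying it to what the decoder reads, and the off-by-one being fixed here shows how easily that count drifts. Since this guard is the only visible check keeping a truncated escape inside the buffer, a comment above it would help, for example `// it is on 'u'; the four hex digits at it+1..it+4 must all lie before buf_end`. The digit-reading code for this `case 'u'` lies outside the hunk, so confirm the wording against it before committing the comment.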
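Review bot: Both new cases pass `s.end()` of a `std::string` as `buf_end`, so the byte sitting at `buf_end` is the string's terminating NUL. The pre-fix code would most likely read that NUL, reject it as a non-hex digit and throw the same `std::runtime_error`, so these expectations probably pass without the fix unless the suite runs under a sanitizer or checked iterators. A case whose end iterator stops just before a valid hex digit would pin the bound itself: `s = "\"\\u1234\""; si = s.begin(); EXPECT_THROW(epee::misc_utils::parse::match_string2(si, s.begin() + 6, bs), std::runtime_error);`. The decoder loop is not part of this diff, so check that this case fails on the old bound before relying on it; the `TEST(parsing, unicode)` body starts and ends outside the hunk.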