From e8d949c7943cbc49bc7e5411b9ed169b422b8472 Mon Sep 17 00:00:00 2001
From: Shauren
Date: Wed, 13 Nov 2024 00:24:39 +0100
Subject: Core/JSON: Prevent out of bounds memory accesses in json deserialization
---
 src/server/shared/JSON/ProtobufJSON.cpp | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
(limited to 'src/server/shared/JSON/ProtobufJSON.cpp')
diff --git a/src/server/shared/JSON/ProtobufJSON.cpp b/src/server/shared/JSON/ProtobufJSON.cpp
index a0fe9b3a68f..1949f067eb9 100644
--- a/src/server/shared/JSON/ProtobufJSON.cpp
+++ b/src/server/shared/JSON/ProtobufJSON.cpp
@@ -20,9 +20,8 @@
 #include "Log.h"
 #include "StringFormat.h"
 #include
-#include
 #include
-#include
+#include
 #include
 class Serializer
@@ -188,7 +187,7 @@ class Deserializer : public rapidjson::BaseReaderHandler, Dese
 public:
 bool ReadMessage(std::string const& json, google::protobuf::Message* message);
- bool Key(const Ch* str, rapidjson::SizeType length, bool copy);
+ bool Key(Ch const* str, rapidjson::SizeType length, bool copy);
 bool Null();
 bool Bool(bool b);
 bool Int(int32 i);
@@ -196,7 +195,7 @@ public:
 bool Int64(int64 i);
 bool Uint64(uint64 i);
 bool Double(double d);
- bool String(const Ch* str, rapidjson::SizeType length, bool copy);
+ bool String(Ch const* str, rapidjson::SizeType length, bool copy);
 bool StartObject();
 bool EndObject(rapidjson::SizeType memberCount);
 bool StartArray();
@@ -215,18 +214,19 @@ private:
 bool Deserializer::ReadMessage(std::string const& json, google::protobuf::Message* message)
 {
- rapidjson::StringStream ss(json.c_str());
+ rapidjson::MemoryStream ms(json.data(), json.length());
+ rapidjson::EncodedInputStream, rapidjson::MemoryStream> is(ms);
 _objectState.push(message);
- rapidjson::ParseResult result = _reader.Parse(ss, *this);
+ rapidjson::ParseResult result = _reader.Parse(is, *this);
 ASSERT(result.IsError() || (_objectState.empty() && _state.empty()));
 return !result.IsError() && _errors.empty();
 }
-bool Deserializer::Key(const Ch* str, rapidjson::SizeType /*length*/, bool /*copy*/)
+bool Deserializer::Key(Ch const* str, rapidjson::SizeType /*length*/, bool /*copy*/)
 {
 google::protobuf::FieldDescriptor const* field = _objectState.top()->GetDescriptor()->FindFieldByName(str);
 if (!field)
@@ -338,7 +338,7 @@ bool Deserializer::Double(double d)
 return true;
 }
-bool Deserializer::String(const Ch* str, rapidjson::SizeType /*length*/, bool /*copy*/)
+bool Deserializer::String(Ch const* str, rapidjson::SizeType /*length*/, bool /*copy*/)
 {
 google::protobuf::FieldDescriptor const* field = _state.top();
 google::protobuf::Message* message = _objectState.top();
-- cgit v1.2.3
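Review bot: `Key`, at the end of the `@@ -215,18 +214,19 @@` hunk, still discards `length` and hands the raw pointer to `FindFieldByName(str)`, so the field lookup depends on the buffer's terminator rather than on the size the parser reports, even though `ReadMessage` now bounds the input stream by `json.length()`. rapidjson appears to terminate the strings it passes to handlers, so this is more likely truncation at an embedded NUL than an over-read, but using the reported size removes the assumption: name the parameter and call `FindFieldByName(std::string(str, length))`. `String` in the `@@ -338,7 +338,7 @@` hunk drops `length` the same way (its use of `str` lies outside the hunk), and its first line calls `_state.top()` with no emptiness check in view, so it is worth confirming that a value arriving before any key cannot reach it. `Key`'s body continues past the end of its hunk.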