Fix IsValidJsonNumber() to notice trailing non-alphanumeric garbage.

tglsfdc · tglsfdc · commit 1f2b195ebf1c · 2016-02-03T01:39:08.000-05:00
Commit e09996f was one brick shy of a load: it didn't insist that the detected JSON number be the whole of the supplied string. This allowed inputs such as "2016-01-01" to be misdetected as valid JSON numbers. Per bug #13906 from Dmitry Ryabov. In passing, be more wary of zero-length input (I'm not sure this can happen given current callers, but better safe than sorry), and do some minor cosmetic cleanup.
diff --git a/contrib/hstore/expected/hstore.out b/contrib/hstore/expected/hstore.out
@@ -1466,10 +1466,10 @@ select cast( hstore  '"a key" =>1, b => t, c => null, d=> 12345, e => 012345, f=
  {"b": "t", "c": null, "d": "12345", "e": "012345", "f": "1.234", "g": "2.345e+4", "a key": "1"}
 (1 row)
 
-select hstore_to_json_loose('"a key" =>1, b => t, c => null, d=> 12345, e => 012345, f=> 1.234, g=> 2.345e+4');
-                                   hstore_to_json_loose                                   
-------------------------------------------------------------------------------------------
- {"b": true, "c": null, "d": 12345, "e": "012345", "f": 1.234, "g": 2.345e+4, "a key": 1}
+select hstore_to_json_loose('"a key" =>1, b => t, c => null, d=> 12345, e => 012345, f=> 1.234, g=> 2.345e+4, h=> "2016-01-01"');
+                                            hstore_to_json_loose                                             
+-------------------------------------------------------------------------------------------------------------
+ {"b": true, "c": null, "d": 12345, "e": "012345", "f": 1.234, "g": 2.345e+4, "h": "2016-01-01", "a key": 1}
 (1 row)
 
 create table test_json_agg (f1 text, f2 hstore);
diff --git a/contrib/hstore/sql/hstore.sql b/contrib/hstore/sql/hstore.sql
@@ -334,7 +334,7 @@ select count(*) from testhstore where h = 'pos=>98, line=>371, node=>CBA, indexe
 -- json
 select hstore_to_json('"a key" =>1, b => t, c => null, d=> 12345, e => 012345, f=> 1.234, g=> 2.345e+4');
 select cast( hstore  '"a key" =>1, b => t, c => null, d=> 12345, e => 012345, f=> 1.234, g=> 2.345e+4' as json);
-select hstore_to_json_loose('"a key" =>1, b => t, c => null, d=> 12345, e => 012345, f=> 1.234, g=> 2.345e+4');
+select hstore_to_json_loose('"a key" =>1, b => t, c => null, d=> 12345, e => 012345, f=> 1.234, g=> 2.345e+4, h=> "2016-01-01"');
 
 create table test_json_agg (f1 text, f2 hstore);
 insert into test_json_agg values ('rec1','"a key" =>1, b => t, c => null, d=> 12345, e => 012345, f=> 1.234, g=> 2.345e+4'),
diff --git a/src/backend/utils/adt/json.c b/src/backend/utils/adt/json.c
@@ -63,7 +63,8 @@ typedef enum					/* type categories for datum_to_json */
 
 static inline void json_lex(JsonLexContext *lex);
 static inline void json_lex_string(JsonLexContext *lex);
-static inline void json_lex_number(JsonLexContext *lex, char *s, bool *num_err);
+static inline void json_lex_number(JsonLexContext *lex, char *s,
+				bool *num_err, int *total_len);
 static inline void parse_scalar(JsonLexContext *lex, JsonSemAction *sem);
 static void parse_object_field(JsonLexContext *lex, JsonSemAction *sem);
 static void parse_object(JsonLexContext *lex, JsonSemAction *sem);
@@ -166,13 +167,20 @@ lex_expect(JsonParseContext ctx, JsonLexContext *lex, JsonTokenType token)
 	 (c) == '_' || \
 	 IS_HIGHBIT_SET(c))
 
-/* utility function to check if a string is a valid JSON number */
-extern bool
+/*
+ * Utility function to check if a string is a valid JSON number.
+ *
+ * str is of length len, and need not be null-terminated.
+ */
+bool
 IsValidJsonNumber(const char *str, int len)
 {
 	bool		numeric_error;
+	int			total_len;
 	JsonLexContext dummy_lex;
 
+	if (len <= 0)
+		return false;
 
 	/*
 	 * json_lex_number expects a leading  '-' to have been eaten already.
@@ -191,9 +199,9 @@ IsValidJsonNumber(const char *str, int len)
 		dummy_lex.input_length = len;
 	}
 
-	json_lex_number(&dummy_lex, dummy_lex.input, &numeric_error);
+	json_lex_number(&dummy_lex, dummy_lex.input, &numeric_error, &total_len);
 
-	return !numeric_error;
+	return (!numeric_error) && (total_len == dummy_lex.input_length);
 }
 
 /*
@@ -610,7 +618,7 @@ json_lex(JsonLexContext *lex)
 				break;
 			case '-':
 				/* Negative number. */
-				json_lex_number(lex, s + 1, NULL);
+				json_lex_number(lex, s + 1, NULL, NULL);
 				lex->token_type = JSON_TOKEN_NUMBER;
 				break;
 			case '0':
@@ -624,7 +632,7 @@ json_lex(JsonLexContext *lex)
 			case '8':
 			case '9':
 				/* Positive number. */
-				json_lex_number(lex, s, NULL);
+				json_lex_number(lex, s, NULL, NULL);
 				lex->token_type = JSON_TOKEN_NUMBER;
 				break;
 			default:
@@ -919,7 +927,7 @@ json_lex_string(JsonLexContext *lex)
 	lex->token_terminator = s + 1;
 }
 
-/*-------------------------------------------------------------------------
+/*
  * The next token in the input stream is known to be a number; lex it.
  *
  * In JSON, a number consists of four parts:
@@ -940,29 +948,30 @@ json_lex_string(JsonLexContext *lex)
  *	   followed by at least one digit.)
  *
  * The 's' argument to this function points to the ostensible beginning
- * of part 2 - i.e. the character after any optional minus sign, and the
+ * of part 2 - i.e. the character after any optional minus sign, or the
  * first character of the string if there is none.
  *
- *-------------------------------------------------------------------------
+ * If num_err is not NULL, we return an error flag to *num_err rather than
+ * raising an error for a badly-formed number.  Also, if total_len is not NULL
+ * the distance from lex->input to the token end+1 is returned to *total_len.
  */
 static inline void
-json_lex_number(JsonLexContext *lex, char *s, bool *num_err)
+json_lex_number(JsonLexContext *lex, char *s,
+				bool *num_err, int *total_len)
 {
 	bool		error = false;
-	char	   *p;
-	int			len;
+	int			len = s - lex->input;
 
-	len = s - lex->input;
 	/* Part (1): leading sign indicator. */
 	/* Caller already did this for us; so do nothing. */
 
 	/* Part (2): parse main digit string. */
-	if (*s == '0')
+	if (len < lex->input_length && *s == '0')
 	{
 		s++;
 		len++;
 	}
-	else if (*s >= '1' && *s <= '9')
+	else if (len < lex->input_length && *s >= '1' && *s <= '9')
 	{
 		do
 		{
@@ -1017,18 +1026,23 @@ json_lex_number(JsonLexContext *lex, char *s, bool *num_err)
 	 * here should be considered part of the token for error-reporting
 	 * purposes.
 	 */
-	for (p = s; len < lex->input_length && JSON_ALPHANUMERIC_CHAR(*p); p++, len++)
+	for (; len < lex->input_length && JSON_ALPHANUMERIC_CHAR(*s); s++, len++)
 		error = true;
 
+	if (total_len != NULL)
+		*total_len = len;
+
 	if (num_err != NULL)
 	{
-		/* let the caller handle the error */
+		/* let the caller handle any error */
 		*num_err = error;
 	}
 	else
 	{
+		/* return token endpoint */
 		lex->prev_token_terminator = lex->token_terminator;
-		lex->token_terminator = p;
+		lex->token_terminator = s;
+		/* handle error if any */
 		if (error)
 			report_invalid_token(lex);
 	}
