Fix JSON parsing of escaped strings (#7545)

To find the end of a string, we must be more careful of escaping - we assumed
any \" was an escaped double-quote, but it might be part of \\", that is, where
there is an escaped \ before us, and the double-quote is not escaped itself.

Author: kripken

scripts/test/fuzzing.py

@@ -128,6 +128,9 @@
     'type-refining-gufa-exact.wast',
     # TODO: fuzzer support for custom descriptors
     'custom-descriptors.wast',
+    # TODO: fix split_wast() on tricky escaping situations like a string ending
+    #       in \\" (the " is not escaped - there is an escaped \ before it)
+    'string-lifting-section.wast',
 ]
 
 

src/support/json.h

@@ -282,14 +282,20 @@ struct Value {
     skip();
     if (*curr == '"') {
       // String
-      // Start |close| at the opening ", and in the loop below we will always
+      // Start |close| after the opening ", and in the loop below we will always
       // begin looking at the first character after.
-      char* close = curr;
-      // Skip escaped "
-      do {
-        close = strchr(close + 1, '"');
-      } while (*(close - 1) == '\\');
-      THROW_IF(!close, "malformed JSON string");
+      char* close = curr + 1;
+      // Skip escaped ", which appears as \". We need to be careful though, as
+      // \" might also be \\" which would be an escaped \ and an *un*escaped ".
+      while (*close && *close != '"') {
+        if (*close == '\\') {
+          // Skip the \ and the character after it, which it escapes.
+          close++;
+          THROW_IF(!*close, "unexpected end of JSON string (quoting)");
+        }
+        close++;
+      }
+      THROW_IF(!close, "unexpected end of JSON string");
       *close = 0; // end this string, and reuse it straight from the input
       char* raw = curr + 1;
       if (stringEncoding == ASCII) {

test/lit/passes/string-lifting-section.wast

@@ -2,7 +2,7 @@
 
 ;; Lower first to generate the string.consts custom section, then lift it back.
 
-;; RUN: foreach %s %t wasm-opt -all --string-lowering --string-lifting -S -o - | filecheck %s
+;; RUN: wasm-opt %s -all --string-lowering --string-lifting -S -o - | filecheck %s
 
 (module
   ;; CHECK:      (type $0 (array (mut i16)))
@@ -37,6 +37,8 @@
 
   ;; CHECK:      (import "string.const" "5" (global $"string.const_\"unpaired low surrogate \\ed\\bd\\88 \"" (ref extern)))
 
+  ;; CHECK:      (import "string.const" "6" (global $"string.const_\"z\\\\\"" (ref extern)))
+
   ;; CHECK:      (import "wasm:js-string" "fromCharCodeArray" (func $fromCharCodeArray (type $3) (param (ref null $0) i32 i32) (result (ref extern))))
 
   ;; CHECK:      (import "wasm:js-string" "fromCodePoint" (func $fromCodePoint (type $4) (param i32) (result (ref extern))))
@@ -94,6 +96,9 @@
   ;; CHECK-NEXT:  (drop
   ;; CHECK-NEXT:   (string.const "unpaired low surrogate \ed\bd\88 ")
   ;; CHECK-NEXT:  )
+  ;; CHECK-NEXT:  (drop
+  ;; CHECK-NEXT:   (string.const "z\\")
+  ;; CHECK-NEXT:  )
   ;; CHECK-NEXT: )
   (func $tricky-consts
     ;; These tricky strings should remain exactly the same after lowering and
@@ -110,6 +115,10 @@
     (drop
       (string.const "unpaired low surrogate \ED\BD\88 ")
     )
+    ;; A string with \", but the " is not escaped, as the \ is part of \\.
+    (drop
+      (string.const "z\\")
+    )
   )
 )