From 171172b7a8a24104415f1d461da7a839dd9933a3 Mon Sep 17 00:00:00 2001
From: bwzhang
Date: Mon, 25 Mar 2024 10:47:11 +0800
Subject: [PATCH] fix CVE-2024-24786 encoding/protojson, internal/encoding/json: handle missing object values In internal/encoding/json, report an error when encountering a } when we are expecting an object field value. For example, the input now correctly results in an error at the closing } token. In encoding/protojson, check for an unexpected EOF token in skipJSONValue. This is redundant with the check in internal/encoding/json, but adds a bit more defense against any other similar bugs that might exist. Fixes CVE-2024-24786
Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
TryBot-Bypass: Damien Neil
Reviewed-by: Roland Shoemaker
Commit-Queue: Damien Neil
---
 .../protobuf/encoding/protojson/well_known_types.go | 4 ++++
 .../protobuf/internal/encoding/json/decode.go | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
index 72924a9..d3825ba 100644
--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
 if err := d.skipJSONValue(); err != nil {
 return err
 }
+ case json.EOF:
+ // This can only happen if there's a bug in Decoder.Read.
+ // Avoid an infinite loop if this does happen.
+ return errors.New("unexpected EOF")
 }
 }
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
index b13fd29..b2be4e8 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
 case ObjectClose:
 if len(d.openStack) == 0 ||
- d.lastToken.kind == comma ||
+ d.lastToken.kind&(Name|comma) != 0 ||
 d.openStack[len(d.openStack)-1] != ObjectOpen {
 return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
 }
-- 
2.20.1