msgpackr 1.11.7 → 1.11.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (19) hide show
  1. package/dist/index-no-eval.cjs +25 -6
  2. package/dist/index-no-eval.cjs.map +1 -1
  3. package/dist/index-no-eval.min.js +1 -1
  4. package/dist/index-no-eval.min.js.map +1 -1
  5. package/dist/index.js +25 -6
  6. package/dist/index.js.map +1 -1
  7. package/dist/index.min.js +1 -1
  8. package/dist/index.min.js.map +1 -1
  9. package/dist/node.cjs +25 -6
  10. package/dist/node.cjs.map +1 -1
  11. package/dist/test.js +34 -6
  12. package/dist/test.js.map +1 -1
  13. package/dist/unpack-no-eval.cjs +24 -5
  14. package/dist/unpack-no-eval.cjs.map +1 -1
  15. package/index.d.cts +2 -0
  16. package/index.d.ts +2 -0
  17. package/pack.js +1 -1
  18. package/package.json +1 -1
  19. package/unpack.js +24 -5
package/dist/index.js CHANGED
@@ -575,26 +575,45 @@
575
575
  } else if ((byte1 & 0xe0) === 0xc0) {
576
576
  // 2 bytes
577
577
  const byte2 = src[position$1++] & 0x3f;
578
- units.push(((byte1 & 0x1f) << 6) | byte2);
578
+ const codePoint = ((byte1 & 0x1f) << 6) | byte2;
579
+ // Reject overlong encoding: 2-byte sequences must encode values >= 0x80
580
+ if (codePoint < 0x80) {
581
+ units.push(0xFFFD); // replacement character
582
+ } else {
583
+ units.push(codePoint);
584
+ }
579
585
  } else if ((byte1 & 0xf0) === 0xe0) {
580
586
  // 3 bytes
581
587
  const byte2 = src[position$1++] & 0x3f;
582
588
  const byte3 = src[position$1++] & 0x3f;
583
- units.push(((byte1 & 0x1f) << 12) | (byte2 << 6) | byte3);
589
+ const codePoint = ((byte1 & 0x1f) << 12) | (byte2 << 6) | byte3;
590
+ // Reject overlong encoding: 3-byte sequences must encode values >= 0x800
591
+ // Also reject surrogates (0xD800-0xDFFF)
592
+ if (codePoint < 0x800 || (codePoint >= 0xD800 && codePoint <= 0xDFFF)) {
593
+ units.push(0xFFFD); // replacement character
594
+ } else {
595
+ units.push(codePoint);
596
+ }
584
597
  } else if ((byte1 & 0xf8) === 0xf0) {
585
598
  // 4 bytes
586
599
  const byte2 = src[position$1++] & 0x3f;
587
600
  const byte3 = src[position$1++] & 0x3f;
588
601
  const byte4 = src[position$1++] & 0x3f;
589
602
  let unit = ((byte1 & 0x07) << 0x12) | (byte2 << 0x0c) | (byte3 << 0x06) | byte4;
590
- if (unit > 0xffff) {
603
+ // Reject overlong encoding: 4-byte sequences must encode values >= 0x10000
604
+ // Also reject values > 0x10FFFF (maximum valid Unicode)
605
+ if (unit < 0x10000 || unit > 0x10FFFF) {
606
+ units.push(0xFFFD); // replacement character
607
+ } else if (unit > 0xffff) {
591
608
  unit -= 0x10000;
592
609
  units.push(((unit >>> 10) & 0x3ff) | 0xd800);
593
610
  unit = 0xdc00 | (unit & 0x3ff);
611
+ units.push(unit);
612
+ } else {
613
+ units.push(unit);
594
614
  }
595
- units.push(unit);
596
615
  } else {
597
- units.push(byte1);
616
+ units.push(0xFFFD); // replacement character for invalid lead byte
598
617
  }
599
618
 
600
619
  if (units.length >= 0x1000) {
@@ -1276,7 +1295,7 @@
1276
1295
  hasSharedUpdate = false;
1277
1296
  let encodingError;
1278
1297
  try {
1279
- if (packr.randomAccessStructure && value && value.constructor) {
1298
+ if (packr.randomAccessStructure && value && typeof value === 'object') {
1280
1299
  if (value.constructor === Object) writeStruct(value); // simple object
1281
1300
  else if (value.constructor !== Map && !Array.isArray(value) && !extensionClasses.some(extClass => value instanceof extClass)) {
1282
1301
  // allow user classes, if they don't need special handling (but do use toJSON if available)