Backport fix v2.0 -> v1.5 sanitize NaN/Infinity time

Decode CBOR NaN and Infinity time values to Go zero time. Also show reminder in doc.go that v2 is available and provide link. Closed: #141
2020-02-07 13:58:06 -06:00
4 changed files with 54 additions and 18 deletions
--- a/cache.go
+++ b/cache.go
@ -1,24 +1,6 @@
 // Copyright (c) Faye Amacker. All rights reserved.
 // Licensed under the MIT License. See LICENSE in the project root for license information.

-/*
-Package cbor provides a fuzz-tested CBOR encoder and decoder with full support
-for float16, Canonical CBOR, CTAP2 Canonical CBOR, and custom settings.
-
-Encoding options allow "preferred serialization" by encoding integers and floats
-to their smallest forms (like float16) when values fit.
-
-Go struct tags like `cbor:"name,omitempty"` and `json:"name,omitempty"` work as expected.
-If both struct tags are specified then `cbor` is used.
-
-Struct tags like "keyasint", "toarray", and "omitempty" make it easy to use
-very compact formats like COSE and CWT (CBOR Web Tokens) with structs.
-
-For example, the "toarray" struct tag encodes/decodes struct fields as array elements.
-And "keyasint" struct tag encodes/decodes struct fields to values of maps with specified int keys.
-
-fxamacker/cbor-fuzz provides coverage-guided fuzzing for this package.
-*/
 package cbor

 import (
--- a/decode.go
+++ b/decode.go
@ -951,6 +951,10 @@ func fillFloat(t cborType, val float64, v reflect.Value) error {
 		return nil
 	}
 	if v.Type() == typeTime {
+		if math.IsNaN(val) || math.IsInf(val, 0) {
+			v.Set(reflect.ValueOf(time.Time{}))
+			return nil
+		}
 		f1, f2 := math.Modf(val)
 		tm := time.Unix(int64(f1), int64(f2*1e9))
 		v.Set(reflect.ValueOf(tm))
--- a/decode_test.go
+++ b/decode_test.go
@ -1581,6 +1581,24 @@ func TestDecodeTime(t *testing.T) {
 			cborUnixTime:    hexDecode("f6"),
 			wantTime:        time.Time{},
 		},
+		{
+			name:            "NaN",
+			cborRFC3339Time: hexDecode("f97e00"),
+			cborUnixTime:    hexDecode("f97e00"),
+			wantTime:        time.Time{},
+		},
+		{
+			name:            "positive infinity",
+			cborRFC3339Time: hexDecode("f97c00"),
+			cborUnixTime:    hexDecode("f97c00"),
+			wantTime:        time.Time{},
+		},
+		{
+			name:            "negative infinity",
+			cborRFC3339Time: hexDecode("f9fc00"),
+			cborUnixTime:    hexDecode("f9fc00"),
+			wantTime:        time.Time{},
+		},
 		{
 			name:            "time without fractional seconds", // positive integer
 			cborRFC3339Time: hexDecode("74323031332d30332d32315432303a30343a30305a"),
--- a/doc.go
+++ b/doc.go
@ -0,0 +1,32 @@
+// Copyright (c) Faye Amacker. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+/*
+Package cbor provides a fuzz-tested CBOR encoder and decoder with full support
+for float16, Canonical CBOR, CTAP2 Canonical CBOR, and custom settings.
+
+THIS VERSION IS OUTDATED
+
+V2 IS AVAILABLE
+
+https://github.com/fxamacker/cbor/releases
+
+Basics
+
+Encoding options allow "preferred serialization" by encoding integers and floats
+to their smallest forms (like float16) when values fit.
+
+Go struct tags like `cbor:"name,omitempty"` and `json:"name,omitempty"` work as expected.
+If both struct tags are specified then `cbor` is used.
+
+Struct tags like "keyasint", "toarray", and "omitempty" make it easy to use
+very compact formats like COSE and CWT (CBOR Web Tokens) with structs.
+
+For example, the "toarray" struct tag encodes/decodes struct fields as array elements.
+And "keyasint" struct tag encodes/decodes struct fields to values of maps with specified int keys.
+
+fxamacker/cbor-fuzz provides coverage-guided fuzzing for this package.
+
+For latest API docs, see: https://github.com/fxamacker/cbor#api
+*/
+package cbor