Fix range check / buffer overflow in ExpressionHasher.Append(char, char) (#8998)

pethin · N-Olbert · web-flow · commit a3c664d37a8c · 2025-12-12T18:38:09.000+01:00
Co-authored-by: NOlbert &lt;45466413+N-Olbert@users.noreply.github.com&gt;
diff --git a/src/GreenDonut/src/GreenDonut.Data/Internal/ExpressionHasher.cs b/src/GreenDonut/src/GreenDonut.Data/Internal/ExpressionHasher.cs
@@ -29,6 +29,9 @@ public ExpressionHasher()
         _initialSize = _buffer.Length;
     }
 
+    internal int BufferSize => _buffer.Length;
+    internal int InitialBufferSize => _initialSize;
+
     public ExpressionHasher Add(Expression expression)
     {
         Visit(expression);
@@ -50,8 +53,7 @@ public ExpressionHasher Add<T>(SortDefinition<T> sortDefinition)
 
     public ExpressionHasher Add(char c)
     {
-        Append(c);
-        Append(';');
+        Append(c, ';');
         return this;
     }
 
@@ -211,12 +213,10 @@ private void Append(int i)
     {
         int written;
 
-        while (!Utf8Formatter.TryFormat(i, _buffer.AsSpan().Slice(_start), out written))
+        var span = _buffer.AsSpan().Slice(_start);
+        while (!Utf8Formatter.TryFormat(i, span, out written))
         {
-            var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);
-            _buffer.AsSpan().Slice(0, _start).CopyTo(newBuffer);
-            ArrayPool<byte>.Shared.Return(_buffer);
-            _buffer = newBuffer;
+            span = ExpandRollingBufferCapacity(_start);
         }
 
         _start += written;
@@ -262,23 +262,17 @@ private void Append(char s)
     {
         if (_start == _buffer.Length)
         {
-            var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);
-            _buffer.AsSpan().CopyTo(newBuffer);
-            ArrayPool<byte>.Shared.Return(_buffer);
-            _buffer = newBuffer;
+            ExpandBufferCapacity();
         }
 
         _buffer[_start++] = (byte)s;
     }
 
     private void Append(char a, char b)
     {
-        if (_start + 1 == _buffer.Length)
+        if (_start + 1 >= _buffer.Length)
         {
-            var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);
-            _buffer.AsSpan().CopyTo(newBuffer);
-            ArrayPool<byte>.Shared.Return(_buffer);
-            _buffer = newBuffer;
+            ExpandBufferCapacity();
         }
 
         _buffer[_start++] = (byte)a;
@@ -293,11 +287,7 @@ private void Append(string s)
 
         while (!Encoding.UTF8.TryGetBytes(chars, span, out written))
         {
-            var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);
-            _buffer.AsSpan().Slice(0, _start).CopyTo(newBuffer);
-            ArrayPool<byte>.Shared.Return(_buffer);
-            _buffer = newBuffer;
-            span = _buffer.AsSpan().Slice(_start);
+            span = ExpandRollingBufferCapacity(_start);
         }
 
         _start += written;
@@ -310,11 +300,7 @@ private void Append(ReadOnlySpan<char> s)
 
         while (!Encoding.UTF8.TryGetBytes(s, span, out written))
         {
-            var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);
-            _buffer.AsSpan().Slice(0, _start).CopyTo(newBuffer);
-            ArrayPool<byte>.Shared.Return(_buffer);
-            _buffer = newBuffer;
-            span = _buffer.AsSpan().Slice(_start);
+            span = ExpandRollingBufferCapacity(_start);
         }
 
         _start += written;
@@ -324,10 +310,7 @@ private void Append(byte b)
     {
         if (_start == _buffer.Length)
         {
-            var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);
-            _buffer.AsSpan().CopyTo(newBuffer);
-            ArrayPool<byte>.Shared.Return(_buffer);
-            _buffer = newBuffer;
+            ExpandBufferCapacity();
         }
 
         _buffer[_start++] = b;
@@ -339,13 +322,26 @@ private void Append(ReadOnlySpan<byte> span)
 
         while (!span.TryCopyTo(bufferSpan))
         {
-            var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);
-            _buffer.AsSpan().Slice(0, _start).CopyTo(newBuffer);
-            ArrayPool<byte>.Shared.Return(_buffer);
-            _buffer = newBuffer;
-            bufferSpan = _buffer.AsSpan().Slice(_start);
+            bufferSpan = ExpandRollingBufferCapacity(_start);
         }
 
         _start += span.Length;
     }
+
+    private void ExpandBufferCapacity()
+    {
+        var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);
+        _buffer.AsSpan().CopyTo(newBuffer);
+        ArrayPool<byte>.Shared.Return(_buffer);
+        _buffer = newBuffer;
+    }
+
+    private Span<byte> ExpandRollingBufferCapacity(int bufferIndex)
+    {
+        var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);
+        _buffer.AsSpan().Slice(0, bufferIndex).CopyTo(newBuffer);
+        ArrayPool<byte>.Shared.Return(_buffer);
+        _buffer = newBuffer;
+        return _buffer.AsSpan().Slice(bufferIndex);
+    }
 }
diff --git a/src/GreenDonut/test/GreenDonut.Data.Tests/Internal/ExpressionHasherTests.cs b/src/GreenDonut/test/GreenDonut.Data.Tests/Internal/ExpressionHasherTests.cs
@@ -97,6 +97,114 @@ public static void Simple_Predicate()
         Assert.Equal("76892c282824bfdfe59e135a298c926e", hash);
     }
 
+    [Fact]
+    public static void BufferResize_Add_Char()
+    {
+        // arrange
+        var hasher = new ExpressionHasher();
+        var initialBufferSize = hasher.InitialBufferSize;
+
+        // act
+        for (var i = 0; i < initialBufferSize / 2; i++)
+        {
+            hasher.Add('a');
+        }
+
+        Assert.Equal(initialBufferSize, hasher.BufferSize);
+        hasher.Add('b');
+
+        // assert
+        Assert.Equal(initialBufferSize * 2, hasher.BufferSize);
+    }
+
+    [Fact]
+    public static void BufferResize_Add_ReadOnlyCharSpan()
+    {
+        // arrange
+        var hasher = new ExpressionHasher();
+        var initialBufferSize = hasher.InitialBufferSize;
+
+        // act
+        hasher.Add(new string('a', initialBufferSize + 1));
+
+        // assert
+        Assert.Equal(initialBufferSize * 2, hasher.BufferSize);
+    }
+
+    [Fact]
+    public static void BufferResize_Add_ReadOnlyByteSpan()
+    {
+        // arrange
+        var hasher = new ExpressionHasher();
+        var initialBufferSize = hasher.InitialBufferSize;
+
+        // act
+        hasher.Add(Enumerable.Range(0, initialBufferSize + 1).Select(_ => (byte)1).ToArray());
+
+        // assert
+        Assert.Equal(initialBufferSize * 2, hasher.BufferSize);
+    }
+
+    [Fact]
+    public static void BufferResize_Add_Expression()
+    {
+        // arrange
+        var hasher = new ExpressionHasher();
+        var initialBufferSize = hasher.InitialBufferSize;
+        var expression = Expression.Lambda<Func<Entity1>>(Expression.Constant(new Entity1())); // translated to 8 bytes
+
+        // act
+        var length = 0;
+        while (length < initialBufferSize + 1)
+        {
+            hasher.Add(expression);
+            length += 8;
+        }
+
+        // assert
+        Assert.Equal(initialBufferSize * 2, hasher.BufferSize);
+    }
+
+    [Fact]
+    public static void BufferResize_Add_QueryContext()
+    {
+        // arrange
+        var hasher = new ExpressionHasher();
+        var initialBufferSize = hasher.InitialBufferSize;
+        var queryContext = new QueryContext<Entity1>(x => x); // translated to 32 bytes
+
+        // act
+        var length = 0;
+        while (length < initialBufferSize + 1)
+        {
+            hasher.Add(queryContext);
+            length += 32;
+        }
+
+        // assert
+        Assert.Equal(initialBufferSize * 2, hasher.BufferSize);
+    }
+
+    [Fact]
+    public static void BufferResize_Add_SortDefinition()
+    {
+        // arrange
+        var hasher = new ExpressionHasher();
+        var initialBufferSize = hasher.InitialBufferSize;
+        var sortDefinition = new SortDefinition<Entity1>().AddAscending(x => x.Name); // translated to 102 bytes
+
+        // act
+        var length = 0;
+        while (length < initialBufferSize + 1)
+        {
+            hasher.Add(sortDefinition);
+            length += 102;
+        }
+
+        // assert
+        Assert.Equal(initialBufferSize * 2, hasher.BufferSize);
+    }
+
     public class Entity1
     {
         public string Name { get; set; } = default!;

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,9 @@ public ExpressionHasher()`
`29`	`29`	`_initialSize = _buffer.Length;`
`30`	`30`	`}`
`31`	`31`
	`32`	`+ internal int BufferSize => _buffer.Length;`
	`33`	`+ internal int InitialBufferSize => _initialSize;`
	`34`	`+`
`32`	`35`	`public ExpressionHasher Add(Expression expression)`
`33`	`36`	`{`
`34`	`37`	`Visit(expression);`
`@@ -50,8 +53,7 @@ public ExpressionHasher Add<T>(SortDefinition<T> sortDefinition)`
`50`	`53`
`51`	`54`	`public ExpressionHasher Add(char c)`
`52`	`55`	`{`
`53`		`- Append(c);`
`54`		`- Append(';');`
	`56`	`+ Append(c, ';');`
`55`	`57`	`return this;`
`56`	`58`	`}`
`57`	`59`
`@@ -211,12 +213,10 @@ private void Append(int i)`
`211`	`213`	`{`
`212`	`214`	`int written;`
`213`	`215`
`214`		`- while (!Utf8Formatter.TryFormat(i, _buffer.AsSpan().Slice(_start), out written))`
	`216`	`+ var span = _buffer.AsSpan().Slice(_start);`
	`217`	`+ while (!Utf8Formatter.TryFormat(i, span, out written))`
`215`	`218`	`{`
`216`		`- var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);`
`217`		`- _buffer.AsSpan().Slice(0, _start).CopyTo(newBuffer);`
`218`		`- ArrayPool<byte>.Shared.Return(_buffer);`
`219`		`- _buffer = newBuffer;`
	`219`	`+ span = ExpandRollingBufferCapacity(_start);`
`220`	`220`	`}`
`221`	`221`
`222`	`222`	`_start += written;`
`@@ -262,23 +262,17 @@ private void Append(char s)`
`262`	`262`	`{`
`263`	`263`	`if (_start == _buffer.Length)`
`264`	`264`	`{`
`265`		`- var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);`
`266`		`- _buffer.AsSpan().CopyTo(newBuffer);`
`267`		`- ArrayPool<byte>.Shared.Return(_buffer);`
`268`		`- _buffer = newBuffer;`
	`265`	`+ ExpandBufferCapacity();`
`269`	`266`	`}`
`270`	`267`
`271`	`268`	`_buffer[_start++] = (byte)s;`
`272`	`269`	`}`
`273`	`270`
`274`	`271`	`private void Append(char a, char b)`
`275`	`272`	`{`
`276`		`- if (_start + 1 == _buffer.Length)`
	`273`	`+ if (_start + 1 >= _buffer.Length)`
`277`	`274`	`{`
`278`		`- var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);`
`279`		`- _buffer.AsSpan().CopyTo(newBuffer);`
`280`		`- ArrayPool<byte>.Shared.Return(_buffer);`
`281`		`- _buffer = newBuffer;`
	`275`	`+ ExpandBufferCapacity();`
`282`	`276`	`}`
`283`	`277`
`284`	`278`	`_buffer[_start++] = (byte)a;`
`@@ -293,11 +287,7 @@ private void Append(string s)`
`293`	`287`
`294`	`288`	`while (!Encoding.UTF8.TryGetBytes(chars, span, out written))`
`295`	`289`	`{`
`296`		`- var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);`
`297`		`- _buffer.AsSpan().Slice(0, _start).CopyTo(newBuffer);`
`298`		`- ArrayPool<byte>.Shared.Return(_buffer);`
`299`		`- _buffer = newBuffer;`
`300`		`- span = _buffer.AsSpan().Slice(_start);`
	`290`	`+ span = ExpandRollingBufferCapacity(_start);`
`301`	`291`	`}`
`302`	`292`
`303`	`293`	`_start += written;`
`@@ -310,11 +300,7 @@ private void Append(ReadOnlySpan<char> s)`
`310`	`300`
`311`	`301`	`while (!Encoding.UTF8.TryGetBytes(s, span, out written))`
`312`	`302`	`{`
`313`		`- var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);`
`314`		`- _buffer.AsSpan().Slice(0, _start).CopyTo(newBuffer);`
`315`		`- ArrayPool<byte>.Shared.Return(_buffer);`
`316`		`- _buffer = newBuffer;`
`317`		`- span = _buffer.AsSpan().Slice(_start);`
	`303`	`+ span = ExpandRollingBufferCapacity(_start);`
`318`	`304`	`}`
`319`	`305`
`320`	`306`	`_start += written;`
`@@ -324,10 +310,7 @@ private void Append(byte b)`
`324`	`310`	`{`
`325`	`311`	`if (_start == _buffer.Length)`
`326`	`312`	`{`
`327`		`- var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);`
`328`		`- _buffer.AsSpan().CopyTo(newBuffer);`
`329`		`- ArrayPool<byte>.Shared.Return(_buffer);`
`330`		`- _buffer = newBuffer;`
	`313`	`+ ExpandBufferCapacity();`
`331`	`314`	`}`
`332`	`315`
`333`	`316`	`_buffer[_start++] = b;`
`@@ -339,13 +322,26 @@ private void Append(ReadOnlySpan<byte> span)`
`339`	`322`
`340`	`323`	`while (!span.TryCopyTo(bufferSpan))`
`341`	`324`	`{`
`342`		`- var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);`
`343`		`- _buffer.AsSpan().Slice(0, _start).CopyTo(newBuffer);`
`344`		`- ArrayPool<byte>.Shared.Return(_buffer);`
`345`		`- _buffer = newBuffer;`
`346`		`- bufferSpan = _buffer.AsSpan().Slice(_start);`
	`325`	`+ bufferSpan = ExpandRollingBufferCapacity(_start);`
`347`	`326`	`}`
`348`	`327`
`349`	`328`	`_start += span.Length;`
`350`	`329`	`}`
	`330`	`+`
	`331`	`+ private void ExpandBufferCapacity()`
	`332`	`+ {`
	`333`	`+ var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);`
	`334`	`+ _buffer.AsSpan().CopyTo(newBuffer);`
	`335`	`+ ArrayPool<byte>.Shared.Return(_buffer);`
	`336`	`+ _buffer = newBuffer;`
	`337`	`+ }`
	`338`	`+`
	`339`	`+ private Span<byte> ExpandRollingBufferCapacity(int bufferIndex)`
	`340`	`+ {`
	`341`	`+ var newBuffer = ArrayPool<byte>.Shared.Rent(_buffer.Length * 2);`
	`342`	`+ _buffer.AsSpan().Slice(0, bufferIndex).CopyTo(newBuffer);`
	`343`	`+ ArrayPool<byte>.Shared.Return(_buffer);`
	`344`	`+ _buffer = newBuffer;`
	`345`	`+ return _buffer.AsSpan().Slice(bufferIndex);`
	`346`	`+ }`
`351`	`347`	`}`