Hello community, here is the log from the commit of package perl-Cpanel-JSON-XS for openSUSE:Factory checked in at 2016-11-28 15:08:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/perl-Cpanel-JSON-XS (Old) and /work/SRC/openSUSE:Factory/.perl-Cpanel-JSON-XS.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "perl-Cpanel-JSON-XS" Changes: -------- Files /work/SRC/openSUSE:Factory/perl-Cpanel-JSON-XS/perl-Cpanel-JSON-XS.changes and /work/SRC/openSUSE:Factory/.perl-Cpanel-JSON-XS.new/perl-Cpanel-JSON-XS.changes differ Old: ---- Cpanel-JSON-XS-3.0223.tar.gz New: ---- Cpanel-JSON-XS-3.0225.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ perl-Cpanel-JSON-XS.spec ++++++ --- /var/tmp/diff_new_pack.MJaLSK/_old 2016-11-28 15:08:26.000000000 +0100 +++ /var/tmp/diff_new_pack.MJaLSK/_new 2016-11-28 15:08:26.000000000 +0100 @@ -17,7 +17,7 @@ Name: perl-Cpanel-JSON-XS -Version: 3.0223 +Version: 3.0225 Release: 0 %define cpan_name Cpanel-JSON-XS Summary: Cpanel Fork of Json::Xs, Fast and Correct Serializing ++++++ Cpanel-JSON-XS-3.0223.tar.gz -> Cpanel-JSON-XS-3.0225.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cpanel-JSON-XS-3.0223/Changes new/Cpanel-JSON-XS-3.0225/Changes --- old/Cpanel-JSON-XS-3.0223/Changes 2016-11-16 12:43:56.000000000 +0100 +++ new/Cpanel-JSON-XS-3.0225/Changes 2016-11-23 19:30:10.000000000 +0100 @@ -2,6 +2,17 @@ TODO: http://stevehanov.ca/blog/index.php?id=104 compression +3.0225 2016-11-23 (rurban) + - decode utf8 security fixes for perl 5.6. + added extra detection code for overflows and non-continuations. + This broke one 5.6 test with an overlong multi-byte character, + which previously worked accidently. + i.e. decode "\ud801\udc02\x{10204}" + - Added tests for ill-formed utf8 sequences from Encode. + +3.0224 2016-11-20 (rurban) + - fixes for g++-6, stricter -fpermissive and -Wc++11-compat + 3.0223 2016-11-16 (rurban) - fixed decode bignum with a string prefix. #76, patch by GilmarSantosJr. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cpanel-JSON-XS-3.0223/META.json new/Cpanel-JSON-XS-3.0225/META.json --- old/Cpanel-JSON-XS-3.0223/META.json 2016-11-16 12:46:04.000000000 +0100 +++ new/Cpanel-JSON-XS-3.0225/META.json 2016-11-23 19:37:26.000000000 +0100 @@ -49,6 +49,6 @@ "url" : "https://github.com/rurban/Cpanel-JSON-XS" } }, - "version" : "3.0223", + "version" : "3.0225", "x_serialization_backend" : "JSON::PP version 2.27400" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cpanel-JSON-XS-3.0223/META.yml new/Cpanel-JSON-XS-3.0225/META.yml --- old/Cpanel-JSON-XS-3.0223/META.yml 2016-11-16 12:46:04.000000000 +0100 +++ new/Cpanel-JSON-XS-3.0225/META.yml 2016-11-23 19:37:26.000000000 +0100 @@ -24,5 +24,5 @@ homepage: http://software.schmorp.de/pkg/JSON-XS.html license: http://dev.perl.org/licenses/ repository: https://github.com/rurban/Cpanel-JSON-XS -version: '3.0223' +version: '3.0225' x_serialization_backend: 'CPAN::Meta::YAML version 0.018' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cpanel-JSON-XS-3.0223/SIGNATURE new/Cpanel-JSON-XS-3.0225/SIGNATURE --- old/Cpanel-JSON-XS-3.0223/SIGNATURE 2016-11-16 12:46:07.000000000 +0100 +++ new/Cpanel-JSON-XS-3.0225/SIGNATURE 2016-11-23 19:37:28.000000000 +0100 @@ -16,20 +16,20 @@ SHA1 7473e2b9cd191810a0531dcd0bed55a153acc497 .travis.yml SHA1 9a56f3b919dfc8fced3803e165a2e38de62646e5 COPYING -SHA1 830d4c2ddef2fdf46ede88ef9604db5bab1117d3 Changes +SHA1 0eca63583004e23c85152568093cffc27d32fc6a Changes SHA1 7ebf5876b2d33d6ddcfd69e2541394c63537fcfd MANIFEST -SHA1 3ce749fd92c1dafc7ac8deb3562eb6cc750ff3de META.json -SHA1 fc6d87e54d5aed44f254dab692c6724703fe85f6 META.yml +SHA1 c3b7f25a966e88510f9724acb1947d57175c2331 META.json +SHA1 df66f431b2870bd559872ce6dbb12081fd50a1d7 META.yml SHA1 326673d83f68b486d22267c540f457f55cd91c76 Makefile.PL SHA1 c14d9febccd6bdcb718cae6a307b9c7a0cb4dfea README -SHA1 ac7157cf78b897be42912331f938a855168a84b0 XS.pm -SHA1 b327d89b15797321e33cb74d7db64eeb44931099 XS.xs +SHA1 533e03d4469a48de286155ecd1dab2fe5dde0d77 XS.pm +SHA1 72a97b626375f9dc02a022d5687bb2d7de238880 XS.xs SHA1 27b0bc7e0cd6fe90876fb3d285065c6a07cca028 XS/Boolean.pm SHA1 9e4b04d1af085e6959aaed51734475d350136392 bin/cpanel_json_xs SHA1 ea72bbe602baaabdd0004ef1d7e7cc3334b42bb4 eg/bench SHA1 4adab19c45378f079298d6d0b9f90a57f55bafe7 ppport.h SHA1 f7101031fd3fde35fe2421a07ab6cee8a822c00c t/00_load.t -SHA1 378ac291e67b37edef69c4e82b015d269f9120b0 t/01_utf8.t +SHA1 2e04c54c8e6bf0d8090bcbc17487238a98f5e0aa t/01_utf8.t SHA1 9cf542e0bf68c90749420c7d07d7be80e1860592 t/02_error.t SHA1 1dbcee8e27652d901af1c7f03a06a081e3b69092 t/03_types.t SHA1 d876bdffc381f4f67ec90f9c331e3ec2138946e2 t/04_dwiw_encode.t @@ -430,7 +430,7 @@ SHA1 e93c9b53438be114c25aa426742e24f4343057a7 typemap -----BEGIN PGP SIGNATURE----- -iEUEARECAAYFAlgsRvwACgkQmm2SYo/9yULocQCY0AZYfrAA57Ijuy1FFt2oCcL6 -dQCgg//DLqhS65kL8WMVhVgY8eSPEp8= -=XY1P +iEUEARECAAYFAlg14eYACgkQmm2SYo/9yUIi3QCYieGKtBzH0GSR0h4OXSSP1c3s ++ACeOJJKpuCzdkrscHxFj9eBs7Pyg/8= +=v46H -----END PGP SIGNATURE----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cpanel-JSON-XS-3.0223/XS.pm new/Cpanel-JSON-XS-3.0225/XS.pm --- old/Cpanel-JSON-XS-3.0223/XS.pm 2016-11-16 12:43:56.000000000 +0100 +++ new/Cpanel-JSON-XS-3.0225/XS.pm 2016-11-23 19:25:00.000000000 +0100 @@ -1,5 +1,5 @@ package Cpanel::JSON::XS; -our $VERSION = '3.0223'; +our $VERSION = '3.0225'; our $XS_VERSION = $VERSION; $VERSION = eval $VERSION; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cpanel-JSON-XS-3.0223/XS.xs new/Cpanel-JSON-XS-3.0225/XS.xs --- old/Cpanel-JSON-XS-3.0223/XS.xs 2016-11-16 12:43:56.000000000 +0100 +++ new/Cpanel-JSON-XS-3.0225/XS.xs 2016-11-23 19:22:32.000000000 +0100 @@ -138,13 +138,13 @@ #ifdef WARN_NONCHAR #define WARNER_NONCHAR(hi) \ Perl_ck_warner_d(aTHX_ packWARN(WARN_NONCHAR), \ - "Unicode non-character U+%04"UVXf" is not " \ + "Unicode non-character U+%04" UVXf " is not " \ "recommended for open interchange", hi) /* before check use warnings 'utf8' */ #elif PERL_VERSION > 10 #define WARNER_NONCHAR(hi) \ Perl_ck_warner_d(aTHX_ packWARN(WARN_UTF8), \ - "Unicode non-character U+%04"UVXf" is illegal " \ + "Unicode non-character U+%04" UVXf " is illegal " \ "for interchange", hi) #else #define WARNER_NONCHAR(hi) \ @@ -379,8 +379,8 @@ decode_utf8 (pTHX_ unsigned char *s, STRLEN len, int relaxed, STRLEN *clen) { if (LIKELY(len >= 2 - && IN_RANGE_INC (char, s[0], 0xc2, 0xdf) - && IN_RANGE_INC (char, s[1], 0x80, 0xbf))) + && IN_RANGE_INC (char, s[0], 0xc2, 0xdf) + && IN_RANGE_INC (char, s[1], 0x80, 0xbf))) { *clen = 2; return ((s[0] & 0x1f) << 6) | (s[1] & 0x3f); @@ -391,7 +391,7 @@ We accept only valid unicode, unless we are in the relaxed mode. */ #if PERL_VERSION > 12 UV c = utf8n_to_uvuni (s, len, clen, - UTF8_CHECK_ONLY | (relaxed ? 0 : UTF8_DISALLOW_SUPER)); + UTF8_CHECK_ONLY | (relaxed ? 0 : UTF8_DISALLOW_SUPER)); #elif PERL_VERSION >= 8 UV c = utf8n_to_uvuni (s, len, clen, UTF8_CHECK_ONLY); #endif @@ -402,31 +402,70 @@ #if PERL_VERSION >= 8 return c; #else - /* for perl 5.6 */ + /* 5.6 does not detect certain ill-formed sequences, esp. overflows, + which are security relevant. so we add code to detect these. */ UV c = utf8_to_uv(s, len, clen, UTF8_CHECK_ONLY); - if (c > PERL_UNICODE_MAX && !relaxed) - *clen = -1; + if (!relaxed) { + if (!c || c > PERL_UNICODE_MAX) + *clen = -1; + /* need to check manually for some overflows. 5.6 unicode bug */ + else if (len >= 2 + && IN_RANGE_INC (char, s[0], 0xc0, 0xfe) + && !IN_RANGE_INC (char, s[0], 0xc2, 0xdf)) { + U8 *s0, *send; + UV uv = *s; + UV expectlen = UTF8SKIP(s); + +#define UTF_CONTINUATION_MASK ((U8) ((1U << 6) - 1)) +#define UTF_ACCUMULATION_OVERFLOW_MASK \ + (((UV) UTF_CONTINUATION_MASK) << ((sizeof(UV) * 8) - 6)) + + s0 = s; + /*printf ("maybe overlong <%.*s> %d/%d %x %x\n", len, s, c, + *clen, s[0], s[1]);*/ + if (*clen > 4) { + *clen = -1; + return c; + } + send = (U8*) s0 + ((expectlen <= len) ? len : len); + for (s = s0 + 1; s < send; s++) { + if (LIKELY(UTF8_IS_CONTINUATION(*s))) { + if (uv & UTF_ACCUMULATION_OVERFLOW_MASK) { + /*printf ("overflow\n");*/ + *clen = -1; + return c; + } + uv = UTF8_ACCUMULATE(uv, *s); + } + else { + /*printf ("unexpected non continuation\n");*/ + *clen = -1; + return c; + } + } + } + } return c; #endif } } -/* likewise for encoding, also never called for ascii codepoints */ -/* this function takes advantage of this fact, although current gccs */ -/* seem to optimise the check for >= 0x80 away anyways */ +/* Likewise for encoding, also never called for ascii codepoints. */ +/* This function takes advantage of this fact, although current gcc's */ +/* seem to optimise the check for >= 0x80 away anyways. */ INLINE unsigned char * encode_utf8 (unsigned char *s, UV ch) { - if (UNLIKELY(ch < 0x000080)) + if (UNLIKELY(ch < 0x000080)) *s++ = ch; else if (LIKELY(ch < 0x000800)) *s++ = 0xc0 | ( ch >> 6), *s++ = 0x80 | ( ch & 0x3f); - else if ( ch < 0x010000) + else if (ch < 0x010000) *s++ = 0xe0 | ( ch >> 12), *s++ = 0x80 | ((ch >> 6) & 0x3f), *s++ = 0x80 | ( ch & 0x3f); - else if ( ch < 0x110000) + else if (ch < 0x110000) *s++ = 0xf0 | ( ch >> 18), *s++ = 0x80 | ((ch >> 12) & 0x3f), *s++ = 0x80 | ((ch >> 6) & 0x3f), @@ -787,8 +826,8 @@ while (--clen); } else - { - need (aTHX_ enc, len += UTF8_MAXBYTES - 1); /* never more than 11 bytes needed */ + { /* never more than 11 bytes needed */ + need (aTHX_ enc, len += UTF8_MAXBYTES - 1); enc->cur = (char*)encode_utf8 ((U8*)enc->cur, uch); ++str; } @@ -801,6 +840,12 @@ } INLINE void +encode_const_str (pTHX_ enc_t *enc, const char *str, STRLEN len, int is_utf8) +{ + encode_str (aTHX_ enc, (char *)str, len, is_utf8); +} + +INLINE void encode_indent (pTHX_ enc_t *enc) { if (enc->json.flags & F_INDENT) @@ -866,7 +911,7 @@ if (svp) encode_sv (aTHX_ enc, *svp); else - encode_str (aTHX_ enc, "null", 4, 0); + encode_const_str (aTHX_ enc, "null", 4, 0); if (i < len) encode_comma (aTHX_ enc); @@ -1077,7 +1122,7 @@ if (isref && !(enc->json.flags & F_ALLOW_UNKNOWN)) croak ("cannot encode reference to scalar '%s' unless the scalar is 0 or 1", SvPV_nolen (sv_2mortal (newRV_inc (sv)))); - encode_str (aTHX_ enc, "null", 4, 0); + encode_const_str (aTHX_ enc, "null", 4, 0); return; } /* sv_2pv_flags does not accept those types: */ @@ -1109,7 +1154,7 @@ } #endif if (!len) { - encode_str (aTHX_ enc, "null", 4, 0); + encode_const_str (aTHX_ enc, "null", 4, 0); SvREFCNT_dec(pv); return; } @@ -1144,7 +1189,7 @@ } } if (!str) - encode_str (aTHX_ enc, "null", 4, 0); + encode_const_str (aTHX_ enc, "null", 4, 0); else { if (isref != 1) encode_ch (aTHX_ enc, '"'); @@ -1182,9 +1227,9 @@ if (stash == bstash || stash == mstash || stash == oldstash) { if (SvIV (sv)) - encode_str (aTHX_ enc, "true", 4, 0); + encode_const_str (aTHX_ enc, "true", 4, 0); else - encode_str (aTHX_ enc, "false", 5, 0); + encode_const_str (aTHX_ enc, "false", 5, 0); } else if ((enc->json.flags & F_ALLOW_TAGS) && (method = gv_fetchmethod_autoload (stash, "FREEZE", 0))) @@ -1264,7 +1309,7 @@ else if (enc->json.flags & F_CONV_BLESSED) encode_stringify(aTHX_ enc, sv, 0); else if (enc->json.flags & F_ALLOW_BLESSED) - encode_str (aTHX_ enc, "null", 4, 0); + encode_const_str (aTHX_ enc, "null", 4, 0); else croak ("encountered object '%s', but neither allow_blessed, convert_blessed nor allow_tags settings are enabled (or TO_JSON/FREEZE method missing)", SvPV_nolen (sv_2mortal (newRV_inc (sv)))); @@ -1278,19 +1323,19 @@ int bool_type = ref_bool_type (aTHX_ sv); if (bool_type == 1) - encode_str (aTHX_ enc, "true", 4, 0); + encode_const_str (aTHX_ enc, "true", 4, 0); else if (bool_type == 0) - encode_str (aTHX_ enc, "false", 5, 0); + encode_const_str (aTHX_ enc, "false", 5, 0); else if (enc->json.flags & F_ALLOW_STRINGIFY) encode_stringify(aTHX_ enc, sv, SvROK(sv)); else if (enc->json.flags & F_ALLOW_UNKNOWN) - encode_str (aTHX_ enc, "null", 4, 0); + encode_const_str (aTHX_ enc, "null", 4, 0); else croak ("cannot encode reference to scalar '%s' unless the scalar is 0 or 1", SvPV_nolen (sv_2mortal (newRV_inc (sv)))); } else if (enc->json.flags & F_ALLOW_UNKNOWN) - encode_str (aTHX_ enc, "null", 4, 0); + encode_const_str (aTHX_ enc, "null", 4, 0); else croak ("encountered %s, but JSON can only represent references to arrays or hashes", SvPV_nolen (sv_2mortal (newRV_inc (sv)))); @@ -1303,11 +1348,11 @@ if (UNLIKELY(sv == &PL_sv_yes )) { - encode_str (aTHX_ enc, "true", 4, 0); + encode_const_str (aTHX_ enc, "true", 4, 0); } else if (UNLIKELY(sv == &PL_sv_no )) { - encode_str (aTHX_ enc, "false", 5, 0); + encode_const_str (aTHX_ enc, "false", 5, 0); } else if (SvNOKp (sv)) { @@ -1473,8 +1518,8 @@ saveend = enc->end; enc->cur += SvIsUV(sv) - ? snprintf (enc->cur, IVUV_MAXCHARS, "%"UVuf, (UV)SvUVX (sv)) - : snprintf (enc->cur, IVUV_MAXCHARS, "%"IVdf, (IV)SvIVX (sv)); + ? snprintf (enc->cur, IVUV_MAXCHARS, "%" UVuf, (UV)SvUVX (sv)) + : snprintf (enc->cur, IVUV_MAXCHARS, "%" IVdf, (IV)SvIVX (sv)); } if (SvPOKp (sv) && !strEQ(savecur, SvPVX (sv))) { @@ -1499,7 +1544,7 @@ else if (SvROK (sv)) encode_rv (aTHX_ enc, sv); else if (!SvOK (sv) || enc->json.flags & F_ALLOW_UNKNOWN) - encode_str (aTHX_ enc, "null", 4, 0); + encode_const_str (aTHX_ enc, "null", 4, 0); else croak ("encountered perl type (%s,0x%x) that JSON cannot handle, check your input data", SvPV_nolen (sv), (unsigned int)SvFLAGS (sv)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Cpanel-JSON-XS-3.0223/t/01_utf8.t new/Cpanel-JSON-XS-3.0225/t/01_utf8.t --- old/Cpanel-JSON-XS-3.0223/t/01_utf8.t 2016-10-30 13:27:46.000000000 +0100 +++ new/Cpanel-JSON-XS-3.0225/t/01_utf8.t 2016-11-23 19:21:40.000000000 +0100 @@ -1,4 +1,4 @@ -use Test::More tests => 23; +use Test::More tests => 155; use utf8; use Cpanel::JSON::XS; @@ -16,7 +16,12 @@ is(Cpanel::JSON::XS->new->allow_nonref (1)->decode ('"ü"'), "ü"); is(Cpanel::JSON::XS->new->allow_nonref (1)->decode ('"\u00fc"'), "ü"); -is(Cpanel::JSON::XS->new->allow_nonref (1)->decode ('"\ud801\udc02' . "\x{10204}\""), "\x{10402}\x{10204}"); +if ($] < 5.008) { + eval { decode_json ('"\ud801\udc02' . "\x{10204}\"", 1) }; + like $@, qr/malformed UTF-8/; +} else { + is(Cpanel::JSON::XS->new->allow_nonref (1)->decode ('"\ud801\udc02' . "\x{10204}\""), "\x{10402}\x{10204}"); +} is(Cpanel::JSON::XS->new->allow_nonref (1)->decode ('"\"\n\\\\\r\t\f\b"'), "\"\012\\\015\011\014\010"); my $love = $] < 5.008 ? "I \342\235\244 perl" : "I ❤ perl"; @@ -80,3 +85,77 @@ is ($d, "\x{fdd0}", "no warning with relaxed"); is($w, undef); } + +# security exploits via ill-formed subsequences +# see http://unicode.org/reports/tr36/#UTF-8_Exploit +# testcases from Encode/t/utf8strict.t +# All these sequences are not handled by the unsafe, fast XS decoder, +# rather passed through to the safe Perl decoder, which detects those. +my @ill = + (# http://smontagu.damowmow.com/utf8test.html + # The numbers below, like 2.1.2 are test numbers on this web page + qq/80/ , # 3.1.1 + qq/bf/ , # 3.1.2 + qq/80 bf/ , # 3.1.3 + qq/80 bf 80/ , # 3.1.4 + qq/80 bf 80 bf/ , # 3.1.5 + qq/80 bf 80 bf 80/ , # 3.1.6 + qq/80 bf 80 bf 80 bf/ , # 3.1.7 + qq/80 bf 80 bf 80 bf 80/ , # 3.1.8 + qq/80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf/ , # 3.1.9 + qq/c0 20 c1 20 c2 20 c3 20 c4 20 c5 20 c6 20 c7 20 c8 20 c9 20 ca 20 cb 20 cc 20 cd 20 ce 20 cf 20 d0 20 d1 20 d2 20 d3 20 d4 20 d5 20 d6 20 d7 20 d8 20 d9 20 da 20 db 20 dc 20 dd 20 de 20 df 20/ , # 3.2.1 + qq/e0 20 e1 20 e2 20 e3 20 e4 20 e5 20 e6 20 e7 20 e8 20 e9 20 ea 20 eb 20 ec 20 ed 20 ee 20 ef 20/ , # 3.2.2 + qq/f0 20 f1 20 f2 20 f3 20 f4 20 f5 20 f6 20 f7 20/ , # 3.2.3 + qq/f8 20 f9 20 fa 20 fb 20/ , # 3.2.4 + qq/fc 20 fd 20/ , # 3.2.5 + qq/c0/ , # 3.3.1 + qq/e0 80/ , # 3.3.2 + qq/f0 80 80/ , # 3.3.3 + qq/f8 80 80 80/ , # 3.3.4 + qq/fc 80 80 80 80/ , # 3.3.5 + qq/df/ , # 3.3.6 + qq/ef bf/ , # 3.3.7 + qq/f7 bf bf/ , # 3.3.8 + qq/fb bf bf bf/ , # 3.3.9 + qq/fd bf bf bf bf/ , # 3.3.10 + qq/c0 e0 80 f0 80 80 f8 80 80 80 fc 80 80 80 80 df ef bf f7 bf bf fb bf bf bf fd bf bf bf bf/ , # 3.4.1 + qq/fe/ , # 3.5.1 + qq/ff/ , # 3.5.2 + qq/fe fe ff ff/ , # 3.5.3 + qq/f0 8f bf bf/ , # 4.2.3 + qq/f8 87 bf bf bf/ , # 4.2.4 + qq/fc 83 bf bf bf bf/ , # 4.2.5 + qq/c0 af/ , # 4.1.1 # ! overflow not with perl 5.6 + qq/e0 80 af/ , # 4.1.2 # ! overflow not with perl 5.6 + qq/f0 80 80 af/ , # 4.1.3 # ! overflow not with perl 5.6 + qq/f8 80 80 80 af/ , # 4.1.4 # ! overflow not with perl 5.6 + qq/fc 80 80 80 80 af/ , # 4.1.5 # ! overflow not with perl 5.6 + qq/c1 bf/ , # 4.2.1 # ! overflow not with perl 5.6 + qq/e0 9f bf/ , # 4.2.2 # ! overflow not with perl 5.6 + qq/c0 80/ , # 4.3.1 # xx! overflow not with perl 5.6 + qq/e0 80 80/ , # 4.3.2 # xx! overflow not with perl 5.6 + qq/f0 80 80 80/ , # 4.3.3 # xx! overflow not with perl 5.6 + qq/f8 80 80 80 80/ , # 4.3.4 # xx! overflow not with perl 5.6 + qq/fc 80 80 80 80 80/ , # 4.3.5 # xx! overflow not with perl 5.6 + # non-shortest form of 5c i.e. "\\" + qq/c1 9c/ , # ! not with perl 5.6 + ); + +{ + # these are no multibyte codepoints, just raw utf8 bytes, + # so most of them work with 5.6 also. + $^W = 1; + my $w; + warnings->import($] < 5.014 ? 'utf8' : 'nonchar'); + $SIG{__WARN__} = sub { $w = shift }; + + for my $ill (@ill) { + my $o = pack "C*" => map {hex} split /\s+/, $ill; + my $d = eval { decode_json("[\"$o\"]"); }; + is ($d, undef, substr($@,0,25)) + or diag $w, ' ', $ill, "\t => ", $d->[0], " $@"; + like($@, qr/malformed UTF-8 character/, "ill-formed utf8 <$ill> throws error"); + is($d, undef, "without warning"); + $w = undef; + } +}