Add range checks for narrowing integer casts in xml::Reader

Centimo · Centimo · commit 5d7fd19fd314 · 2026-02-23T00:21:12.000+03:00
diff --git a/include/rfl/xml/Reader.hpp b/include/rfl/xml/Reader.hpp
@@ -2,6 +2,7 @@
 #define RFL_XML_READER_HPP_
 
 #include <exception>
+#include <limits>
 #include <optional>
 #include <pugixml.hpp>
 #include <string>
@@ -100,10 +101,26 @@ struct Reader {
       const auto str = std::visit(get_value, _var.node_or_attribute_);
       try {
         if constexpr (std::is_unsigned<std::remove_cvref_t<T>>()) {
-          return static_cast<T>(std::stoull(str));
+          if (!str.empty() && str[0] == '-') {
+            return error("Value '" + std::string(str) +
+                         "' is negative, cannot convert to unsigned integer.");
+          }
+          const auto val = std::stoull(str);
+          if (val > static_cast<unsigned long long>(
+                        std::numeric_limits<T>::max())) {
+            return error("Value '" + std::string(str) +
+                         "' is out of range for the target type.");
+          }
+          return static_cast<T>(val);
         }
         else {
-          return static_cast<T>(std::stoll(str));
+          const auto val = std::stoll(str);
+          if (val < static_cast<long long>(std::numeric_limits<T>::min()) ||
+              val > static_cast<long long>(std::numeric_limits<T>::max())) {
+            return error("Value '" + std::string(str) +
+                         "' is out of range for the target type.");
+          }
+          return static_cast<T>(val);
         }
       } catch (std::exception& e) {
         return error("Could not cast '" + std::string(str) + "' to integer.");
diff --git a/tests/xml/test_regression_bugs.cpp b/tests/xml/test_regression_bugs.cpp
@@ -68,3 +68,41 @@ TEST(xml_regression, read_uint64_large_value) {
 }
 
 }  // namespace test_xml_reader_int64
+
+// xml::Reader narrowing: stoull/stoll + static_cast<T> silently truncates
+// for types narrower than 64-bit (e.g. int16_t, uint16_t).
+namespace test_xml_reader_narrowing {
+
+struct WithInt16 {
+  int16_t value;
+};
+
+struct WithUint16 {
+  uint16_t value;
+};
+
+TEST(xml_regression, read_rejects_out_of_range_for_int16) {
+  const auto xml = std::string(
+      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+      "<WithInt16><value>99999</value></WithInt16>");
+  const auto res = rfl::xml::read<WithInt16>(xml);
+  EXPECT_FALSE(res) << "99999 should be rejected for int16_t field";
+}
+
+TEST(xml_regression, read_rejects_negative_for_uint16) {
+  const auto xml = std::string(
+      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+      "<WithUint16><value>-1</value></WithUint16>");
+  const auto res = rfl::xml::read<WithUint16>(xml);
+  EXPECT_FALSE(res) << "-1 should be rejected for uint16_t field";
+}
+
+TEST(xml_regression, read_rejects_large_negative_for_int16) {
+  const auto xml = std::string(
+      "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+      "<WithInt16><value>-99999</value></WithInt16>");
+  const auto res = rfl::xml::read<WithInt16>(xml);
+  EXPECT_FALSE(res) << "-99999 should be rejected for int16_t field";
+}
+
+}  // namespace test_xml_reader_narrowing
