Fix out-of-bounds access in three_parts. Fix mishandling of non-null terminated string_views in jwt_set::case_compare. Address several conversion and unreachability warnings

include/jwt/algorithm.hpp

@@ -358,7 +358,7 @@ struct HMACSign
 
     unsigned char* res = HMAC(Hasher{}(),
                               key.data(),
-                              key.length(),
+                              static_cast<int>(key.length()),
                               reinterpret_cast<const unsigned char*>(data.data()),
                               data.length(),
                               reinterpret_cast<unsigned char*>(&sign[0]),

include/jwt/impl/algorithm.ipp

@@ -38,7 +38,7 @@ verify_result_t HMACSign<Hasher>::verify(
 
   unsigned char* res = HMAC(Hasher{}(),
                             key.data(),
-                            key.length(),
+                            static_cast<int>(key.length()),
                             reinterpret_cast<const unsigned char*>(head.data()),
                             head.length(),
                             enc_buf,
@@ -79,7 +79,7 @@ verify_result_t PEMSign<Hasher>::verify(
   std::string dec_sig = base64_uri_decode(jwt_sign.data(), jwt_sign.length());
 
   BIO_uptr bufkey{
-      BIO_new_mem_buf((void*)key.data(), key.length()),
+      BIO_new_mem_buf((void*)key.data(), static_cast<int>(key.length())),
       bio_deletor};
 
   if (!bufkey) {
@@ -180,7 +180,7 @@ EVP_PKEY* PEMSign<Hasher>::load_key(
   ec.clear();
 
   BIO_uptr bio_ptr{
-      BIO_new_mem_buf((void*)key.data(), key.length()), 
+      BIO_new_mem_buf((void*)key.data(), static_cast<int>(key.length())), 
       bio_deletor};
 
   if (!bio_ptr) {
@@ -276,7 +276,7 @@ std::string PEMSign<Hasher>::public_key_ser(
 
   EC_SIG_uptr ec_sig{d2i_ECDSA_SIG(nullptr,
                                    (const unsigned char**)&char_ptr,
-                                   sign.length()),
+                                   static_cast<long>(sign.length())),
                      ec_sig_deletor};
 
   if (!ec_sig) {

include/jwt/impl/error_codes.ipp

@@ -52,7 +52,6 @@ struct AlgorithmErrCategory: std::error_category
       return "invalid key";
     };
     return "unknown algorithm error";
-    assert (0 && "Code not reached");
   }
 };
 
@@ -89,7 +88,6 @@ struct DecodeErrorCategory: std::error_category
       return "key not required for NONE algorithm";
     };
     return "unknown decode error";
-    assert (0 && "Code not reached");
   }
 };
 
@@ -128,7 +126,6 @@ struct VerificationErrorCategory: std::error_category
       return "type conversion error";
     };
     return "unknown verification error";
-    assert (0 && "Code not reached");
   }
 };
 

include/jwt/impl/jwt.ipp

@@ -70,7 +70,7 @@ inline void jwt_header::decode(const jwt::string_view enc_str, std::error_code&
 
   try {
     payload_ = json_t::parse(std::move(json_str));
-  } catch(const std::exception& e) {
+  } catch(const std::exception&) {
     ec = DecodeErrc::JsonParseError;
     return;
   }
@@ -130,7 +130,7 @@ inline void jwt_payload::decode(const jwt::string_view enc_str, std::error_code&
   std::string json_str = base64_decode(enc_str);
   try {
     payload_ = json_t::parse(std::move(json_str));
-  } catch(const std::exception& e) {
+  } catch(const std::exception&) {
     ec = DecodeErrc::JsonParseError;
     return;
   }
@@ -530,7 +530,7 @@ jwt_object::three_parts(const jwt::string_view enc_str)
 
   result[1] = jwt::string_view{&enc_str[fpos + 1], spos - fpos - 1};
 
-  if (spos != enc_str.length()) {
+  if (spos + 1 != enc_str.length()) {
     result[2] = jwt::string_view{&enc_str[spos + 1], enc_str.length() - spos - 1};
   }
 
@@ -711,7 +711,7 @@ jwt_object decode(const jwt::string_view enc_str,
   if (dparams.verify) {
     try {
       ec = obj.verify(dparams, algos);
-    } catch (const json_ns::detail::type_error& e) {
+    } catch (const json_ns::detail::type_error&) {
       ec = VerificationErrc::TypeConversionError;
     }
 

include/jwt/jwt.hpp

@@ -72,7 +72,6 @@ inline enum type str_to_type(const jwt::string_view typ) noexcept
   else if(!strcasecmp(typ.data(), "none")) return type::NONE;
 
   JWT_NOT_REACHED("Code not reached");
-  return type::NONE;
 }
 
 
@@ -130,7 +129,6 @@ inline jwt::string_view reg_claims_to_str(SCOPED_ENUM registered_claims claim) n
     default:                            assert (0 && "Not a registered claim");
   };
   JWT_NOT_REACHED("Code not reached");
-  return "";
 }
 
 /**
@@ -147,27 +145,9 @@ struct jwt_set
   {
     using is_transparent = std::true_type;
 
-    bool operator()(const std::string& lhs, const std::string& rhs) const
-    {
-      int ret = strcmp(lhs.c_str(), rhs.c_str());
-      return (ret < 0);
-    }
-
     bool operator()(const jwt::string_view lhs, const jwt::string_view rhs) const
     {
-      int ret = strcmp(lhs.data(), rhs.data());
-      return (ret < 0);
-    }
-
-    bool operator()(const std::string& lhs, const jwt::string_view rhs) const
-    {
-      int ret = strcmp(lhs.data(), rhs.data());
-      return (ret < 0);
-    }
-
-    bool operator()(const jwt::string_view lhs, const std::string& rhs) const
-    {
-      int ret = strcmp(lhs.data(), rhs.data());
+      int ret = lhs.compare(rhs);
       return (ret < 0);
     }
   };

include/jwt/string_view.hpp

@@ -138,6 +138,7 @@ public: // Exposed APIs
   /// Element Access Member Functions
   const_reference operator[](size_type idx) const noexcept
   {
+    assert(idx < len_ && "string_view subscript out of range");
     return data_[idx];
   }