Fail if a list element is a list.

The upstream C++ parse doesn't do this, but it counts each field as a
depth change/return, thus it counts lists as increasing the depth, and
thus avoids stack issues via the depth limit.

But since there doesn't seem to directly be a way to get a list within
a list in TextFormat, just fail the parse if that happens.

Also land a fuzz test generated test that caught this issue.

Author: thomasvl

FuzzTesting/FailCases/clusterfuzz-testcase-minimized-FuzzTextFormat_release-5003886170537984

@@ -1289,7 +1289,7 @@ internal struct TextFormatScanner {
         return false
     }
 
-    private mutating func skipUnknownPrimativeFieldValue() throws {
+    private mutating func skipUnknownPrimativeFieldValue(canBeList: Bool = true) throws {
         // This is modeled after the C++ text_format.cpp `SkipFieldValue()`
         let c = p[0]
 
@@ -1301,6 +1301,10 @@ internal struct TextFormatScanner {
         }
 
         if skipOptionalBeginArray() {
+            guard canBeList else {
+                // Have encounted an array as an element in an array, that isn't legal.
+                throw TextFormatDecodingError.malformedText
+            }
             if skipOptionalEndArray() {
                 return
             }
@@ -1310,7 +1314,7 @@ internal struct TextFormatScanner {
                 }
                 let c = p[0]
                 if c != asciiOpenAngleBracket && c != asciiOpenCurlyBracket {
-                    try skipUnknownPrimativeFieldValue()
+                    try skipUnknownPrimativeFieldValue(canBeList: false)
                 } else {
                     try skipUnknownMessageFieldValue()
                 }

Sources/SwiftProtobuf/TextFormatScanner.swift

@@ -690,6 +690,42 @@ final class Test_TextFormatDecodingOptions: XCTestCase {
         }
     }
 
+    func testIgnoreUnknown_FailListWithinList() {
+        // The C++ TextFormat parse doesn't directly block this, but it calculates
+        // recusion depth differently (it counts each field as a +1/-1 while parsing
+        // it, that makes an array count as depth); so this got flagged by the fuzz
+        // testing as a way would could end up with stack overflow.
+
+        var options = TextFormatDecodingOptions()
+        options.ignoreUnknownFields = true
+        options.ignoreUnknownExtensionFields = true
+
+        let testCases: [String] = [
+            // fields
+            "f:[[]]",
+            "f:[1, [], 2]",
+            "f <g:[[]]>",
+            "f <g:[1, [], 2]]",
+            // extensions
+            "[e]:[[]]",
+            "[e]:[1, [], 2]",
+            "[e] <g:[[]]>",
+            "[e] <g:[1, [], 2]]",
+        ]
+
+        for testCase in testCases {
+            do {
+                let _ = try SwiftProtoTesting_TestEmptyMessage(textFormatString: testCase,
+                                                               options: options)
+                XCTFail("Should have failed - input: \(testCase)")
+            } catch TextFormatDecodingError.malformedText {
+                // Nothing, was the expected error
+            } catch {
+                XCTFail("Unexpected error: \(error) - input: \(testCase)")
+            }
+        }
+    }
+
     func testIgnoreUnknownWithMessageDepthLimit() {
         let textInput = "a: { a: { i: 1 } }"