Hi, thanks for your time to read this issue. We cannot find a repo for this crate, so we report the issue here. If it's not the correct place, please let us know.
Our static analyzer found a potential unsound issue in the UTF-8 parsing, where it doesn't provide enough checks to ensure the soundness.
libsql/vendored/sqlite3-parser/src/dialect/mod.rs
Lines 60 to 62 in 8145962

```rust
fn from_bytes(bytes: &[u8]) -> String {
    unsafe { str::from_utf8_unchecked(bytes).to_owned() }
}
```
A potential PoC code is like:
```rust
use libsql_sqlite3_parser::lexer::sql::{Parser, Tokenizer};
use fallible_iterator::FallibleIterator;

fn main() {
    // Byte sequence that is not valid UTF-8.
    let invalid_utf8: &[u8] = &[0xC0, 0x80];
    let sql = "SELECT ? ";
    // Build the parser input: the SQL text followed by the invalid bytes.
    let mut v = Vec::new();
    v.extend_from_slice(sql.as_bytes());
    v.extend_from_slice(invalid_utf8);
    let mut parser = Parser::new(&*v);
    let mut cmd = parser.next().unwrap();
    println!("{:?}", cmd);
}
```
Thanks again for your time.
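A validating counterpart to the `from_bytes` helper quoted in the report, as an added example that is not part of the original issue or the libsql code base. `InvalidUtf8`, `from_bytes_checked`, `from_bytes_lossy` and `sample_input` are hypothetical names, and the sample input is constructed from the bytes shown in the report.

```rust
/// Where a byte slice stops being valid UTF-8 (hypothetical error type).
#[derive(Debug, PartialEq)]
pub struct InvalidUtf8 {
    /// Number of leading bytes that are valid UTF-8.
    pub valid_up_to: usize,
    /// Length of the invalid sequence; None if the input ends mid-character.
    pub error_len: Option<usize>,
}

/// Validating counterpart of the quoted `from_bytes` (hypothetical name).
/// No `unsafe`: invalid input becomes an error instead of a `String` that
/// violates the UTF-8 invariant.
pub fn from_bytes_checked(bytes: &[u8]) -> Result<String, InvalidUtf8> {
    std::str::from_utf8(bytes)
        .map(|s| s.to_owned())
        .map_err(|e| InvalidUtf8 {
            valid_up_to: e.valid_up_to(),
            error_len: e.error_len(),
        })
}

/// Alternative for callers that must not fail: each invalid sequence is
/// replaced with U+FFFD, so the result is always valid UTF-8.
pub fn from_bytes_lossy(bytes: &[u8]) -> String {
    String::from_utf8_lossy(bytes).into_owned()
}

/// Constructed sample: the statement and trailing bytes used in the report.
pub fn sample_input() -> Vec<u8> {
    let mut v = b"SELECT ? ".to_vec();
    v.extend_from_slice(&[0xC0, 0x80]);
    v
}

fn main() {
    let input = sample_input();
    // Invalid input is rejected with the offset of the first bad byte.
    println!("{:?}", from_bytes_checked(&input));
    // The lossy variant substitutes replacement characters instead.
    println!("{:?}", from_bytes_lossy(&input));
    // Valid input round-trips unchanged.
    println!("{:?}", from_bytes_checked(b"SELECT 1;"));
}
```

The checked variant costs one validation pass over the bytes; `valid_up_to` gives the offset a parser error message can point at.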