Tighten bounds checks around TextEncoder logic

- Replaces unsafe code with safe code where possible
- Fixes some surrogate pairs being misinterpreted
- Fixes #45994
- Ref: MSRC 62749 (CVE-2021-26701)

Author: GrabYourPitchforks

NuGet.config

@@ -16,6 +16,8 @@
     <add key="dotnet-eng" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json" />
     <add key="dotnet5" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet5/nuget/v3/index.json" />
     <add key="dotnet5-transport" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet5-transport/nuget/v3/index.json" />
+    <!-- Harvesting feed from 2.1 -->
+    <add key="darc-int-corefx-2.1.26" value="https://pkgs.dev.azure.com/dnceng/internal/_packaging/darc-int-corefx-2.1.26/nuget/v3/index.json" />
   </packageSources>
   <disabledPackageSources>
     <clear />

eng/restore/harvestPackages.targets

@@ -23,6 +23,7 @@
 
     <!-- Allow to override package download and versions in case there is already a PackageDownload set -->
     <ItemGroup>
+      <PackageDownload Include="System.Text.Encodings.Web" Version="4.5.1" />
       <_OverridenPackageDownloads Include="@(_PackageDownload)" Condition="'@(PackageDownload)' == '@(_PackageDownload)' and %(Identity) != ''" />
       <_PackageDownload Remove="@(_OverridenPackageDownloads)" />
       <_PackageDownload Include="@(PackageDownload)" />

src/libraries/System.Text.Encodings.Web/Directory.Build.props

@@ -1,6 +1,9 @@
 <Project>
   <Import Project="..\Directory.Build.props" />
   <PropertyGroup>
+    <AssemblyVersion>5.0.0.1</AssemblyVersion>
+    <PackageVersion>5.0.1</PackageVersion>
+    <HarvestVersion>4.5.1</HarvestVersion>
     <StrongNameKeyId>Open</StrongNameKeyId>
   </PropertyGroup>
 </Project>

src/libraries/System.Text.Encodings.Web/ref/System.Text.Encodings.Web.csproj

@@ -17,6 +17,7 @@
   </ItemGroup>
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0' or
                          $(TargetFramework.StartsWith('net4'))">
+    <PackageReference Include="System.Buffers" Version="$(SystemBuffersVersion)" />
     <PackageReference Include="System.Memory" Version="$(SystemMemoryVersion)" />
   </ItemGroup>
 </Project>

src/libraries/System.Text.Encodings.Web/src/System.Text.Encodings.Web.csproj

@@ -10,6 +10,7 @@
     <NoWarn>$(NoWarn);CS3019</NoWarn>
   </PropertyGroup>
   <ItemGroup>
+    <Compile Include="System\IO\TextWriterExtensions.cs" />
     <Compile Include="System\Text\Encodings\Web\DefaultJavaScriptEncoder.cs" />
     <Compile Include="System\Text\Encodings\Web\DefaultJavaScriptEncoderBasicLatin.cs" />
     <Compile Include="System\Text\Encodings\Web\HtmlEncoder.cs" />
@@ -40,6 +41,7 @@
     <Compile Include="$(CoreLibSharedDir)System\Text\UnicodeDebug.cs" Link="System\Text\UnicodeDebug.cs" />
     <Compile Include="$(CoreLibSharedDir)System\Text\UnicodeUtility.cs" Link="System\Text\UnicodeUtility.cs" />
     <Compile Include="$(CommonPath)System\HexConverter.cs" Link="Common\System\HexConverter.cs" />
+    <Compile Include="$(CommonPath)System\Text\ValueStringBuilder.cs" Link="Common\System\Text\ValueStringBuilder.cs" />
   </ItemGroup>
   <ItemGroup Condition="'$(TargetFramework)' == '$(NetCoreAppCurrent)' or
                         '$(TargetFramework)' == 'netcoreapp3.0'">
@@ -51,8 +53,12 @@
     <Reference Include="System.Runtime.Intrinsics" />
     <Reference Include="System.Threading" />
   </ItemGroup>
+  <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp3.0'">
+    <Reference Include="System.Buffers" />
+  </ItemGroup>
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0' or
                         $(TargetFramework.StartsWith('net4'))">
+    <PackageReference Include="System.Buffers" Version="$(SystemBuffersVersion)" />
     <PackageReference Include="System.Memory" Version="$(SystemMemoryVersion)" />
   </ItemGroup>
 </Project>

src/libraries/System.Text.Encodings.Web/src/System/IO/TextWriterExtensions.cs

@@ -0,0 +1,43 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Diagnostics;
+
+#if !(NETCOREAPP || NETSTANDARD2_1)
+using System.Buffers;
+#endif
+
+namespace System.IO
+{
+    internal static class TextWriterExtensions
+    {
+        /// <summary>
+        /// Writes a partial string (given offset and count) to the underlying TextWriter.
+        /// </summary>
+        public static void WritePartialString(this TextWriter writer, string value, int offset, int count)
+        {
+            Debug.Assert(writer != null);
+            Debug.Assert(value != null);
+
+            if (offset == 0 && count == value.Length)
+            {
+                // on all platforms, prefer TextWriter.Write(string) if no slicing is required
+                writer.Write(value);
+            }
+            else
+            {
+                // if slicing is required, call TextWriter.Write(ROS<char>) if available;
+                // otherwise rent an array and implement the Write routine ourselves
+                ReadOnlySpan<char> sliced = value.AsSpan(offset, count);
+#if NETCOREAPP || NETSTANDARD2_1
+                writer.Write(sliced);
+#else
+                char[] rented = ArrayPool<char>.Shared.Rent(sliced.Length);
+                sliced.CopyTo(rented);
+                writer.Write(rented, 0, sliced.Length);
+                ArrayPool<char>.Shared.Return(rented);
+#endif
+            }
+        }
+    }
+}