XmlReader.Create throws IndexOutOfRangeException #28615

Closed
Tracked by #93172 ...
Metalnem opened this issue Feb 4, 2019 · 3 comments
@Metalnem

Metalnem commented Feb 4, 2019

XmlReader.Create(Stream) method sometimes throws IndexOutOfRangeException (the documentation says that it can only throw ArgumentNullException and SecurityException). Here's the full program that reproduces this:

using System.IO;
using System.Xml;

namespace Test
{
  public class Program
  {
    public static void Main(string[] args)
    {
      var b = new byte[] { 60, 0, 0, 0, 0, 34, 1, 0, 62, 100, 60, 47, 97, 62, 10 };
      XmlReader.Create(new MemoryStream(b));
    }
  }
}

The stack trace:

Exception has occurred: CLR/System.IndexOutOfRangeException
An unhandled exception of type 'System.IndexOutOfRangeException' occurred in System.Private.Xml.dll: 'Index was outside the bounds of the array.'
   at System.Xml.Ucs4Decoder.Ucs4ToUTF16(UInt32 code, Char[] chars, Int32 charIndex)
   at System.Xml.Ucs4Decoder4321.GetFullChars(Byte[] bytes, Int32 byteIndex, Int32 byteCount, Char[] chars, Int32 charIndex)
   at System.Xml.Ucs4Decoder.Convert(Byte[] bytes, Int32 byteIndex, Int32 byteCount, Char[] chars, Int32 charIndex, Int32 charCount, Boolean flush, Int32& bytesUsed, Int32& charsUsed, Boolean& completed)
   at System.Xml.XmlTextReaderImpl.InvalidCharRecovery(Int32& bytesCount, Int32& charsCount)
   at System.Xml.XmlTextReaderImpl.GetChars(Int32 maxCharsCount)
   at System.Xml.XmlTextReaderImpl.ReadData()
   at System.Xml.XmlTextReaderImpl.InitStreamInput(Uri baseUri, String baseUriStr, Stream stream, Byte[] bytes, Int32 byteCount, Encoding encoding)
   at System.Xml.XmlTextReaderImpl.FinishInitStream()
   at System.Xml.XmlTextReaderImpl..ctor(Stream stream, Byte[] bytes, Int32 byteCount, XmlReaderSettings settings, Uri baseUri, String baseUriStr, XmlParserContext context, Boolean closeInput)
   at System.Xml.XmlReaderSettings.CreateReader(Stream input, Uri baseUri, String baseUriString, XmlParserContext inputContext)
   at System.Xml.XmlReader.Create(Stream input)

The environment:

.NET Core SDK (reflecting any global.json):
 Version:   2.2.103
 Commit:    8edbc2570a

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  10.14
 OS Platform: Darwin
 RID:         osx.10.14-x64
 Base Path:   /usr/local/share/dotnet/sdk/2.2.103/

Found via SharpFuzz.

@danmoseley
Member

Same on .NET Framework. @krwq is this by design? If so we should update docs.

@Metalnem do you expect to find more issues with "SharpFuzz"? Sounds interesting. Are you manually comparing exceptions thrown with the docs, or ingesting docs somehow?

@krwq
Member

krwq commented Feb 4, 2019

This does not seem to be by design. Please make sure to look at the perf when fixing this, as it might not be worth adding the extra checks.

cc: @buyaa-n

@Metalnem
Author

Metalnem commented Feb 5, 2019

@danmosemsft Yes, I expect to find a lot of similar issues across the whole standard library (XmlReader just happened to be the first class I've tested, for no particular reason). I'm currently manually comparing exceptions, but I'll look into automating it in the future (my current goal is to cover the most vulnerable classes in the library first).

@buyaa-n buyaa-n self-assigned this Feb 6, 2019
@msftgits msftgits transferred this issue from dotnet/corefx Feb 1, 2020
@msftgits msftgits added this to the 3.0 milestone Feb 1, 2020
@dotnet dotnet locked as resolved and limited conversation to collaborators Dec 14, 2020
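
An added example, not code from the issue or from the .NET project: a small C# triage check for the comparison discussed in the thread, flagging any exception from XmlReader.Create(Stream) that falls outside the two types the issue says are documented. The names ContractCheck and Probe and the control input are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security;
using System.Xml;

public static class ContractCheck
{
  // The two exception types the issue says the documentation lists
  // for XmlReader.Create(Stream).
  static readonly HashSet<Type> Documented = new HashSet<Type>
  {
    typeof(ArgumentNullException), typeof(SecurityException),
  };

  // Hypothetical helper: returns null when Create succeeds or throws a
  // documented type, otherwise returns the undocumented exception for triage.
  public static Exception Probe(byte[] input)
  {
    try
    {
      using (var stream = new MemoryStream(input))
      using (XmlReader.Create(stream)) { }
      return null;
    }
    catch (Exception e) when (Documented.Contains(e.GetType())) { return null; }
    catch (Exception e) { return e; }
  }

  public static void Main()
  {
    var samples = new Dictionary<string, byte[]>
    {
      // Byte sequence taken from the repro program in the issue.
      ["issue-28615"] = new byte[] { 60, 0, 0, 0, 0, 34, 1, 0, 62, 100, 60, 47, 97, 62, 10 },
      // Constructed control input: the ASCII bytes of "<a>d</a>\n".
      ["control"] = new byte[] { 60, 97, 62, 100, 60, 47, 97, 62, 10 },
    };
    foreach (var s in samples)
    {
      var e = Probe(s.Value);
      Console.WriteLine(e == null
        ? $"{s.Key}: within documented contract"
        : $"{s.Key}: UNDOCUMENTED {e.GetType().FullName}: {e.Message}");
    }
  }
}
```

A non-null result is a candidate for either a library fix or a documentation update, the two outcomes raised in the thread.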