Fixed #191

Author: cowtowncoder

release-notes/VERSION

@@ -14,6 +14,11 @@ JSON library.
 === Releases ===
 ------------------------------------------------------------------------
 
+2.5.3 (not released yet)
+
+#191: Longest collision chain in symbol table now exceeds maximum -- suspect a DoS attack
+ (reported by Paul D)
+
 2.5.2 (29-Mar-2015)
 
 #181: Failure parsing -Infinity on buffer boundary

src/main/java/com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java

@@ -1302,7 +1302,7 @@ private String _parseName2(int startPtr, int hash, int endChar) throws IOExcepti
                     }
                 }
             }
-            hash = (hash * CharsToNameCanonicalizer.HASH_MULT) + i;
+            hash = (hash * CharsToNameCanonicalizer.HASH_MULT) + c;
             // Ok, let's add char to output:
             outBuf[outPtr++] = c;
 
@@ -1318,7 +1318,6 @@ private String _parseName2(int startPtr, int hash, int endChar) throws IOExcepti
             char[] buf = tb.getTextBuffer();
             int start = tb.getTextOffset();
             int len = tb.size();
-
             return _symbols.findSymbol(buf, start, len, hash);
         }
     }

src/test/java/com/fasterxml/jackson/core/sym/TestSymbolTables.java

@@ -152,6 +152,41 @@ public void testShortNameCollisionsViaParser() throws Exception
         p.close();
     }
 
+    // [core#191]
+    public void testShortQuotedDirectChars() throws IOException
+    {
+        final int COUNT = 400;
+        
+        CharsToNameCanonicalizer symbols = CharsToNameCanonicalizer.createRoot(1);
+        for (int i = 0; i < COUNT; ++i) {
+            String id = String.format("\\u%04x", i);
+            char[] ch = id.toCharArray();
+            symbols.findSymbol(ch, 0, ch.length, symbols.calcHash(id));
+        }
+        assertEquals(COUNT, symbols.size());
+        assertEquals(1024, symbols.bucketCount());
+
+        assertEquals(112, symbols.collisionCount());
+        assertEquals(2, symbols.maxCollisionLength());
+    }
+
+    public void testShortQuotedDirectBytes() throws IOException
+    {
+        final int COUNT = 400;
+        BytesToNameCanonicalizer symbols =
+                BytesToNameCanonicalizer.createRoot(1).makeChild(JsonFactory.Feature.collectDefaults());
+        for (int i = 0; i < COUNT; ++i) {
+            String id = String.format("\\u%04x", i);
+            int[] quads = BytesToNameCanonicalizer.calcQuads(id.getBytes("UTF-8"));
+            symbols.addName(id, quads, quads.length);
+        }
+        assertEquals(COUNT, symbols.size());
+        assertEquals(1024, symbols.bucketCount());
+
+        assertEquals(44, symbols.collisionCount());
+        assertEquals(2, symbols.maxCollisionLength());
+    }
+    
     // [core#191]
     public void testShortNameCollisionsDirect() throws IOException
     {
@@ -196,14 +231,7 @@ private String _shortDoc191() {
             if (i > 0) {
                 sb.append(",\n");
             }
-            sb.append('"');
-            char c = (char) i;
-            if (Character.isLetterOrDigit(c)) {
-                sb.append((char) i);
-            } else {
-                sb.append(String.format("\\u%04x", i));
-            }
-            sb.append("\" : "+i);
+            sb.append(String.format("\"\\u%04x\" : %d", i, i));
         }
         sb.append("}\n");
         return sb.toString();