
Commit 4fc15f4

committed
Fixed #272
1 parent 88015fa commit 4fc15f4


4 files changed

+52
-7
lines changed


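--- a/cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java
+++ b/cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java
@@ -2193,7 +2193,6 @@ protected String _finishTextToken(int ch) throws IOException
 
 // String value, decode
 final int len = _decodeExplicitLength(ch);
-
 if (len <= 0) {
 if (len == 0) {
 _textBuffer.resetWithEmpty();
@@ -2372,7 +2371,11 @@ private final void _finishChunkedText() throws IOException
 // end of chunk? get a new one, if there is one; if not, we are done
 if (_chunkLeft == 0) {
 int len = _decodeChunkLength(CBORConstants.MAJOR_TYPE_TEXT);
-if (len < 0) { // fine at this point (but not later)
+if (len <= 0) { // fine at this point (but not later)
+// 01-Apr-2021 (sic!), tatu: 0-byte length legal if nonsensical
+if (len == 0) {
+continue;
+}
 break;
 }
 _chunkLeft = len;
@@ -3128,7 +3131,8 @@ private final int _decodeExplicitLength(int lowBits) throws IOException
 }
 return (int) l;
 }
-throw _constructError("Invalid length for "+currentToken()+": 0x"+Integer.toHexString(lowBits));
+throw _constructError(String.format("Invalid length for %s: 0x%02X,",
+currentToken(), lowBits));
 }
 
 private int _decodeChunkLength(int expType) throws IOException
@@ -3142,16 +3146,18 @@ private int _decodeChunkLength(int expType) throws IOException
 }
 int type = (ch >> 5);
 if (type != expType) {
-throw _constructError("Mismatched chunk in chunked content: expected "
-+expType+" but encountered "+type+" (byte 0x"+Integer.toHexString(ch)+")");
+throw _constructError(String.format(
+"Mismatched chunk in chunked content: expected major type %d but encountered %d (byte 0x%02X)",
+expType, type, ch));
 }
 int len = _decodeExplicitLength(ch & 0x1F);
 if (len < 0) {
-throw _constructError("Illegal chunked-length indicator within chunked-length value (type "+expType+")");
+throw _constructError(String.format(
+"Illegal chunked-length indicator within chunked-length value (major type %d)", expType));
 }
 return len;
 }
-
+
 private float _decodeHalfSizeFloat() throws IOException
 {
 int i16 = _decode16Bits() & 0xFFFF;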
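Review bot: The new `if (len == 0) { continue; }` covers an empty chunk only where `_finishChunkedText` fetches the next chunk at the top of its loop; the release note names `_nextChunkedByte2`, which this diff does not touch, so whether an empty chunk arriving between the bytes of a multi-byte UTF-8 character is handled cannot be confirmed from these hunks and deserves its own test. Separately, the rewritten message in `_decodeExplicitLength` ends with a stray comma, `"Invalid length for %s: 0x%02X,"`, which should read `"Invalid length for %s: 0x%02X"`. All four enclosing methods start or end outside their hunks.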
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
package com.fasterxml.jackson.dataformat.cbor.fuzz;
2+
3+
import com.fasterxml.jackson.core.JsonParser;
4+
import com.fasterxml.jackson.core.JsonToken;
5+
import com.fasterxml.jackson.core.exc.StreamReadException;
6+
7+
import com.fasterxml.jackson.databind.ObjectMapper;
8+
import com.fasterxml.jackson.dataformat.cbor.CBORTestBase;
9+
10+
// [dataformats-binary#272]
11+
public class Fuzz32722ChunkedTextTest extends CBORTestBase
12+
{
13+
private final ObjectMapper MAPPER = cborMapper();
14+
15+
public void testChunkedWithUTF8_4Bytes() throws Exception
16+
{
17+
final byte[] input = new byte[] {
18+
(byte) 0x7F, // text, chunked (length marker 0x1F)
19+
0x60, // text segment of 0 bytes. Legal but weird
20+
(byte) 0xF0, // "simple value" 16, reported as "int" 16.
21+
0x70 // ... whatever this would be, fuzzer playing with stuff
22+
};
23+
24+
try (JsonParser p = MAPPER.createParser(input)) {
25+
assertToken(JsonToken.VALUE_STRING, p.nextToken());
26+
try {
27+
p.getText();
28+
fail("Should not pass, invalid content");
29+
} catch (StreamReadException e) {
30+
verifyException(e, "Mismatched chunk in chunked content");
31+
verifyException(e, "(byte 0xF0)");
32+
}
33+
}
34+
}
35+
}
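Review bot: The test pins only the failure path, an empty chunk followed by a byte of the wrong major type, and never checks that a legal empty chunk is skipped and decoding continues. A positive case would guard the new `continue` branch directly, for example the constructed input `new byte[] { 0x7F, 0x60, 0x61, 'A', (byte) 0xFF }` with an assertion that `p.getText()` returns `"A"`. The method name `testChunkedWithUTF8_4Bytes` also does not describe what is exercised; a name such as `testEmptyChunkThenMismatchedType` would make the regression easier to find later.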

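--- a/release-notes/CREDITS-2.x
+++ b/release-notes/CREDITS-2.x
@@ -186,6 +186,8 @@ Fabian Meumertzheim (fmeum@github)
 (2.12.3)
 * Reported #268: (smile) Handle sequence of Smile header markers without recursion
 (2.12.3)
+* Reported #272: (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
+(2.13.0)
 
 (jhhladky@github)
 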
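--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -18,6 +18,8 @@ Modules:
 #253: (cbor) Make `CBORFactory` support `JsonFactory.Feature.CANONICALIZE_FIELD_NAMES`
 #264: (cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale gracefully
 (actual fix in `jackson-databind`)
+#272: (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
+(reported by Fabian M)
 - `Ion-java` dep 1.4.0 -> 1.8.0
 
 2.12.3 (not yet released)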
