Fixed #272

Author: cowtowncoder

cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java

@@ -2193,7 +2193,6 @@ protected String _finishTextToken(int ch) throws IOException
 
         // String value, decode
         final int len = _decodeExplicitLength(ch);
-
         if (len <= 0) {
             if (len == 0) {
                 _textBuffer.resetWithEmpty();
@@ -2372,7 +2371,11 @@ private final void _finishChunkedText() throws IOException
                 // end of chunk? get a new one, if there is one; if not, we are done
                 if (_chunkLeft == 0) {
                     int len = _decodeChunkLength(CBORConstants.MAJOR_TYPE_TEXT);
-                    if (len < 0) { // fine at this point (but not later)
+                    if (len <= 0) { // fine at this point (but not later)
+                        // 01-Apr-2021 (sic!), tatu: 0-byte length legal if nonsensical
+                        if (len == 0) {
+                            continue;
+                        }
                         break;
                     }
                     _chunkLeft = len;
@@ -3128,7 +3131,8 @@ private final int _decodeExplicitLength(int lowBits) throws IOException
             }
             return (int) l;
         }
-        throw _constructError("Invalid length for "+currentToken()+": 0x"+Integer.toHexString(lowBits));
+        throw _constructError(String.format("Invalid length for %s: 0x%02X,",
+                currentToken(), lowBits));
     }
 
     private int _decodeChunkLength(int expType) throws IOException
@@ -3142,16 +3146,18 @@ private int _decodeChunkLength(int expType) throws IOException
         }
         int type = (ch >> 5);
         if (type != expType) {
-            throw _constructError("Mismatched chunk in chunked content: expected "
-                    +expType+" but encountered "+type+" (byte 0x"+Integer.toHexString(ch)+")");
+            throw _constructError(String.format(
+"Mismatched chunk in chunked content: expected major type %d but encountered %d (byte 0x%02X)",
+expType, type, ch));
         }
         int len = _decodeExplicitLength(ch & 0x1F);
         if (len < 0) {
-            throw _constructError("Illegal chunked-length indicator within chunked-length value (type "+expType+")");
+            throw _constructError(String.format(
+"Illegal chunked-length indicator within chunked-length value (major type %d)", expType));
         }
         return len;
     }
-    
+
     private float _decodeHalfSizeFloat() throws IOException
     {
         int i16 = _decode16Bits() & 0xFFFF;

cbor/src/test/java/com/fasterxml/jackson/dataformat/cbor/fuzz/Fuzz32722ChunkedTextTest.java

@@ -0,0 +1,35 @@
+package com.fasterxml.jackson.dataformat.cbor.fuzz;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
+import com.fasterxml.jackson.core.exc.StreamReadException;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.cbor.CBORTestBase;
+
+// [dataformats-binary#272]
+public class Fuzz32722ChunkedTextTest extends CBORTestBase
+{
+    private final ObjectMapper MAPPER = cborMapper();
+
+    public void testChunkedWithUTF8_4Bytes() throws Exception
+    {
+        final byte[] input = new byte[] {
+                (byte) 0x7F, // text, chunked (length marker 0x1F)
+                0x60, // text segment of 0 bytes. Legal but weird
+                (byte) 0xF0, // "simple value" 16, reported as "int" 16.
+                0x70 // ... whatever this would be, fuzzer playing with stuff
+        };
+
+        try (JsonParser p = MAPPER.createParser(input)) {
+            assertToken(JsonToken.VALUE_STRING, p.nextToken());
+            try {
+                p.getText();
+                fail("Should not pass, invalid content");
+            } catch (StreamReadException e) {
+                verifyException(e, "Mismatched chunk in chunked content");
+                verifyException(e, "(byte 0xF0)");
+            }
+        }
+    }
+}

release-notes/CREDITS-2.x

@@ -186,6 +186,8 @@ Fabian Meumertzheim (fmeum@github)
  (2.12.3)
 * Reported #268: (smile) Handle sequence of Smile header markers without recursion
  (2.12.3)
+* Reported #272: (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)	
+ (2.13.0)
 
 (jhhladky@github)
 

release-notes/VERSION-2.x

@@ -18,6 +18,8 @@ Modules:
 #253: (cbor) Make `CBORFactory` support `JsonFactory.Feature.CANONICALIZE_FIELD_NAMES`
 #264: (cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale gracefully
  (actual fix in `jackson-databind`)
+#272: (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
+ (reported by Fabian M)
 - `Ion-java` dep 1.4.0 -> 1.8.0
 
 2.12.3 (not yet released)