Fix #289

FasterXML · Jul 5, 2021 · 569b8ee · 569b8ee
1 parent 12eebda
commit 569b8ee
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 4 deletions.
diff --git a/cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java b/cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java
@@ -2720,7 +2720,7 @@ protected final JsonToken _decodePropertyName() throws IOException
         return JsonToken.FIELD_NAME;
     }
 
-    private final String _decodeContiguousName(int len) throws IOException
+    private final String _decodeContiguousName(final int len) throws IOException
     {
         // note: caller ensures we have enough bytes available
         int outPtr = 0;
@@ -2752,7 +2752,13 @@ private final String _decodeContiguousName(int len) throws IOException
             int i = inBuf[inPtr++] & 0xFF;
             int code = codes[i];
             if (code != 0) {
-                // trickiest one, need surrogate handling
+                // 05-Jul-2021, tatu: As per [dataformats-binary#289] need to
+                //     be careful wrt end-of-buffer truncated codepoints
+                if ((inPtr + code) > end) {
+                    final int firstCharOffset = len - (end - inPtr) - 1;
+                    _reportTruncatedUTF8InName(len, firstCharOffset, i, code);
+                }
+
                 switch (code) {
                 case 1:
                     {
@@ -3484,7 +3490,7 @@ protected boolean loadMore() throws IOException
     protected void loadMoreGuaranteed() throws IOException {
         if (!loadMore()) { _reportInvalidEOF(); }
     }
-    
+
     /**
      * Helper method that will try to load at least specified number bytes in
      * input buffer, possible moving existing data around if necessary
@@ -3671,13 +3677,26 @@ protected void _reportIncompleteBinaryRead(int expLen, int actLen) throws IOExce
     }
 
     // @since 2.13
+    /*
     private String _reportTruncatedUTF8InString(int strLenBytes, int truncatedCharOffset,
             int firstUTFByteValue, int bytesExpected)
         throws IOException
     {
         throw _constructError(String.format(
 "Truncated UTF-8 character in Chunked Unicode String value (%d bytes): "
 +"byte 0x%02X at offset #%d indicated %d more bytes needed",
+strLenBytes, firstUTFByteValue, truncatedCharOffset, bytesExpected));
+    }
+    */
+
+    // @since 2.13
+    private String _reportTruncatedUTF8InName(int strLenBytes, int truncatedCharOffset,
+            int firstUTFByteValue, int bytesExpected)
+        throws IOException
+    {
+        throw _constructError(String.format(
+"Truncated UTF-8 character in Map key (%d bytes): "
++"byte 0x%02X at offset #%d indicated %d more bytes needed",
 strLenBytes, firstUTFByteValue, truncatedCharOffset, bytesExpected));
     }
 

diff --git a/...test/java/com/fasterxml/jackson/dataformat/cbor/fuzz/Fuzz289_35822_TruncatedNameTest.java b/...test/java/com/fasterxml/jackson/dataformat/cbor/fuzz/Fuzz289_35822_TruncatedNameTest.java
@@ -0,0 +1,35 @@
+package com.fasterxml.jackson.dataformat.cbor.fuzz;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
+import com.fasterxml.jackson.core.exc.StreamReadException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.cbor.CBORTestBase;
+
+public class Fuzz289_35822_TruncatedNameTest extends CBORTestBase
+{
+    private final ObjectMapper MAPPER = cborMapper();
+
+    // As per https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35822
+    // ArrayIndexOutOfBoundsException when 2 out of 3 bytes available before
+    // end-of-input
+    public void testInvalidSplitUtf8Unit() throws Exception
+    {
+        final byte[] input = new byte[] {
+                (byte) 0xA6, // Object, 6 entries
+                0x78, 0x02, // String (key), length 2 (non-canonical)
+                (byte) 0xE6, (byte) 0x8B // broken UTF-8 codepoint
+        };
+
+        try (JsonParser p = MAPPER.createParser(input)) {
+            assertToken(JsonToken.START_OBJECT, p.nextToken());
+            try {
+                assertToken(JsonToken.FIELD_NAME, p.nextToken());
+                fail("Should not pass");
+            } catch (StreamReadException e) {
+                verifyException(e, "Truncated UTF-8");
+                verifyException(e, "byte 0xE6 at offset #0 indicated 2 more bytes needed");
+            }
+        }
+    }
+}
diff --git a/.../test/java/com/fasterxml/jackson/dataformat/cbor/parse/ParseInvalidUTF8String236Test.java b/.../test/java/com/fasterxml/jackson/dataformat/cbor/parse/ParseInvalidUTF8String236Test.java
@@ -120,7 +120,7 @@ public void testShortString237InvalidName() throws Exception
                 String str = p.getText();
                 fail("Should have failed, did not, String = '"+str+"'");
             } catch (StreamReadException e) {
-                verifyException(e, "Invalid UTF-8 middle byte 0x2f");
+                verifyException(e, "Truncated UTF-8 character in Map key (2 bytes)");
             }
         }
     }

diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -30,6 +30,7 @@ Modules:
  (contributed by Michal F)
 #284: Support base64 strings in `getBinaryValue()` for CBOR and Smile
  (requested by Hunter H)
+#289: `ArrayIndexOutOfBounds` for truncated UTF-8 name
 - `Ion-java` dep 1.4.0 -> 1.8.0
 - Minor change to Ion module registration names (fully-qualified)