`ArrayIndexOutOfBoundsException` for specific invalid content, with Reader-based parser
cowtowncoder opened this issue · 0 comments
cowtowncoder commented
(note: found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61198)
Looks like there is a case where, if:

- `JsonParser` configured to accept non-standard leading plus sign (`JsonReadFeature.ALLOW_LEADING_PLUS_SIGN_FOR_NUMBERS`)
- Content is read using character-based parser (`ReaderBasedJsonParser`)
- Some boundary condition is reached (can emulate with 1-char-at-a-time Reader)
- Call is made to `JsonParser.getNumberType()` (or possibly other number accessors)

there's an AIOOBE with stack trace like:
```
at com.fasterxml.jackson.core.io.NumberInput.parseInt(NumberInput.java:55)
at com.fasterxml.jackson.core.util.TextBuffer.contentsAsInt(TextBuffer.java:631)
at com.fasterxml.jackson.core.base.ParserBase._parseNumericValue(ParserBase.java:891)
at com.fasterxml.jackson.core.base.ParserBase.getNumberType(ParserBase.java:735)
```
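
A robustness check for the conditions listed above, added here as an example (it is not part of the original issue or of the Jackson project's tests). The class name `LeadingPlusProbe`, the `OneCharReader` helper and the sample documents are assumptions made for illustration; the issue does not include the OSS-Fuzz input, so the samples are constructed and are not claimed to trigger the failure.

```java
import com.fasterxml.jackson.core.*;
import com.fasterxml.jackson.core.json.JsonReadFeature;
import java.io.*;

public class LeadingPlusProbe {
    // Reader that hands out one char per read() call, to force buffer-boundary paths.
    static final class OneCharReader extends FilterReader {
        OneCharReader(Reader in) { super(in); }
        @Override
        public int read(char[] buf, int off, int len) throws IOException {
            return super.read(buf, off, Math.min(len, 1));
        }
    }

    // "parsed" and "rejected" are acceptable outcomes; "BUG" means an unchecked
    // exception (such as the AIOOBE above) escaped the parser.
    static String probe(JsonFactory f, String doc) {
        try (JsonParser p = f.createParser(new OneCharReader(new StringReader(doc)))) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t.isNumeric()) {
                    p.getNumberType(); // the accessor named in the stack trace
                }
            }
            return "parsed";
        } catch (IOException e) { // JsonParseException is an IOException in Jackson 2.x
            return "rejected: " + e.getClass().getSimpleName();
        } catch (RuntimeException e) {
            return "BUG: " + e;
        }
    }

    public static void main(String[] args) {
        JsonFactory f = new JsonFactoryBuilder()
                .enable(JsonReadFeature.ALLOW_LEADING_PLUS_SIGN_FOR_NUMBERS)
                .build();
        // Constructed sample inputs, NOT the OSS-Fuzz test case (the issue does not give it).
        String[] docs = { "+1", "+", "+ ", "[+]", "+-1", "+.5", "+1e", "[ +12, +x ]" };
        for (String doc : docs) {
            System.out.println('"' + doc + "\" -> " + probe(f, doc));
        }
    }
}
```

Any line reporting `BUG` indicates that malformed input surfaced as an unchecked exception instead of a `JsonParseException`, which is the failure mode this issue describes.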