Some more bounds checking added

Author: cowtowncoder

src/main/java/com/fasterxml/jackson/core/json/UTF8JsonGenerator.java

@@ -670,19 +670,19 @@ public void writeRaw(String text) throws IOException {
     @Override
     public void writeRaw(String text, int offset, int len) throws IOException
     {
-        final char[] buf = _charBuffer;
-
+        final int end = offset+len;
         // 03-Aug-2022, tatu: Maybe need to do bounds checks first (found by Fuzzer)
-        if ((offset < 0) || (len < 0) || (offset+len) > text.length()) {
+        if ((offset < 0) || (len < 0) || (end > text.length())) {
             _reportError(String.format(
 "Invalid 'offset' (%d) and/or 'len' (%d) arguments for String of length %d",
 offset, len, text.length()));
         }
 
+        final char[] buf = _charBuffer;
         final int cbufLen = buf.length;
         // minor optimization: see if we can just get and copy
         if (len <= cbufLen) {
-            text.getChars(offset, offset+len, buf, 0);
+            text.getChars(offset, end, buf, 0);
             writeRaw(buf, 0, len);
             return;
         }
@@ -745,6 +745,13 @@ public void writeRawValue(SerializableString text) throws IOException {
     @Override
     public final void writeRaw(char[] cbuf, int offset, int len) throws IOException
     {
+        // 03-Aug-2022, tatu: Maybe need to do bounds checks first (found by Fuzzer)
+        if ((offset < 0) || (len < 0) || (offset+len) > cbuf.length) {
+            _reportError(String.format(
+"Invalid 'offset' (%d) and/or 'len' (%d) arguments for `char[]` of length %d",
+offset, len, cbuf.length));
+        }
+
         // First: if we have 3 x charCount spaces, we know it'll fit just fine
         {
             int len3 = len+len+len;

src/main/java/com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java

@@ -563,8 +563,17 @@ public void writeRaw(String text) throws IOException
     }
 
     @Override
-    public void writeRaw(String text, int start, int len) throws IOException
+    public void writeRaw(String text, int offset, int len) throws IOException
     {
+        final int end = offset + len;
+
+        // 03-Aug-2022, tatu: Maybe need to do bounds checks first (found by Fuzzer)
+        if ((offset < 0) || (len < 0) || end > text.length()) {
+            _reportError(String.format(
+"Invalid 'offset' (%d) and/or 'len' (%d) arguments for String of length %d",
+offset, len, text.length()));
+        }
+
         // Nothing to check, can just output as is
         int room = _outputEnd - _outputTail;
 
@@ -574,10 +583,10 @@ public void writeRaw(String text, int start, int len) throws IOException
         }
         // But would it nicely fit in? If yes, it's easy
         if (room >= len) {
-            text.getChars(start, start+len, _outputBuffer, _outputTail);
+            text.getChars(offset, end, _outputBuffer, _outputTail);
             _outputTail += len;
         } else {            	
-            writeRawLong(text.substring(start, start+len));
+            writeRawLong(text.substring(offset, end));
         }
     }
 
@@ -593,21 +602,28 @@ public void writeRaw(SerializableString text) throws IOException {
     }
 
     @Override
-    public void writeRaw(char[] text, int offset, int len) throws IOException
+    public void writeRaw(char[] cbuf, int offset, int len) throws IOException
     {
+        // 03-Aug-2022, tatu: Maybe need to do bounds checks first (found by Fuzzer)
+        if ((offset < 0) || (len < 0) || (offset+len) > cbuf.length) {
+            _reportError(String.format(
+"Invalid 'offset' (%d) and/or 'len' (%d) arguments for `char[]` of length %d",
+offset, len, cbuf.length));
+        }
+
         // Only worth buffering if it's a short write?
         if (len < SHORT_WRITE) {
             int room = _outputEnd - _outputTail;
             if (len > room) {
                 _flushBuffer();
             }
-            System.arraycopy(text, offset, _outputBuffer, _outputTail, len);
+            System.arraycopy(cbuf, offset, _outputBuffer, _outputTail, len);
             _outputTail += len;
             return;
         }
         // Otherwise, better just pass through:
         _flushBuffer();
-        _writer.write(text, offset, len);
+        _writer.write(cbuf, offset, len);
     }
 
     @Override