Fix for 451: Add negative index checking for token retrieval (#452)

arthurscchan · web-flow · commit 170cbaa9787e · 2024-01-09T10:14:01.000-08:00
diff --git a/cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java b/cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java
@@ -3183,7 +3183,6 @@ protected void _skipIncomplete() throws IOException
             _throwInternal();
         }
         final int lowBits = _typeByte & 0x1F;
-
         if (lowBits <= 23) {
             if (lowBits > 0) {
                 _skipBytes(lowBits);
@@ -3224,8 +3223,8 @@ protected void _skipChunked(int expectedType) throws IOException
             // verify that type matches
             int type = (ch >> 5);
             if (type != expectedType) {
-                throw _constructError("Mismatched chunk in chunked content: expected "+expectedType
-                        +" but encountered "+type);
+                throw _constructReadException(
+"Mismatched chunk in chunked content: expected %d but encountered %s", expectedType, type);
             }
 
             final int lowBits = ch & 0x1F;
@@ -3251,7 +3250,7 @@ protected void _skipChunked(int expectedType) throws IOException
                 break;
             case 31:
                 throw _constructReadException(
-"Illegal chunked-length indicator within chunked-length value (type %d)",
+"Invalid chunked-length indicator within chunked-length value (type %d)",
 expectedType);
             default:
                 _invalidToken(_typeByte);
@@ -3261,6 +3260,11 @@ protected void _skipChunked(int expectedType) throws IOException
 
     protected void _skipBytesL(long llen) throws IOException
     {
+        if (llen < 0L) {
+            throw _constructReadException(
+"Corrupt content: invalid length indicator (%d) encountered during skipping, current token: %s",
+llen, currentToken());
+        }
         while (llen > MAX_INT_L) {
             _skipBytes((int) MAX_INT_L);
             llen -= MAX_INT_L;
@@ -3270,6 +3274,11 @@ protected void _skipBytesL(long llen) throws IOException
 
     protected void _skipBytes(int len) throws IOException
     {
+        if (len < 0) {
+            throw _constructReadException(
+"Corrupt content: invalid length indicator (%d) encountered during skipping, current token: %s",
+len, currentToken());
+        }
         while (true) {
             int toAdd = Math.min(len, _inputEnd - _inputPtr);
             _inputPtr += toAdd;
diff --git a/cbor/src/test/java/com/fasterxml/jackson/dataformat/cbor/fuzz/CBORFuzz451_65617_IOOBETest.java b/cbor/src/test/java/com/fasterxml/jackson/dataformat/cbor/fuzz/CBORFuzz451_65617_IOOBETest.java
@@ -0,0 +1,29 @@
+package com.fasterxml.jackson.dataformat.cbor.fuzz;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
+import com.fasterxml.jackson.core.exc.StreamReadException;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import com.fasterxml.jackson.dataformat.cbor.CBORTestBase;
+
+public class CBORFuzz451_65617_IOOBETest extends CBORTestBase
+{
+    private final ObjectMapper MAPPER = cborMapper();
+
+    public void testInvalidText() throws Exception
+    {
+        final byte[] input = readResource("/data/clusterfuzz-cbor-65617.cbor");
+        try (JsonParser p = MAPPER.createParser(input)) {
+            try {
+                assertToken(JsonToken.VALUE_STRING, p.nextToken());
+                // Important: do not access String, force skipping
+                p.nextToken();
+                fail("Should not reach here (invalid input)");
+            } catch (StreamReadException e) {
+                verifyException(e, "Invalid length indicator");
+            }
+        }
+    }
+}
diff --git a/cbor/src/test/resources/data/clusterfuzz-cbor-65617.cbor b/cbor/src/test/resources/data/clusterfuzz-cbor-65617.cbor
diff --git a/release-notes/CREDITS-2.x b/release-notes/CREDITS-2.x
@@ -301,3 +301,5 @@ Arthur Chan (@arthurscchan)
  * Contributed #449: (avro) `IndexOutOfBoundsException` in `JacksonAvroParserImpl`
    for invalid input
   (2.17.0)
+ * Contributed #451: (cbor) `IndexOutOfBoundsException` in `CBORParser` for invalid input
+  (2.17.0)
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -28,10 +28,12 @@ Active maintainers:
  (fix contributed by Arthur C)-(
 #432: (ion) More methods from `IonReader` could throw an unexpected `AssertionError`
  (fix contributed by Arthur C)
-#434 (ion) Unexpected `NullPointerException` thrown from `IonParser::getNumberType()`
+#434: (ion) Unexpected `NullPointerException` thrown from `IonParser::getNumberType()`
  (fix contributed by Arthur C)
-#437 (ion) `IonReader.next()` throws NPEs for some invalid content
-#449 (avro) `IndexOutOfBoundsException` in `JacksonAvroParserImpl` for invalid input
+#437: (ion) `IonReader.next()` throws NPEs for some invalid content
+#449: (avro) `IndexOutOfBoundsException` in `JacksonAvroParserImpl` for invalid input
+ (fix contributed by Arthur C)
+#451: (cbor) `IndexOutOfBoundsException` in `CBORParser` for invalid input
  (fix contributed by Arthur C)
 - (ion) Update `com.amazon.ion:ion-java` to 1.11.0 (from 1.10.5)
 
