diff --git a/release-notes/CREDITS-2.x b/release-notes/CREDITS-2.x index 3e451885f..45dad8e85 100644 --- a/release-notes/CREDITS-2.x +++ b/release-notes/CREDITS-2.x @@ -284,9 +284,11 @@ Simon Daudin (@simondaudin) Arthur Chan (@arthurscchan) * Contributed #417: (ion) `IonReader` classes contain assert statement which could throw unexpected `AssertionError` - (2.17.0) + (2.17.0) * Contributed #420: (ion) `IndexOutOfBoundsException` thrown by `IonReader` implementations - (2.17.0) + (2.17.0) * Contributed #424: (ion) `IonReader` throws `NullPointerException` for unchecked invalid data - (2.17.0) + (2.17.0) + * Contributed #426: (smile) `SmileParser` throws unexpected IOOBE for corrupt content + (2.17.0) diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x index fcdb42b28..fd6831dee 100644 --- a/release-notes/VERSION-2.x +++ b/release-notes/VERSION-2.x @@ -18,12 +18,14 @@ Active maintainers: #417: (ion) `IonReader` classes contain assert statement which could throw unexpected `AssertionError` - (contributed by Arthur C) + (fix contributed by Arthur C) #420: (ion) `IndexOutOfBoundsException` thrown by `IonReader` implementations are not handled - (contributed by Arthur C) + (fix contributed by Arthur C) #424: (ion) `IonReader` throws `NullPointerException` for unchecked invalid data - (contributed by Arthur C) + (fix contributed by Arthur C) +#426: (smile) `SmileParser` throws unexpected IOOBE for corrupt content + (fix contributed by Arthur C) -(ion) Update `com.amazon.ion:ion-java` to 1.11.0 (from 1.10.5) 2.16.0 (15-Nov-2023) diff --git a/smile/src/main/java/com/fasterxml/jackson/dataformat/smile/SmileParser.java b/smile/src/main/java/com/fasterxml/jackson/dataformat/smile/SmileParser.java index c27ce3602..e65907684 100644 --- a/smile/src/main/java/com/fasterxml/jackson/dataformat/smile/SmileParser.java +++ b/smile/src/main/java/com/fasterxml/jackson/dataformat/smile/SmileParser.java 
@@ -2893,6 +2893,11 @@ protected void _skipIncomplete() throws IOException protected void _skipBytes(int len) throws IOException { + // 18-Dec-2023, tatu: Sanity check related to some OSS-Fuzz findings: + if (len < 0) { + throw _constructReadException("Internal error: _skipBytes() called with negative value: %d", + len); + } while (true) { int toAdd = Math.min(len, _inputEnd - _inputPtr); _inputPtr += toAdd; @@ -2914,6 +2919,15 @@ protected void _skip7BitBinary() throws IOException // Ok; 8 encoded bytes for 7 payload bytes first int chunks = origBytes / 7; int encBytes = chunks * 8; + + // sanity check: not all length markers valid; due to signed int(32) + // calculations maximum length only 7/8 of 2^31 + if (encBytes < 0) { + throw _constructReadException( + "Invalid content: invalid 7-bit binary encoded byte length (0x%X) exceeds maximum valid value", + origBytes); + } + // and for last 0 - 6 bytes, last+1 (except none if no leftovers) origBytes -= 7 * chunks; if (origBytes > 0) { diff --git a/smile/src/test/java/com/fasterxml/jackson/dataformat/smile/fuzz/Fuzz_426_65126IOOBETest.java b/smile/src/test/java/com/fasterxml/jackson/dataformat/smile/fuzz/Fuzz_426_65126IOOBETest.java new file mode 100644 index 000000000..f25b23590 --- /dev/null +++ b/smile/src/test/java/com/fasterxml/jackson/dataformat/smile/fuzz/Fuzz_426_65126IOOBETest.java 
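Review bot: The guard at the top of `_skipBytes()` does not say what it protects: the loop that follows computes `toAdd = Math.min(len, _inputEnd - _inputPtr)` and adds it to `_inputPtr`, so a negative `len` would move the input pointer backwards instead of skipping forward. I would extend the comment to `// A negative length can only come from an overflowed length computation upstream; rejecting it here keeps the Math.min() below from moving _inputPtr backwards.` The message labels this "Internal error", which reads as a parser bug even though it appears reachable from corrupt input; if the upstream check does not cover every caller, wording that reflects that would be less misleading. The loop body of `_skipBytes()` continues past the end of the hunk.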
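Review bot: The new check in `_skip7BitBinary()` detects overflow of `chunks * 8` only by its sign, and the message "exceeds maximum valid value" assumes `origBytes` was non-negative to begin with; where `origBytes` is decoded is outside the hunk, so if that decoder can ever yield a negative count the same branch fires with a misleading message. Stating the bound directly avoids relying on wraparound: `if (origBytes < 0 || chunks > Integer.MAX_VALUE / 8) {`. The existing comment could also give the exact limit, `// 7-bit encoding expands 7 payload bytes to 8, so counts above (Integer.MAX_VALUE / 8) * 7 cannot be represented as an int byte count`. The method's start and the later use of `encBytes` are outside the hunk.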
@@ -0,0 +1,28 @@
+package com.fasterxml.jackson.dataformat.smile.fuzz;
+
+import com.fasterxml.jackson.core.*;
+import com.fasterxml.jackson.core.exc.StreamReadException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import com.fasterxml.jackson.dataformat.smile.BaseTestForSmile;
+
+public class Fuzz_426_65126IOOBETest extends BaseTestForSmile
+{
+    private final ObjectMapper MAPPER = smileMapper();
+
+    // [dataformats-binary#426]
+    public void testInvalidIOOBE() throws Exception
+    {
+        final byte[] input = readResource("/data/clusterfuzz-smile-65126.smile");
+        try (JsonParser p = MAPPER.createParser(input)) {
+            assertNull(p.nextTextValue());
+            assertToken(JsonToken.VALUE_EMBEDDED_OBJECT, p.currentToken());
+            try {
+                p.nextTextValue();
+                fail("Should not pass");
+            } catch (StreamReadException e) {
+                verifyException(e, "Invalid content: invalid 7-bit binary encoded byte length");
+            }
+        }
+    }
+}
diff --git a/smile/src/test/resources/data/clusterfuzz-smile-65126.smile b/smile/src/test/resources/data/clusterfuzz-smile-65126.smile
new file mode 100644
index 000000000..f02725dc4
Binary files /dev/null and b/smile/src/test/resources/data/clusterfuzz-smile-65126.smile differ
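Review bot: The test pins only the `_skip7BitBinary()` rejection path (the "invalid 7-bit binary encoded byte length" message); the negative-length guard added to `_skipBytes()` in the same commit has no test here. If a reproducer exists for that path it deserves a second case, and if it is only a defensive backstop a comment on the test method saying so would stop the next reader from looking for one, e.g. `// Exercises the encBytes overflow check in _skip7BitBinary(); the _skipBytes() negative-length guard is a backstop not reached by this input.` The prefix passed to `verifyException` couples the test to the exception wording, which is acceptable for a regression test but worth keeping in mind if that message is reworded.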