Fix #485: add range checks for int and long conversions (#488)

Author: cowtowncoder

csv/src/main/java/com/fasterxml/jackson/dataformat/csv/impl/CsvDecoder.java

@@ -199,8 +199,14 @@ public class CsvDecoder
     final protected static int NR_DOUBLE = 0x008;
     final protected static int NR_BIGDECIMAL = 0x0010;
 
-    // Also, we need some numeric constants
+    // Also, we need some numeric constants (copied from ParserBase)
 
+    final static BigInteger BI_MIN_INT = BigInteger.valueOf(Integer.MIN_VALUE);
+    final static BigInteger BI_MAX_INT = BigInteger.valueOf(Integer.MAX_VALUE);
+
+    final static BigInteger BI_MIN_LONG = BigInteger.valueOf(Long.MIN_VALUE);
+    final static BigInteger BI_MAX_LONG = BigInteger.valueOf(Long.MAX_VALUE);
+    
     final static BigDecimal BD_MIN_LONG = new BigDecimal(Long.MIN_VALUE);
     final static BigDecimal BD_MAX_LONG = new BigDecimal(Long.MAX_VALUE);
 
@@ -1372,8 +1378,12 @@ protected void convertNumberToInt() throws IOException
             }
             _numberInt = result;
         } else if ((_numTypesValid & NR_BIGINT) != 0) {
-            // !!! Should check for range...
-            _numberInt = _getBigInteger().intValue();
+            final BigInteger bigInteger = _getBigInteger();
+            if (BI_MIN_INT.compareTo(bigInteger) > 0
+                    || BI_MAX_INT.compareTo(bigInteger) < 0) {
+                reportOverflowInt();
+            }
+            _numberInt = bigInteger.intValue();
         } else if ((_numTypesValid & NR_DOUBLE) != 0) {
             // Need to check boundaries
             if (_numberDouble < MIN_INT_D || _numberDouble > MAX_INT_D) {
@@ -1399,8 +1409,12 @@ protected void convertNumberToLong() throws IOException
         if ((_numTypesValid & NR_INT) != 0) {
             _numberLong = _numberInt;
         } else if ((_numTypesValid & NR_BIGINT) != 0) {
-            // !!! Should check for range...
-            _numberLong = _getBigInteger().longValue();
+            final BigInteger bigInteger = _getBigInteger();
+            if (BI_MIN_LONG.compareTo(bigInteger) > 0
+                    || BI_MAX_LONG.compareTo(bigInteger) < 0) {
+                reportOverflowLong();
+            }
+            _numberLong = bigInteger.longValue();
         } else if ((_numTypesValid & NR_DOUBLE) != 0) {
             // Need to check boundaries
             if (_numberDouble < MIN_LONG_D || _numberDouble > MAX_LONG_D) {
@@ -1444,11 +1458,10 @@ protected void convertNumberToBigInteger()
     protected void convertNumberToDouble()
         throws IOException
     {
-        /* 05-Aug-2008, tatus: Important note: this MUST start with
-         *   more accurate representations, since we don't know which
-         *   value is the original one (others get generated when
-         *   requested)
-         */
+        // 05-Aug-2008, tatus: Important note: this MUST start with
+        //   more accurate representations, since we don't know which
+        //   value is the original one (others get generated when
+        //   requested)
 
         if ((_numTypesValid & NR_BIGDECIMAL) != 0) {
             _numberDouble = _getBigDecimal().doubleValue();
@@ -1468,9 +1481,8 @@ protected void convertNumberToDouble()
     protected void convertNumberToBigDecimal() throws IOException
     {
         if ((_numTypesValid & NR_DOUBLE) != 0) {
-            /* Let's actually parse from String representation, to avoid
-             * rounding errors that non-decimal floating operations could incur
-             */
+            // Let's actually parse from String representation, to avoid
+            // rounding errors that non-decimal floating operations could incur
             final String text = getText();
             _ioContext.streamReadConstraints().validateFPLength(text.length());
             _numberBigDecimal = NumberInput.parseBigDecimal(

csv/src/test/java/com/fasterxml/jackson/dataformat/csv/failing/IntOverflow485Test.java

@@ -1,12 +1,11 @@
 package com.fasterxml.jackson.dataformat.csv.failing;
 
-import java.math.BigInteger;
-
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
-import com.fasterxml.jackson.core.exc.StreamReadException;
+
+import com.fasterxml.jackson.databind.DatabindException;
 import com.fasterxml.jackson.databind.ObjectReader;
+
 import com.fasterxml.jackson.dataformat.csv.CsvMapper;
-import com.fasterxml.jackson.dataformat.csv.CsvSchema;
 import com.fasterxml.jackson.dataformat.csv.ModuleTestBase;
 
 public class IntOverflow485Test extends ModuleTestBase
@@ -36,8 +35,9 @@ public void testIntOverflow() throws Exception
         try {
             Numbers485 result = READER.readValue(csv485("111111111111111111111111111111111111111111", "0"));
             fail("Should not pass; got: "+result.intValue);
-        } catch (StreamReadException e) {
-            verifyException(e, "CHANGE THIS");
+        } catch (DatabindException e) { // in 2.x gets wrapped
+            verifyException(e, "Numeric value");
+            verifyException(e, "out of range of int");
         }
     }
 
@@ -47,8 +47,9 @@ public void testLongOverflow() throws Exception
             Numbers485 result = READER.readValue(csv485("0",
                     "2222222222222222222222222222222222222222"));
             fail("Should not pass; got: "+result.longValue);
-        } catch (StreamReadException e) {
-            verifyException(e, "CHANGE THIS");
+        } catch (DatabindException e) { // in 2.x gets wrapped
+            verifyException(e, "Numeric value");
+            verifyException(e, "out of range of long");
         }
     }
 

release-notes/CREDITS-2.x

@@ -277,3 +277,8 @@ Heiko Boettger (@HeikoBoettger)
 * Contributed #482: (yaml) Allow passing `ParserImpl` by a subclass or overwrite the events
  (2.18.0)
 
+Burdyug Pavel (@Pavel38l)
+
+* Reported #485: (csv) CSVDecoder: No Long and Int out of range exceptions
+ (2.18.0)
+

release-notes/VERSION-2.x

@@ -23,6 +23,8 @@ Active Maintainers:
  (contributed by David P)
 #482: (yaml) Allow passing `ParserImpl` by a subclass or overwrite the events
  (contributed by Heiko B)
+#485: (csv) CSVDecoder: No Long and Int out of range exceptions
+ (reported by Burdyug P)
 
 2.17.2 (05-Jul-2024)