Fix #968: prevent some conversion from BigInteger to BigDecimal for perf reasons

cowtowncoder · cowtowncoder · commit 1713faab215d · 2023-04-05T15:50:11.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -14,6 +14,9 @@ JSON library.
 === Releases ===
 ------------------------------------------------------------------------
 
+#968: Prevent inefficient internal conversion from `BigDecimal` to `BigInteger`
+  wrt ultra-large scale
+
 2.15.0-rc2 (28-Mar-2023)
 
 #827: Add numeric value size limits via `StreamReadConstraints` (fixes
diff --git a/src/main/java/com/fasterxml/jackson/core/StreamReadConstraints.java b/src/main/java/com/fasterxml/jackson/core/StreamReadConstraints.java
@@ -42,6 +42,15 @@ public class StreamReadConstraints
      */
     public static final int DEFAULT_MAX_STRING_LEN = 5_000_000;
 
+    /**
+     * Limit for the maximum magnitude of Scale of {@link java.math.BigDecimal} that can be
+     * converted to {@link java.math.BigInteger}; actual limit value is either
+     * {@code 10 * maxNumLen} or this value, whichever is smaller.
+     *<p>
+     * "100k digits ought to be enough for anybody!"
+     */
+    private static final int MAX_BIGINT_SCALE_MAGNITUDE = 100_000;
+
     protected final int _maxNestingDepth;
     protected final int _maxNumLen;
     protected final int _maxStringLen;
@@ -283,4 +292,33 @@ public void validateStringLength(int length) throws StreamConstraintsException
                     length, _maxStringLen));
         }
     }
+
+    /*
+    /**********************************************************************
+    /* Convenience methods for validation, other
+    /**********************************************************************
+     */
+
+    /**
+     * Convenience method that can be used to verify that a conversion to
+     * {@link java.math.BigInteger}
+     * {@link StreamConstraintsException}
+     * is thrown.
+     *
+     * @param scale Scale (possibly negative) of {@link java.math.BigDecimal} to convert
+     *
+     * @throws StreamConstraintsException If magnitude (absolute value) of scale exceeds maximum
+     *    allowed
+     */
+    public void validateBigIntegerScale(int scale) throws StreamConstraintsException
+    {
+        final int absScale = Math.abs(scale);
+        final int limit = MAX_BIGINT_SCALE_MAGNITUDE;
+
+        if (absScale > limit) {
+            throw new StreamConstraintsException(String.format(
+                    "BigDecimal scale (%d) magnitude exceeds maximum allowed (%d)",
+                    scale, limit));
+        }
+    }
 }
diff --git a/src/main/java/com/fasterxml/jackson/core/base/ParserBase.java b/src/main/java/com/fasterxml/jackson/core/base/ParserBase.java
@@ -1217,6 +1217,8 @@ protected void convertNumberToBigDecimal() throws IOException
     // @since 2.15
     protected BigInteger _convertBigDecimalToBigInteger(BigDecimal bigDec) throws IOException {
         // 04-Apr-2022, tatu: wrt [core#968] Need to limit max scale magnitude
+        //   (may throw StreamConstraintsException)
+        _streamReadConstraints.validateBigIntegerScale(bigDec.scale());
         return bigDec.toBigInteger();
     }
 
diff --git a/src/test/java/com/fasterxml/jackson/failing/PerfBigDecimalToInteger968.java b/src/test/java/com/fasterxml/jackson/failing/PerfBigDecimalToInteger968.java
@@ -1,11 +1,10 @@
 package com.fasterxml.jackson.failing;
 
-import java.math.BigInteger;
-
 import org.junit.Assert;
 import org.junit.Test;
 
 import com.fasterxml.jackson.core.*;
+import com.fasterxml.jackson.core.exc.StreamConstraintsException;
 
 // For [core#968]]
 public class PerfBigDecimalToInteger968
@@ -19,8 +18,12 @@ public void bigIntegerViaBigDecimal() throws Exception {
 
         try (JsonParser p = JSON_F.createParser(DOC)) {
             assertToken(JsonToken.VALUE_NUMBER_FLOAT, p.nextToken());
-            BigInteger value = p.getBigIntegerValue();
-            Assert.assertNotNull(value);
+            try {
+                p.getBigIntegerValue();
+                Assert.fail("Should not pass");
+            } catch (StreamConstraintsException e) {
+                Assert.assertEquals("BigDecimal scale (-25000000) magnitude exceeds maximum allowed (100000)", e.getMessage());
+            }
         }
     }
 
@@ -30,8 +33,12 @@ public void tinyIntegerViaBigDecimal() throws Exception {
 
         try (JsonParser p = JSON_F.createParser(DOC)) {
             assertToken(JsonToken.VALUE_NUMBER_FLOAT, p.nextToken());
-            BigInteger value = p.getBigIntegerValue();
-            Assert.assertNotNull(value);
+            try {
+                p.getBigIntegerValue();
+                Assert.fail("Should not pass");
+            } catch (StreamConstraintsException e) {
+                Assert.assertEquals("BigDecimal scale (25000000) magnitude exceeds maximum allowed (100000)", e.getMessage());
+            }
         }
     }
     

Original file line number	Diff line number	Diff line change
`@@ -1217,6 +1217,8 @@ protected void convertNumberToBigDecimal() throws IOException`
`1217`	`1217`	`// @since 2.15`
`1218`	`1218`	`protected BigInteger _convertBigDecimalToBigInteger(BigDecimal bigDec) throws IOException {`
`1219`	`1219`	`// 04-Apr-2022, tatu: wrt [core#968] Need to limit max scale magnitude`
	`1220`	`+ // (may throw StreamConstraintsException)`
	`1221`	`+ _streamReadConstraints.validateBigIntegerScale(bigDec.scale());`
`1220`	`1222`	`return bigDec.toBigInteger();`
`1221`	`1223`	`}`
`1222`	`1224`