Fix #287

cowtowncoder · cowtowncoder · commit 622c65b92657 · 2021-06-29T19:47:12.000-07:00
diff --git a/cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java b/cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java
@@ -2415,6 +2415,7 @@ private final int _nextByte() throws IOException {
         return _inputBuffer[_inputPtr++];
     }
 
+    // NOTE! ALWAYS called for non-first byte of multi-byte UTF-8 code point
     private final int _nextChunkedByte() throws IOException {
         int inPtr = _inputPtr;
         
@@ -2427,6 +2428,7 @@ private final int _nextChunkedByte() throws IOException {
         return ch;
     }
 
+    // NOTE! ALWAYS called for non-first byte of multi-byte UTF-8 code point
     private final int _nextChunkedByte2() throws IOException
     {
         // two possibilities: either end of buffer (in which case, just load more),
@@ -2449,10 +2451,18 @@ private final int _nextChunkedByte2() throws IOException
         }
         int len = _decodeChunkLength(CBORConstants.MAJOR_TYPE_TEXT);
         // not actually acceptable if we got a split character
-        if (len < 0) {
+        // 29-Jun-2021, tatu: As per CBOR spec:
+        // "Note that this implies that the bytes of a single UTF-8 character cannot be
+        //  spread between chunks: a new chunk can only be started at a character boundary."
+        // -> 0-length chunk not allowed either
+        if (len <= 0) {
             _reportInvalidEOF(": chunked Text ends with partial UTF-8 character",
                     JsonToken.VALUE_STRING);
         }
+        if (_inputPtr >= _inputEnd) { // Must have at least one byte to return
+            loadMoreGuaranteed();
+        }
+
         int end = _inputPtr + len;
         if (end <= _inputEnd) { // all within buffer
             _chunkLeft = 0;
diff --git a/cbor/src/test/java/com/fasterxml/jackson/dataformat/cbor/fuzz/Fuzz32912ChunkedTextTest.java b/cbor/src/test/java/com/fasterxml/jackson/dataformat/cbor/fuzz/Fuzz32912ChunkedTextTest.java
@@ -0,0 +1,33 @@
+package com.fasterxml.jackson.dataformat.cbor.fuzz;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
+import com.fasterxml.jackson.core.io.JsonEOFException;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import com.fasterxml.jackson.dataformat.cbor.CBORTestBase;
+
+public class Fuzz32912ChunkedTextTest extends CBORTestBase
+{
+    private final ObjectMapper MAPPER = cborMapper();
+
+    public void testInvalidShortText() throws Exception
+    {
+        final byte[] input = new byte[] {
+                0x7F, 0x61,
+                (byte) 0xF3, 0x61
+        };
+
+        try (JsonParser p = MAPPER.createParser(input)) {
+            // Won't fail immediately
+            assertToken(JsonToken.VALUE_STRING, p.nextToken());
+            try {
+                String str = p.getText();
+                fail("Should not get String value but exception, got: ["+str+"]");
+            } catch (JsonEOFException e) {
+                verifyException(e, "Unexpected end-of-input in VALUE_STRING");
+            }
+        }
+    }
+}
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -10,6 +10,10 @@ Modules:
 === Releases ===
 ------------------------------------------------------------------------
 
+2.12.4 (not yet released)
+
+#287: (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
+
 2.12.3 (12-Apr-2021)
 
 #257: (smile) Uncaught validation problem wrt Smile "BigDecimal" type
