Fix #268

cowtowncoder · cowtowncoder · commit 87683e346e73 · 2021-03-30T15:41:46.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -28,6 +28,8 @@ Modules:
  (7-bit encoded) 
 #266: (smile)  ArrayIndexOutOfBoundsException in SmileParser._decodeShortUnicodeValue()
  (reported by Fabian M)
+#268: (smile) Handle sequence of Smile header markers without recursion
+ (reported by Fabian M)
 
 2.12.2 (03-Mar-2021)
 
diff --git a/smile/src/main/java/com/fasterxml/jackson/dataformat/smile/SmileParser.java b/smile/src/main/java/com/fasterxml/jackson/dataformat/smile/SmileParser.java
@@ -452,13 +452,14 @@ public JsonToken nextToken() throws IOException
                 }
                 if (typeBits == 0x1A) { // == 0x3A == ':' -> possibly header signature for next chunk?
                     if (handleSignature(false, false)) {
-                        /* Ok, now; end-marker and header both imply doc boundary and a
-                         * 'null token'; but if both are seen, they are collapsed.
-                         * We can check this by looking at current token; if it's null,
-                         * need to get non-null token
-                         */
+                        // Ok, now; end-marker and header both imply doc boundary and a
+                        // 'null token'; but if both are seen, they are collapsed.
+                        // We can check this by looking at current token; if it's null,
+                        // need to get non-null token
+                        // 30-Mar-2021, tatu: [dataformats-binary#268] Let's verify we
+                        //    handle repeated back-to-back headers separately
                         if (_currToken == null) {
-                            return nextToken();
+                            return _nextAfterHeader();
                         }
                         return (_currToken = null);
                     }
@@ -529,6 +530,28 @@ public JsonToken nextToken() throws IOException
         return null;
     }
 
+    // Helper method called in situations where Smile Header was encountered
+    // and "current token" is `null`. This can occur both right after document-end
+    // marker (normal situation) and immediately at the beginning of document
+    // (repeated header markers). Normally we'll want to find the real next token
+    // but will not want to do infinite recursion for abnormal case of a very long
+    // sequence of repeated header markers. To guard against that, only call
+    // recursively if we know next token cannot be header; checking that is simple
+    // enough
+    //
+    // @since 2.12.3
+    private JsonToken _nextAfterHeader() throws IOException
+    {
+        if ((_inputPtr < _inputEnd) || _loadMore()) {
+            if (_inputBuffer[_inputPtr] == SmileConstants.HEADER_BYTE_1) {
+                // danger zone; just set and return null token
+                return (_currToken = null);
+            }
+        }
+        // Otherwise safe enough to do recursion
+        return nextToken();
+    }
+
     private final JsonToken _handleSharedString(int index) throws IOException
     {
         if (index >= _seenStringValueCount) {
diff --git a/smile/src/test/java/com/fasterxml/jackson/dataformat/smile/fuzz/Fuzz32665RepeatedHeaderTest.java b/smile/src/test/java/com/fasterxml/jackson/dataformat/smile/fuzz/Fuzz32665RepeatedHeaderTest.java
@@ -0,0 +1,49 @@
+package com.fasterxml.jackson.dataformat.smile.fuzz;
+
+import java.io.ByteArrayOutputStream;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.smile.BaseTestForSmile;
+
+// for [dataformats-binary#268]
+public class Fuzz32665RepeatedHeaderTest extends BaseTestForSmile
+{
+    private final ObjectMapper MAPPER = smileMapper();
+
+    // for [dataformats-binary#268]
+    public void testLongRepeatedHeaders() throws Exception
+    {
+        ByteArrayOutputStream bytes = new ByteArrayOutputStream(16001);
+        for (int i = 0; i < 10; ++i) {
+            // repeat Smile header 10 times
+            bytes.write(0x3A);
+            bytes.write(0x29);
+            bytes.write(0x0A);
+            bytes.write(0x00);
+        }
+
+        // and then append "empty String" marker for funsies
+        bytes.write(0x20);
+
+        final byte[] DOC = bytes.toByteArray();
+
+        try (JsonParser p = MAPPER.createParser(DOC)) {
+            // Ideally would get 9 nulls but looks like at the beginning of stream
+            // it will be one less (not so later on). Good enough given that there is
+            // no real definition of handling here.
+            for (int i = 0; i < 8; ++i) {
+                JsonToken t = p.nextToken();
+                if (t != null) {
+                    fail("Failed at token #"+i+"; expected `null`, got: "+t);
+                }
+            }
+            // and finally, empty String
+            assertToken(JsonToken.VALUE_STRING, p.nextToken());
+
+            // and then the "real" end of input
+            assertNull(p.nextToken());
+        }
+    }
+}
