Fixed #259

Author: cowtowncoder

cbor/src/main/java/com/fasterxml/jackson/dataformat/cbor/CBORParser.java

@@ -634,7 +634,6 @@ public JsonToken nextToken() throws IOException
         } else {
             _tagValue = -1;
         }
-        
         switch (type) {
         case 0: // positive int
             _numTypesValid = NR_INT;
@@ -2159,7 +2158,13 @@ protected String _finishTextToken(int ch) throws IOException
         // 29-Jan-2021, tatu: as per [dataformats-binary#238] must keep in mind that
         //    the longest individual unit is 4 bytes (surrogate pair) so we
         //    actually need len+3 bytes to avoid bounds checks
-        final int needed = len + 3;
+
+        // 19-Mar-2021, tatu: [dataformats-binary#259] shows the case where length
+        //    we get is Integer.MAX_VALUE, leading to overflow. Could change values
+        //    to longs but simpler to truncate "needed" (will never pass following test
+        //    due to inputBuffer never being even close to that big)
+
+        final int needed = Math.max(len + 3, Integer.MAX_VALUE);
         final int available = _inputEnd - _inputPtr;
 
         if ((available >= needed)

cbor/src/test/java/com/fasterxml/jackson/dataformat/cbor/fuzz/Fuzz32173ShortTextTest.java

@@ -0,0 +1,27 @@
+package com.fasterxml.jackson.dataformat.cbor.fuzz;
+
+import com.fasterxml.jackson.core.io.JsonEOFException;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import com.fasterxml.jackson.dataformat.cbor.CBORTestBase;
+
+public class Fuzz32173ShortTextTest extends CBORTestBase
+{
+    private final ObjectMapper MAPPER = cborMapper();
+
+    public void testInvalidShortText() throws Exception
+    {
+        final byte[] input = new byte[] {
+                0x7A, // Text value
+                0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF // length: Integer.MAX_VALUE
+        };
+        try {
+            /*JsonNode root =*/ MAPPER.readTree(input);
+            fail("Should not pass, invalid content");
+        } catch (JsonEOFException e) {
+            verifyException(e, "Unexpected end-of-input in VALUE_STRING");
+        }
+    }
+
+}

release-notes/CREDITS-2.x

@@ -169,6 +169,9 @@ Fabian Meumertzheim (fmeum@github)
  (2.12.3)
 * Reported #258: (smile) ArrayIndexOutOfBoundsException for malformed Smile header
  (2.12.3)
+* Reported #259: (cbor) Failed to handle case of alleged String with length of
+  Integer.MAX_VALUE
+ (2.12.3)
 
 (jhhladky@github)
 

release-notes/VERSION-2.x

@@ -16,6 +16,8 @@ Modules:
  (reported by Fabian M)
 #258: (smile) ArrayIndexOutOfBoundsException for malformed Smile header
  (reported by Fabian M)
+#259: (cbor) Failed to handle case of alleged String with length of Integer.MAX_VALUE
+ (reported by Fabian M)
 
 2.12.2 (03-Mar-2021)