`SmileParser` throws unexpected IOOBE for corrupt content

[arthurscchan]

In the SmileParser::nextTextValue() method, there is a line that uses the Integer ptr as an index to retrieve a byte from the _inputBuffer. But it is found that with some invalid input and repeat calling to the SmileParser::nextTextValue() method, it could cause ptr to be negative and trigger an unexpected ArrayIndexOutOfBoundsException.

     public String nextTextValue() throws IOException
    {
       ...
            int ptr = _inputPtr;
            if (ptr >= _inputEnd) {
               ...
            }
            _tokenOffsetForTotal = ptr;
            int ch = _inputBuffer[ptr++] & 0xFF;
       ...

The simplest fix is to add a bound check for the ptr before using it as the array index.

We found this issue by OSS-Fuzz and it is reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65126.

[cowtowncoder]

The problem here is that this might not be directly due to anything within nextTextValue() itself but (possibly) in preceding steps. So it is necessary to see the sequence of things that lead to the problematic state, in which call to nextTextValue() (and likely other calls) would fail.

Unfortunately I don't think nextTextValue() can truly validate offset at that point, but rather whatever lead to invalid value needs to be fixed
(specifically: just because offset is within valid buffer does not mean it might not be corrupt -- it being off the buffer does indicate it is invalid, of course, but the goal is prevent the problem where it occurs).

It is very likely that this requires an invalid document being read; but it may also rely on specific accessors/iteration methods being called.