Closed
Description
In the CBORParser.convertNumberToBigDecimal() method there is an invocation of CBORParser.getText(), which can return null when there is no more text left in the input. If the result is null, the code throws a NullPointerException on the next line, when String.length() is called on it. CBORParser.convertNumberToBigDecimal() is reached from the public API CBORParser::getDecimalValue(), shown below together with the affected method:
```java
@Override
public BigDecimal getDecimalValue() throws IOException
{
    if ((_numTypesValid & NR_BIGDECIMAL) == 0) {
        if (_numTypesValid == NR_UNKNOWN) {
            _checkNumericValue(NR_BIGDECIMAL);
        }
        if ((_numTypesValid & NR_BIGDECIMAL) == 0) {
            convertNumberToBigDecimal();
        }
    }
    return _numberBigDecimal;
}

protected void convertNumberToBigDecimal() throws IOException
{
    // Note: this MUST start with more accurate representations, since we don't know which
    // value is the original one (others get generated when requested)
    if ((_numTypesValid & (NR_DOUBLE | NR_FLOAT)) != 0) {
        // Let's parse from String representation, to avoid rounding errors that
        // non-decimal floating operations would incur
        final String text = getText();
        streamReadConstraints().validateFPLength(text.length());
        ...
```
The suggested fix is to add a null check after the invocation of CBORParser.getText() and throw an exception if the value stored in text is indeed null. Since convertNumberToBigDecimal() already declares IOException, throwing a checked IOException there (rather than letting the NullPointerException, a RuntimeException, propagate) keeps the failure inside the exception type that callers of the parser already handle.
We found this issue with OSS-Fuzz, and it is reported at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65768.
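The following stand-alone program, added here as an illustration and not code from the jackson project, reproduces the pattern described above against a constructed stand-in for the relevant parts of CBORParser (the NR_* flags, getText(), validateFPLength() and convertNumberToBigDecimal() are all hypothetical stand-ins with constructed values) and shows why the suggested null check changes what a caller observes: without it the failure is an unchecked NullPointerException that escapes a catch (IOException) handler, with it the failure is a checked IOException carrying a message.

```java
import java.io.IOException;
import java.math.BigDecimal;

public class NullTextCheckDemo {

    // Constructed stand-ins for the parser's NR_* flags; only the bit tests matter here.
    static final int NR_UNKNOWN = 0;
    static final int NR_FLOAT = 1 << 2;
    static final int NR_DOUBLE = 1 << 3;
    static final int NR_BIGDECIMAL = 1 << 4;
    // Stand-in for the StreamReadConstraints floating-point text length limit.
    static final int MAX_FP_LENGTH = 1000;

    /** Hypothetical stand-in for the pieces of CBORParser involved in the bug. */
    static class ParserStandIn {
        private final String text;        // null models getText() with no text left in the input
        private final boolean nullCheck;  // false = current code, true = suggested fix
        int numTypesValid;
        BigDecimal numberBigDecimal;

        ParserStandIn(String text, int numTypesValid, boolean nullCheck) {
            this.text = text;
            this.numTypesValid = numTypesValid;
            this.nullCheck = nullCheck;
        }

        String getText() {
            return text;
        }

        void validateFPLength(int len) throws IOException {
            if (len > MAX_FP_LENGTH) {
                throw new IOException("Number value length (" + len
                        + ") exceeds the maximum allowed (" + MAX_FP_LENGTH + ")");
            }
        }

        void convertNumberToBigDecimal() throws IOException {
            if ((numTypesValid & (NR_DOUBLE | NR_FLOAT)) != 0) {
                final String t = getText();
                if (nullCheck && t == null) {
                    // Suggested fix: fail with the checked type this method already declares.
                    throw new IOException("Internal error: no text available for floating-point value");
                }
                // Without the check, a null t dereferences here and throws NullPointerException.
                validateFPLength(t.length());
                numberBigDecimal = new BigDecimal(t);
                numTypesValid |= NR_BIGDECIMAL;
            }
        }
    }

    /**
     * Runs the conversion the way a caller of getDecimalValue() typically would,
     * catching only IOException, and reports what came out of it.
     */
    static String outcome(String text, boolean nullCheck) {
        ParserStandIn p = new ParserStandIn(text, NR_DOUBLE, nullCheck);
        try {
            p.convertNumberToBigDecimal();
            return "ok: " + p.numberBigDecimal;
        } catch (IOException e) {
            return "IOException: " + e.getMessage();
        } catch (RuntimeException e) {
            // Only reached because this demo deliberately catches what the
            // IOException handler above would have let through.
            return "escaped IOException handling: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        System.out.println("valid text, no check : " + outcome("1.5", false));
        System.out.println("null text,  no check : " + outcome(null, false));
        System.out.println("null text,  with check: " + outcome(null, true));
    }
}
```

Compile and run with javac NullTextCheckDemo.java && java NullTextCheckDemo. The first call converts normally, the second ends in the RuntimeException branch (the NullPointerException the fuzzer observed), and the third ends in the IOException branch, which is the behaviour the null check is meant to produce.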