ArrayIndexOutOfBoundsException in CBORParser for invalid UTF-8 String #236

Closed
fmeum opened this issue Jan 14, 2021 · 3 comments

fmeum commented Jan 14, 2021

The following Java snippet crashes with an ArrayIndexOutOfBoundsException in CBORParser._finishShortText:

import java.io.IOException;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.dataformat.cbor.CBORFactory;

public class JacksonCborCrash {
    public static void main(String[] args) {
        byte[] input = {0x66, (byte) 0xef, 0x7d, 0x7d, 0xa, 0x2d, (byte) 0xda};
        CBORFactory factory = new CBORFactory();
        ObjectMapper mapper = new ObjectMapper(factory);
        try {
            mapper.readTree(input);
        } catch (IOException e) {}
    }
}

The stack trace with version 2.12.1 is:

java.lang.ArrayIndexOutOfBoundsException: Index 7 out of bounds for length 7
        at com.fasterxml.jackson.dataformat.cbor.CBORParser._finishShortText(CBORParser.java:2203)
        at com.fasterxml.jackson.dataformat.cbor.CBORParser._finishTextToken(CBORParser.java:2170)
        at com.fasterxml.jackson.dataformat.cbor.CBORParser.getText(CBORParser.java:1530)
        at com.fasterxml.jackson.databind.deser.std.BaseNodeDeserializer.deserializeAny(JsonNodeDeserializer.java:545)
        at com.fasterxml.jackson.databind.deser.std.JsonNodeDeserializer.deserialize(JsonNodeDeserializer.java:74)
        at com.fasterxml.jackson.databind.deser.std.JsonNodeDeserializer.deserialize(JsonNodeDeserializer.java:16)
        at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:322)
        at com.fasterxml.jackson.databind.ObjectMapper._readTreeAndClose(ObjectMapper.java:4635)
        at com.fasterxml.jackson.databind.ObjectMapper.readTree(ObjectMapper.java:3056)

This issue appears to be caused by missing bounds checks in the cases of this switch statement.

@cowtowncoder
Member

@fmeum Thank you for reporting this, I'll need to have a look.

@cowtowncoder
Member

Ah. So this is broken encoding; the last byte is a broken initial byte of a 2-byte UTF-8 character, which is why the illegal access is made.
Should be caught and reported of course (unexpected end of content), will need to see what's the easiest way.

@cowtowncoder cowtowncoder changed the title ArrayIndexOutOfBoundsException in CBORParser._finishShortText ArrayIndexOutOfBoundsException in CBORParser for invalid UTF-8 String value Jan 30, 2021
@cowtowncoder cowtowncoder added this to the 2.12.2 milestone Jan 30, 2021
cowtowncoder added a commit that referenced this issue Jan 30, 2021
@cowtowncoder
Member

Fixed for 2.12.2; 2 problems:

  1. Not verifying buffer boundary, matters for the specific case where the last byte implies the existence of one or more bytes of a multi-byte UTF-8 character
  2. But also should verify UTF-8 encoding goodness: example case is broken (maybe it's Latin-1?); should fail earlier

Slightly worried about (2) in a patch release (and hence no backport for 2.11) since while validation really should be done, no doubt some content exists where "it used to 'work'" (i.e. butchered occasionally mis-encoded character but no one noticed, or some validation removed that garbage later on), but we'll see.
Will also file a follow-up issue for 2.13 since as of now validation of UTF-8 characters is inconsistent across code paths -- it shouldn't be, but it is. For 2.13 we can make things more strict more generally.

@cowtowncoder cowtowncoder changed the title ArrayIndexOutOfBoundsException in CBORParser for invalid UTF-8 String value ArrayIndexOutOfBoundsException in CBORParser for invalid UTF-8 String Jan 30, 2021
cowtowncoder added a commit that referenced this issue Jan 30, 2021
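
The two checks named in the fix comment above (buffer boundary and UTF-8 well-formedness), written out as a stand-alone strict decoder for a short CBOR text string. This is an added example, not Jackson's CBORParser code or the 2.12.2 fix; the class `StrictShortText` and its `decode` method are hypothetical names, and the second and third inputs are constructed for illustration.

```java
import java.io.IOException;

// Added example: hypothetical class, not Jackson code.
public class StrictShortText {
    // Decodes one CBOR definite-length text string shorter than 24 bytes
    // (initial byte 0x60..0x77), rejecting truncated or malformed UTF-8.
    static String decode(byte[] buf) throws IOException {
        if (buf.length == 0) throw new IOException("Empty input");
        int ib = buf[0] & 0xFF;
        if (ib < 0x60 || ib > 0x77) throw new IOException("Not a short text string");
        int end = 1 + (ib & 0x1F); // index just past the declared payload
        if (end > buf.length) throw new IOException("Unexpected end of content: payload shorter than declared");
        StringBuilder sb = new StringBuilder(end - 1);
        int i = 1;
        while (i < end) {
            int b = buf[i++] & 0xFF;
            if (b < 0x80) { sb.append((char) b); continue; }
            int need, cp, min; // continuation bytes needed, code point, smallest non-overlong value
            if ((b & 0xE0) == 0xC0)      { need = 1; cp = b & 0x1F; min = 0x80; }
            else if ((b & 0xF0) == 0xE0) { need = 2; cp = b & 0x0F; min = 0x800; }
            else if ((b & 0xF8) == 0xF0) { need = 3; cp = b & 0x07; min = 0x10000; }
            else throw new IOException(String.format("Invalid UTF-8 start byte 0x%02x", b));
            // Problem 1 in the thread: the lead byte promises bytes past the end.
            if (i + need > end) throw new IOException("Unexpected end of content: truncated UTF-8 character");
            for (int k = 0; k < need; k++) {
                int c = buf[i++] & 0xFF;
                // Problem 2 in the thread: following bytes must be 10xxxxxx.
                if ((c & 0xC0) != 0x80) throw new IOException(String.format("Invalid UTF-8 continuation byte 0x%02x", c));
                cp = (cp << 6) | (c & 0x3F);
            }
            if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) throw new IOException("Overlong or out-of-range UTF-8 sequence");
            sb.appendCodePoint(cp);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        byte[][] inputs = {
            {0x66, (byte) 0xef, 0x7d, 0x7d, 0xa, 0x2d, (byte) 0xda}, // input from the report
            {0x63, 'a', 'b', (byte) 0xda},                           // constructed: truncated lead byte only
            {0x63, 'a', (byte) 0xc3, (byte) 0xa9},                   // constructed: well-formed text
        };
        for (byte[] in : inputs) {
            try { System.out.println("ok: " + decode(in)); }
            catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

On the reported input the decoder stops at the `0x7d` that follows the 3-byte lead `0xef`, before it reaches the trailing `0xda`; the second input isolates the boundary case on its own. Both failures surface as `IOException`, so a caller that already handles parse errors never sees an unchecked `ArrayIndexOutOfBoundsException`.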