Fixes #1169: adds test(s), fix (#1170)

release-notes/VERSION-2.x

@@ -18,6 +18,8 @@ a pure JSON library.
 
 #1157: Use fast parser (FDP) for large `BigDecimal`s (500+ chars)
  (contributed by @pjfanning)
+#1169: `ArrayIndexOutOfBoundsException` for specific invalid content,
+  with Reader-based parser
 
 2.16.1 (not yet released)
 

src/main/java/com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java

@@ -1582,8 +1582,7 @@ private final JsonToken _parseNumber2(boolean neg, int startPtr) throws IOExcept
         // This is the place to do leading-zero check(s) too:
         int intLen = 0;
         char c = (_inputPtr < _inputEnd) ? _inputBuffer[_inputPtr++]
-                : getNextChar("No digit following minus sign", JsonToken.VALUE_NUMBER_INT);
-
+                : getNextChar("No digit following sign", JsonToken.VALUE_NUMBER_INT);
         if (c == '0') {
             c = _verifyNoLeadingZeroes();
         }
@@ -1609,7 +1608,7 @@ private final JsonToken _parseNumber2(boolean neg, int startPtr) throws IOExcept
         // Also, integer part is not optional
         if (intLen == 0) {
             // [core#611]: allow optionally leading decimal point
-            if (!isEnabled(JsonReadFeature.ALLOW_LEADING_DECIMAL_POINT_FOR_NUMBERS.mappedFeature())) {
+            if ((c != '.') || !isEnabled(JsonReadFeature.ALLOW_LEADING_DECIMAL_POINT_FOR_NUMBERS.mappedFeature())) {
                 return _handleInvalidNumberStart(c, neg);
             }
         }

src/test/java/com/fasterxml/jackson/core/fuzz/Fuzz61198_1169_NumberParseTest.java

@@ -0,0 +1,50 @@
+package com.fasterxml.jackson.core.fuzz;
+
+import com.fasterxml.jackson.core.*;
+import com.fasterxml.jackson.core.json.JsonReadFeature;
+
+// For
+//
+// * [core#1169],
+// * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61198
+public class Fuzz61198_1169_NumberParseTest extends BaseTest
+{
+    // NOTE! Not enough to enable just first, but both it seem
+    private final JsonFactory JSON_F = JsonFactory.builder()
+            .enable(JsonReadFeature.ALLOW_LEADING_PLUS_SIGN_FOR_NUMBERS)
+            .enable(JsonReadFeature.ALLOW_LEADING_DECIMAL_POINT_FOR_NUMBERS)
+            .build();
+
+    public void testLeadingPlusSignMalformedBytes() throws Exception {
+        _testLeadingPlusMalformed(JSON_F, MODE_INPUT_STREAM);
+        _testLeadingPlusMalformed(JSON_F, MODE_INPUT_STREAM_THROTTLED);
+    }
+
+    public void testLeadingPlusSignMalformedReader() throws Exception {
+        _testLeadingPlusMalformed(JSON_F, MODE_READER);
+        _testLeadingPlusMalformed(JSON_F, MODE_READER_THROTTLED);
+    }
+
+    public void testLeadingPlusSignMalformedOther() throws Exception {
+        _testLeadingPlusMalformed(JSON_F, MODE_DATA_INPUT);
+    }
+
+    private void _testLeadingPlusMalformed(JsonFactory f, int mode) throws Exception
+    {
+        // But also, invalid case:
+        try (JsonParser p = createParser(f, mode, "[ +X  1 ")) {
+            assertToken(JsonToken.START_ARRAY, p.nextToken());
+            try {
+                JsonToken t = p.nextToken();
+                assertToken(JsonToken.VALUE_NUMBER_INT, t);
+                // Either one works:
+//                p.getNumberType();
+                p.getIntValue();
+                fail("Should not pass, got: "+t);
+            } catch (JsonParseException e) {
+                verifyException(e, "Unexpected character ('X' (code 88");
+            }
+        }
+    }
+
+}