Uncaught exception in com.fasterxml.jackson.dataformat.cbor.CBORParser._finishShortText
#316
Labels
2.17
cbor
fuzz
Issue found by OssFuzz
has-failing-test
Indicates that there exists a test case (under `failing/`) to reproduce the issue
Comments
cowtowncoder
added
cbor
fuzz
cowtowncoder
added a commit
that referenced
this issue
Mar 19, 2022
cowtowncoder
changed the title
com.fasterxml.jackson.dataformat.cbor.CBORParser._finishShortText
|
Was fixed earlier, forgot to close the issue. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Another OSSFuzz found issue (see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35979), for which we have a unit test to reproduce (see
Fuzz_35979_StringValueTest) but no fix yet.Input content with 296 bytes (resource
/data/clusterfuzz-cbor-35979.cbor) used to trigger a corner condition for 256 bytes (getArrayIndexOutOfBoundsException): not a security issue but inconvenience when caller may get something other thanJsonProcessingException.Note that input itself is invalid (not valid CBOR, that is); but it should produce properly typed exception upon decoding; not AIOOBE.
More specifically the issue is that the last byte indicates a multi-byte UTF-8 character, but without following bytes: for example, indicating "short" String of 256 bytes encoded, byte at the very last offset indicates it is the starting byte of, say, 3-byte character. Current code does not verify that there are enough bytes left but blindly accesses following 2 bytes (beyond end). So while it would be easy to avoid AIOOBE itself (just add padding of 3 bytes to cover all possible cases), it is important for decoder to actually apply bounds checks to avoid the issue.
The text was updated successfully, but these errors were encountered: