fix: illegal array to cause OOM for #1717

Signed-off-by: Kraity <kraty@krait.cn>
alibaba · Aug 6, 2023 · 09c3e04 · 09c3e04
1 parent 9898571
commit 09c3e04
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 32 deletions.
diff --git a/core/src/main/java/com/alibaba/fastjson2/JSONReader.java b/core/src/main/java/com/alibaba/fastjson2/JSONReader.java
@@ -2376,19 +2376,19 @@ public List readArray(Type itemType) {
             return null;
         }
 
-        List list = new ArrayList();
         if (!nextIfArrayStart()) {
             throw new JSONException(info("syntax error : " + ch));
         }
 
         boolean fieldBased = (context.features & Feature.FieldBased.mask) != 0;
         ObjectReader objectReader = context.provider.getObjectReader(itemType, fieldBased);
 
-        while (!nextIfArrayEnd()) {
-            Object item = objectReader.readObject(this, null, null, 0);
-            list.add(item);
+        List list = new ArrayList();
+        for (Object item; !nextIfArrayEnd(); list.add(item)) {
+            int mark = offset;
+            item = objectReader.readObject(this, null, null, 0);
 
-            if (ch == '}' || ch == EOI) {
+            if (mark == offset || ch == '}' || ch == EOI) {
                 throw new JSONException("illegal input : " + ch + ", offset " + getOffset());
             }
         }
@@ -2405,24 +2405,26 @@ public List readList(Type[] types) {
             return null;
         }
 
-        List list = new ArrayList(types.length);
         if (!nextIfArrayStart()) {
             throw new JSONException("syntax error : " + ch);
         }
 
-        for (int i = 0; ; ++i) {
-            if (nextIfArrayEnd()) {
-                break;
-            }
-            Type itemType = types[i];
-            Object item = read(itemType);
-            list.add(item);
+        int i = 0, max = types.length;
+        List list = new ArrayList(max);
+
+        for (Object item; !nextIfArrayEnd() && i < max; list.add(item)) {
+            int mark = offset;
+            item = read(types[i++]);
 
-            if (ch == '}' || ch == EOI) {
+            if (mark == offset || ch == '}' || ch == EOI) {
                 throw new JSONException("illegal input : " + ch + ", offset " + getOffset());
             }
         }
 
+        if (i != max) {
+            throw new JSONException(info("element length mismatch"));
+        }
+
         if (comma = (ch == ',')) {
             next();
         }
@@ -2439,30 +2441,26 @@ public final Object[] readArray(Type[] types) {
             throw new JSONException(info("syntax error"));
         }
 
-        boolean arrayEnd = false;
-        Object[] list = new Object[types.length];
-        for (int i = 0; i < types.length; i++) {
-            if (i != 0) {
-                if (nextIfArrayEnd()) {
-                    arrayEnd = true;
-                    break;
-                } else if (isEnd()) {
-                    break;
-                }
-            }
+        int i = 0, max = types.length;
+        Object[] list = new Object[max];
 
-            Type itemType = types[i];
-            Object item = read(itemType);
-            list[i] = item;
+        for (Object item; !nextIfArrayEnd() && i < max; list[i++] = item) {
+            int mark = offset;
+            item = read(types[i]);
 
-            if (i == types.length - 1) {
-                arrayEnd = true;
+            if (mark == offset || ch == '}' || ch == EOI) {
+                throw new JSONException("illegal input : " + ch + ", offset " + getOffset());
             }
         }
 
-        if (!arrayEnd) {
-            throw new JSONException(info("syntax error"));
+        if (i != max) {
+            throw new JSONException(info("element length mismatch"));
+        }
+
+        if (comma = (ch == ',')) {
+            next();
         }
+
         return list;
     }
 

diff --git a/core/src/test/java/com/alibaba/fastjson2/issues_1700/Issue1717.java b/core/src/test/java/com/alibaba/fastjson2/issues_1700/Issue1717.java
@@ -0,0 +1,27 @@
+package com.alibaba.fastjson2.issues_1700;
+
+import com.alibaba.fastjson2.JSON;
+import com.alibaba.fastjson2.JSONException;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * @author kraity
+ */
+public class Issue1717 {
+    @Test
+    public void test() {
+        assertThrows(JSONException.class, () -> JSON.parseArray("[jia]", int.class));
+        assertThrows(JSONException.class, () -> JSON.parseArray("[jia]", long.class));
+        assertThrows(JSONException.class, () -> JSON.parseArray("[jia]", Long.class));
+        assertThrows(JSONException.class, () -> JSON.parseArray("[jia]", Integer.class));
+        assertThrows(JSONException.class, () -> JSON.parseArray("[jia]", Long.class, Integer.class));
+        assertThrows(JSONException.class, () -> JSON.parseArray("[1,jia]", Long.class, Integer.class));
+
+        assertThrows(JSONException.class, () -> JSON.parseArray("[]", Long.class, Integer.class)); // element length mismatch
+        assertThrows(JSONException.class, () -> JSON.parseArray("[1]", Long.class, Integer.class)); // element length mismatch
+        assertDoesNotThrow(() -> JSON.parseArray("[1,2]", Long.class, Integer.class));
+        assertThrows(JSONException.class, () -> JSON.parseArray("[1,2,3]", Long.class, Integer.class)); // element length mismatch
+    }
+}