diff --git a/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java b/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java index cd0c44dec..7763ccc57 100644 --- a/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java +++ b/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java @@ -553,7 +553,10 @@ public void skipValue(int count) skipPayload(readNextLength16() + 1); break; case EXT32: - skipPayload(readNextLength32() + 1); + int extLen = readNextLength32(); + // Skip the first ext type header (1-byte) first in case ext length is Integer.MAX_VALUE + skipPayload(1); + skipPayload(extLen); break; case ARRAY16: count += readNextLength16(); @@ -1474,6 +1477,9 @@ public int unpackBinaryHeader() private void skipPayload(int numBytes) throws IOException { + if (numBytes < 0) { + throw new IllegalArgumentException("payload size must be >= 0: " + numBytes); + } while (true) { int bufferRemaining = buffer.size() - position; if (bufferRemaining >= numBytes) { diff --git a/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala b/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala new file mode 100644 index 000000000..4950da82a --- /dev/null +++ b/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala @@ -0,0 +1,23 @@ +package org.msgpack.core + +/** + * + */ +class InvalidDataReadTest extends MessagePackSpec { + + "Reading long EXT32" in { + // Prepare an EXT32 data with 2GB (Int.MaxValue size) payload for testing the behavior of MessageUnpacker.skipValue() + // Actually preparing 2GB of data, however, is too much for CI, so we create only the header part. + val msgpack = createMessagePackData(p => p.packExtensionTypeHeader(MessagePack.Code.EXT32, Int.MaxValue)) + val u = MessagePack.newDefaultUnpacker(msgpack) + try { + // This error will be thrown after reading the header as the input has no EXT32 body + intercept[MessageInsufficientBufferException] { + u.skipValue() + } + } + finally { + u.close() + } + } +}