From f5ca68f617c488b98ebb13e83380ca90d8ef7dd2 Mon Sep 17 00:00:00 2001 From: "Taro L. Saito" Date: Sun, 14 Feb 2021 12:37:24 -0800 Subject: [PATCH 1/2] Fixes #544: Fix a bug in reading EXT32 with 2GB size --- .../org/msgpack/core/MessageUnpacker.java | 8 +++++++- .../msgpack/core/InvalidDataReadTest.scala | 20 +++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala diff --git a/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java b/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java index cd0c44dec..7763ccc57 100644 --- a/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java +++ b/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java @@ -553,7 +553,10 @@ public void skipValue(int count) skipPayload(readNextLength16() + 1); break; case EXT32: - skipPayload(readNextLength32() + 1); + int extLen = readNextLength32(); + // Skip the first ext type header (1-byte) first in case ext length is Integer.MAX_VALUE + skipPayload(1); + skipPayload(extLen); break; case ARRAY16: count += readNextLength16(); @@ -1474,6 +1477,9 @@ public int unpackBinaryHeader() private void skipPayload(int numBytes) throws IOException { + if (numBytes < 0) { + throw new IllegalArgumentException("payload size must be >= 0: " + numBytes); + } while (true) { int bufferRemaining = buffer.size() - position; if (bufferRemaining >= numBytes) { diff --git a/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala b/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala new file mode 100644 index 000000000..201ac18fe --- /dev/null +++ b/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala @@ -0,0 +1,20 @@ +package org.msgpack.core + +/** + * + */ +class InvalidDataReadTest extends MessagePackSpec { + + "Reading long EXT32" in { + val msgpack = createMessagePackData(p => p.packExtensionTypeHeader(MessagePack.Code.EXT32, Int.MaxValue)) + val u = MessagePack.newDefaultUnpacker(msgpack) + try { + intercept[MessageInsufficientBufferException] { + u.skipValue() + } + } + finally { + u.close() + } + } +} From a04ddb530068a2da6eb740e8e8218bd978a0e3a8 Mon Sep 17 00:00:00 2001 From: "Taro L. Saito" Date: Mon, 15 Feb 2021 11:19:46 -0800 Subject: [PATCH 2/2] Add comment --- .../src/test/scala/org/msgpack/core/InvalidDataReadTest.scala | 3 +++ 1 file changed, 3 insertions(+) diff --git a/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala b/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala index 201ac18fe..4950da82a 100644 --- a/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala +++ b/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala @@ -6,9 +6,12 @@ package org.msgpack.core class InvalidDataReadTest extends MessagePackSpec { "Reading long EXT32" in { + // Prepare an EXT32 data with 2GB (Int.MaxValue size) payload for testing the behavior of MessageUnpacker.skipValue() + // Actually preparing 2GB of data, however, is too much for CI, so we create only the header part. val msgpack = createMessagePackData(p => p.packExtensionTypeHeader(MessagePack.Code.EXT32, Int.MaxValue)) val u = MessagePack.newDefaultUnpacker(msgpack) try { + // This error will be thrown after reading the header as the input has no EXT32 body intercept[MessageInsufficientBufferException] { u.skipValue() }