Skip to content

IndexOutOfBoundsException in CBORParser for invalid input #451

New issue
New issue
Closed
Closed
IndexOutOfBoundsException in CBORParser for invalid input#451
Labels
2.17cbor
Milestone
2.17.0
@arthurscchan

Description

@arthurscchan
arthurscchan
opened on Jan 8, 2024

The CBORParser::nextToken() method relies on the integer index _inputPtr to read the next character from the provided input byte array. In some cases, if the provided input byte array is malformed and contains negative bytes, that negative could be used as the new value for the _inputPtr. If the negative _inputPtr is used as an index for later access to the byte array, an unexpected IndexOutOfBoundsException is thrown because a negative index is used.

    @Override
    public JsonToken nextToken() throws IOException
    {
...
        if (_inputPtr >= _inputEnd) {
            if (!loadMore()) {
                return _eofAsNextToken();
            }
        }
        int ch = _inputBuffer[_inputPtr++] & 0xFF;
...

The suggested fix is to add a negative checking before the use of _inputPtr. It is shown that there is already a check in the method to ensure _inputPtr is not larger than or equal to the _inputEnd, but there is no check to confirm that _inputPtr is not negative. The suggested fix is to add a negative check to ensure the retrieved _inputPtr is not negative before use.

We found this issue by OSS-Fuzz and it is reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65617.

Metadata

Metadata

Assignees

No one assigned

    Labels

    2.17cbor

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions