FasterXML / jackson-dataformats-binary

Uber-project for standard Jackson binary format backends: avro, cbor, ion, protobuf, smile
Apache License 2.0

(cbor) Overflow in `BigDecimal` input (by ossfuzzer) #267

Closed cowtowncoder closed 3 years ago

cowtowncoder commented 3 years ago

(note: discovered by https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32579)

Looks like there is an unhandled Overflow for certain types of BigDecimal values the fuzzer creates. Would be nice to cleanly handle; but at the very least catch exception and rethrow, if need be. Does not immediately appear to be security related as JDK code reports it based on checks.

cowtowncoder commented 3 years ago

Hmmmh. Looks like comparing scale to any static limit will not solve the issue since number of trailing zeroes can vary. Catching exception seems ugly but might be the only way...

fmeum commented 3 years ago

I think catching and not stripping zeros in that case could be sufficiently backwards compatible. It would have the advantage that this would never throw for any representable BigDecimal, which people may rightfully expect given that a default of stripping zeros is a bit arbitrary.

cowtowncoder commented 3 years ago

New fix done in jackson-databind to just catch the exception: since this is a continuation of #264, will close as dup.
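
The failure mode and the catch-and-keep fallback discussed in this thread, as an added Java example that is not jackson-databind's or this project's code. It assumes the zero-stripping step is `BigDecimal.stripTrailingZeros()`; the class name, helper name and sample values are constructed for illustration.

```java
import java.math.BigDecimal;
import java.math.BigInteger;

public class StripZerosGuard {

    // Hypothetical helper: normalize when possible, otherwise keep the value as decoded.
    static BigDecimal stripTrailingZerosSafely(BigDecimal value) {
        try {
            return value.stripTrailingZeros();
        } catch (ArithmeticException e) {
            // Each stripped zero lowers the scale by one; the JDK throws when the
            // result would need a scale below Integer.MIN_VALUE.
            return value;
        }
    }

    static void show(String label, BigDecimal in) {
        String direct;
        try {
            direct = "ok, scale=" + in.stripTrailingZeros().scale();
        } catch (ArithmeticException e) {
            direct = "ArithmeticException: " + e.getMessage();
        }
        BigDecimal safe = stripTrailingZerosSafely(in);
        System.out.println(label + ": direct strip -> " + direct
                + "; guarded -> unscaled=" + safe.unscaledValue()
                + ", scale=" + safe.scale());
    }

    public static void main(String[] args) {
        // Constructed inputs. A decoder builds values like these from an
        // attacker-controlled (unscaled value, scale) pair.
        show("ordinary 1200.00", new BigDecimal("1200.00"));

        // Scale at the minimum but no trailing zero: stripping is a no-op, so
        // rejecting on scale alone would refuse a value that is harmless.
        show("7 @ MIN_VALUE", new BigDecimal(BigInteger.valueOf(7), Integer.MIN_VALUE));

        // One trailing zero at the minimum scale: stripping needs MIN_VALUE - 1.
        show("10 @ MIN_VALUE", new BigDecimal(BigInteger.TEN, Integer.MIN_VALUE));

        // Scale above the minimum, but three trailing zeros cross it anyway,
        // which is why a static scale limit does not catch every case.
        show("1000 @ MIN_VALUE+1",
                new BigDecimal(BigInteger.valueOf(1000), Integer.MIN_VALUE + 1));
    }
}
```

The guarded path returns every representable input unchanged when stripping is impossible, so the decoder's caller never sees a raw `ArithmeticException` from the JDK for these values.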