Input content of 296 bytes (resource /data/clusterfuzz-cbor-35979.cbor) is used to trigger a corner condition for a 256-byte String (an ArrayIndexOutOfBoundsException is thrown): not a security issue, but an inconvenience, since the caller may get something other than JsonProcessingException.
Note that the input itself is invalid (that is, not valid CBOR); but it should produce a properly typed exception upon decoding, not an AIOOBE.
More specifically, the issue is that the last byte indicates a multi-byte UTF-8 character, but the following bytes are missing: for example, the input indicates a "short" String of 256 encoded bytes, and the byte at the very last offset indicates that it is the starting byte of, say, a 3-byte character. The current code does not verify that there are enough bytes left but blindly accesses the following 2 bytes (beyond the end). So while it would be easy to avoid the AIOOBE itself (just add padding of 3 bytes to cover all possible cases), it is important for the decoder to actually apply bounds checks to avoid the issue.
Another OSS-Fuzz-found issue (see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35979), for which we have a unit test to reproduce (see Fuzz_35979_StringValueTest) but no fix yet.
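To make the corner case concrete, here is an added, stand-alone example (not Jackson's code, and not the actual fuzzer input): a minimal decoder for one definite-length CBOR text string (major type 3) with a hand-written UTF-8 inner loop. The `bounds_check=False` path mimics the bug described above (a lead byte at the very end of the item, continuation bytes read blindly past the end), and fails with an IndexError, the Python analogue of AIOOBE; the `bounds_check=True` path raises a typed `CBORDecodeError` instead, which is the role JsonProcessingException plays for the real parser. The class and function names, and the 259-byte constructed input `TRUNCATED` (a 256-byte string whose last byte is a 3-byte lead byte), are assumptions of this example. It goes slightly beyond the text by also rejecting a declared length that exceeds the available bytes and bad continuation bytes, since those are the other checks a bounds-aware text decoder needs.

```python
# Added example: minimal CBOR text-string (major type 3) decoder illustrating
# why a UTF-8 inner loop must bounds-check before reading continuation bytes.
# Names and sample inputs are constructed for this example, not Jackson's code.


class CBORDecodeError(ValueError):
    """Typed error for malformed input; plays the role of JsonProcessingException."""


def _read_text_header(buf: bytes, pos: int):
    """Parse the initial byte of a major-type-3 item; return (length, payload_start)."""
    if pos >= len(buf):
        raise CBORDecodeError("unexpected end of input: missing initial byte")
    ib = buf[pos]
    if ib >> 5 != 3:
        raise CBORDecodeError(f"expected text string (major type 3), got 0x{ib:02x}")
    info = ib & 0x1F
    if info < 24:                      # length encoded directly in the initial byte
        return info, pos + 1
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(info)
    if width is None:
        raise CBORDecodeError("indefinite-length or reserved additional info not supported here")
    if pos + 1 + width > len(buf):
        raise CBORDecodeError("unexpected end of input inside length field")
    length = int.from_bytes(buf[pos + 1:pos + 1 + width], "big")
    return length, pos + 1 + width


def _utf8_width(lead: int) -> int:
    """Total bytes of the UTF-8 sequence introduced by `lead`, or 0 if it cannot start one."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0


def _decode_utf8(buf: bytes, start: int, end: int, bounds_check: bool) -> str:
    """Decode buf[start:end] as UTF-8 by hand, mirroring a parser's inner loop.

    bounds_check=False reproduces the bug: continuation bytes are read blindly,
    so a lead byte at the very end of the input raises IndexError (the AIOOBE
    analogue). bounds_check=True raises CBORDecodeError instead.
    (Overlong and surrogate rejection are omitted to keep the loop short.)
    """
    out = []
    i = start
    while i < end:
        lead = buf[i]
        width = _utf8_width(lead)
        if width == 0:
            raise CBORDecodeError(f"invalid UTF-8 lead byte 0x{lead:02x} at offset {i}")
        if bounds_check and i + width > end:
            raise CBORDecodeError(
                f"truncated {width}-byte UTF-8 sequence at offset {i}: "
                f"needs {width - 1} continuation bytes, {end - i - 1} remain")
        if width == 1:
            out.append(chr(lead))
            i += 1
            continue
        cp = lead & (0x7F >> width)            # payload bits of the lead byte
        for k in range(1, width):
            cont = buf[i + k]                  # IndexError here when unchecked and truncated
            if cont & 0xC0 != 0x80:
                raise CBORDecodeError(f"bad continuation byte 0x{cont:02x} at offset {i + k}")
            cp = (cp << 6) | (cont & 0x3F)
        out.append(chr(cp))
        i += width
    return "".join(out)


def decode_text_string(buf: bytes, bounds_check: bool = True) -> str:
    """Decode a single definite-length CBOR text string at the start of buf."""
    length, start = _read_text_header(buf, 0)
    end = start + length
    if end > len(buf):
        raise CBORDecodeError(f"declared length {length} exceeds {len(buf) - start} available bytes")
    return _decode_utf8(buf, start, end, bounds_check)


def failure_type(buf: bytes, bounds_check: bool) -> str:
    """Name of the exception class decode_text_string raises for buf, or 'ok'."""
    try:
        decode_text_string(buf, bounds_check)
        return "ok"
    except Exception as e:  # deliberately broad: we want to observe the raw exception type
        return type(e).__name__


# Constructed sample inputs (not the real clusterfuzz file):
GOOD = b"\x66h\xc3\xa9llo"                          # 6-byte string "h\u00e9llo"
# 256-byte text string (length in a 2-byte field) whose final byte 0xE2 announces
# a 3-byte sequence, but the item, and the whole input, end right there.
TRUNCATED = b"\x79\x01\x00" + b"a" * 255 + b"\xe2"

if __name__ == "__main__":
    print(decode_text_string(GOOD))
    print(failure_type(TRUNCATED, bounds_check=False))   # IndexError
    print(failure_type(TRUNCATED, bounds_check=True))    # CBORDecodeError
```

Padding the input buffer with a few bytes would indeed silence the IndexError in the unchecked path, but the loop would then decode whatever the padding happens to be as part of the string; the explicit `i + width > end` check is what turns the malformed input into a typed decode error at the right offset.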