FasterXML / jackson-dataformats-binary

Uber-project for standard Jackson binary format backends: avro, cbor, ion, protobuf, smile
Apache License 2.0

`SmileParser` throws unexpected IOOBE for corrupt content #426

Closed arthurscchan closed 9 months ago

arthurscchan commented 9 months ago

In the SmileParser::nextTextValue() method, there is a line that uses the integer ptr as an index to retrieve a byte from the _inputBuffer. But it was found that, with some invalid input and repeated calls to the SmileParser::nextTextValue() method, ptr can become negative and trigger an unexpected ArrayIndexOutOfBoundsException.

    public String nextTextValue() throws IOException
    {
        ...
        int ptr = _inputPtr;
        if (ptr >= _inputEnd) {
            ...
        }
        _tokenOffsetForTotal = ptr;
        int ch = _inputBuffer[ptr++] & 0xFF;
        ...

The simplest fix is to add a bound check for the ptr before using it as the array index.

We found this issue via OSS-Fuzz, and it is reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65126.

cowtowncoder commented 9 months ago

The problem here is that this might not be directly due to anything within nextTextValue() itself but (possibly) in preceding steps. So it is necessary to see the sequence of things that leads to the problematic state, in which the call to nextTextValue() (and likely other calls) would fail.

Unfortunately I don't think nextTextValue() can truly validate the offset at that point, but rather whatever led to the invalid value needs to be fixed (specifically: just because the offset is within the valid buffer does not mean it might not be corrupt -- it being off the buffer does indicate it is invalid, of course, but the goal is to prevent the problem where it occurs).

It is very likely that this requires an invalid document being read; but it may also rely on specific accessors/iteration methods being called.
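The two fix locations discussed above, as an added illustration that is not Jackson's code: a constructed cursor modelled on the `_inputBuffer`/`_inputPtr`/`_inputEnd` fields, with a hypothetical length-prefixed skip step (`skipLengthPrefixed`) standing in for whichever earlier step drives the pointer negative. The late check at the use site only reports the bad offset; the check where the pointer is mutated reports the corrupt byte that caused it.

```java
import java.io.IOException;

// Constructed demo, not SmileParser: a minimal buffer cursor with the same field names.
public class CursorDemo {
    private final byte[] _inputBuffer;
    private final int _inputEnd;
    private int _inputPtr;
    private final boolean validateAtMutation;

    CursorDemo(byte[] buf, boolean validateAtMutation) {
        _inputBuffer = buf;
        _inputEnd = buf.length;
        this.validateAtMutation = validateAtMutation;
    }

    // Hypothetical preceding step: skip a blob whose length is a single signed byte.
    // A corrupt length byte in 0x80..0xFF decodes as negative and moves _inputPtr backwards.
    void skipLengthPrefixed() throws IOException {
        int len = _inputBuffer[_inputPtr++];
        if (validateAtMutation && (len < 0 || len > _inputEnd - _inputPtr)) {
            throw new IOException("Corrupt length " + len + " at offset " + (_inputPtr - 1));
        }
        _inputPtr += len; // unchecked: _inputPtr can now be < 0
    }

    // Mirrors the use site quoted in the issue, with the proposed bound check added.
    // Without it, _inputBuffer[_inputPtr] would throw ArrayIndexOutOfBoundsException.
    int nextByte() throws IOException {
        int ptr = _inputPtr;
        if (ptr < 0 || ptr >= _inputEnd) {
            throw new IOException("Invalid input offset " + ptr);
        }
        _inputPtr = ptr + 1;
        return _inputBuffer[ptr] & 0xFF;
    }

    public static void main(String[] args) {
        // Constructed corrupt input: length byte 0xFE (-2) followed by one payload byte.
        byte[] corrupt = { (byte) 0xFE, 0x41 };
        for (boolean early : new boolean[] { false, true }) {
            try {
                CursorDemo c = new CursorDemo(corrupt, early);
                c.skipLengthPrefixed();
                c.nextByte();
            } catch (IOException e) {
                // early=false: "Invalid input offset -1" (cause unknown)
                // early=true:  "Corrupt length -2 at offset 0" (cause located)
                System.out.println("validateAtMutation=" + early + ": " + e.getMessage());
            }
        }
    }
}
```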