FasterXML / jackson-dataformats-binary

Uber-project for standard Jackson binary format backends: avro, cbor, ion, protobuf, smile
Apache License 2.0

More methods from `IonReader` could throw an unexpected `AssertionError` #432

Closed arthurscchan closed 10 months ago

arthurscchan commented 10 months ago

Following #417, it was discovered that more methods from `IonReader` could throw an unexpected `AssertionError`. From #417, it is known that `IonReader::stringValue()`, which is served by an Amazon implementation of `IonReaderTextSystemX`, will throw an `AssertionError` when the resolved symbol id is 0 or negative. Although it has been caught for the direct call from the `IonParser::getText()` method, it was found that the call to `IonReader::next()` from `IonParser.nextToken()` will also invoke `IonReader::stringValue()` in some cases and cause an unexpected `AssertionError`.

    @Override
    public JsonToken nextToken() throws IOException
    {
        // special case: if we return field name, we know value type, return it:
        if (_currToken == JsonToken.FIELD_NAME) {
            return (_currToken = _valueToken);
        }
        // also, when starting array/object, need to create new context
        if (_currToken == JsonToken.START_OBJECT) {
            _parsingContext = _parsingContext.createChildObjectContext(-1, -1);
            _reader.stepIn();
        } else if (_currToken == JsonToken.START_ARRAY) {
            _parsingContext = _parsingContext.createChildArrayContext(-1, -1);
            _reader.stepIn();
        }

        // any more tokens in this scope?
        IonType type = null;
        try {
            type = _reader.next();
            ...

The fix is similar to #418, to catch and wrap the AssertionError.

We found this issue with OSS-Fuzz, and it is reported at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65273.
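An added example, not code from this issue or from jackson-dataformats-binary, of why the error needs wrapping: `AssertionError` is a `java.lang.Error`, so a caller that handles the `IOException` declared by `nextToken()` never sees it. `Reader`, `FakeReader`, `nextTokenUnwrapped`, `nextTokenWrapped` and `parseAll` are hypothetical stand-ins, and the failing input is simulated.

```java
import java.io.IOException;

// Added illustration. Reader, FakeReader and the nextToken* methods are
// hypothetical stand-ins, not classes from jackson-dataformats-binary or ion-java.
public class AssertionWrapDemo {
    interface Reader { String next(); }
    // Constructed reader: throws AssertionError on its second call, standing in
    // for a reader that hits an internal assertion on malformed input.
    static class FakeReader implements Reader {
        private int calls = 0;
        @Override public String next() {
            if (++calls == 2) throw new AssertionError("constructed failure");
            return "STRING";
        }
    }
    // Unwrapped: an AssertionError from next() leaves this method as an Error,
    // even though the signature only declares IOException.
    static String nextTokenUnwrapped(Reader r) throws IOException {
        return r.next();
    }
    // Wrapped: the Error is converted into the declared, checked IOException.
    static String nextTokenWrapped(Reader r) throws IOException {
        try {
            return r.next();
        } catch (AssertionError e) {
            throw new IOException("Internal reader failure: " + e.getMessage(), e);
        }
    }
    // A caller that treats IOException as "reject this input" and nothing else.
    static String parseAll(boolean wrapped) {
        Reader r = new FakeReader();
        try {
            for (int i = 0; i < 3; i++) {
                if (wrapped) nextTokenWrapped(r); else nextTokenUnwrapped(r);
            }
            return "parsed";
        } catch (IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("wrapped   -> " + parseAll(true));
        try {
            System.out.println("unwrapped -> " + parseAll(false));
        } catch (AssertionError e) {
            System.out.println("unwrapped -> AssertionError escaped the IOException handler");
        }
    }
}
```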