The CBORParser::nextToken() method relies on the integer index _inputPtr to read the next character from the provided input byte array. In some cases, if the provided input byte array is malformed and contains negative bytes, that negative could be used as the new value for the _inputPtr. If the negative _inputPtr is used as an index for later access to the byte array, an unexpected IndexOutOfBoundsException is thrown because a negative index is used.
@Override
public JsonToken nextToken() throws IOException
{
...
if (_inputPtr >= _inputEnd) {
if (!loadMore()) {
return _eofAsNextToken();
}
}
int ch = _inputBuffer[_inputPtr++] & 0xFF;
...
The suggested fix is to add a negative checking before the use of _inputPtr. It is shown that there is already a check in the method to ensure _inputPtr is not larger than or equal to the _inputEnd, but there is no check to confirm that _inputPtr is not negative. The suggested fix is to add a negative check to ensure the retrieved _inputPtr is not negative before use.
The
CBORParser::nextToken()method relies on the integer index_inputPtrto read the next character from the provided input byte array. In some cases, if the provided input byte array is malformed and contains negative bytes, that negative could be used as the new value for the_inputPtr. If the negative_inputPtris used as an index for later access to the byte array, an unexpectedIndexOutOfBoundsExceptionis thrown because a negative index is used.The suggested fix is to add a negative checking before the use of
_inputPtr. It is shown that there is already a check in the method to ensure_inputPtris not larger than or equal to the_inputEnd, but there is no check to confirm that_inputPtris not negative. The suggested fix is to add a negative check to ensure the retrieved_inputPtris not negative before use.We found this issue by OSS-Fuzz and it is reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65617.