FasterXML / jackson-dataformats-binary

Uber-project for standard Jackson binary format backends: avro, cbor, ion, protobuf, smile
Apache License 2.0

Unexpected NullPointerException in `CBORParser` #458

Closed arthurscchan closed 8 months ago

arthurscchan commented 8 months ago

In the `CBORParser.convertNumberToBigDecimal()` method, there is an invocation of the `CBORParser.getText()` method which could return a null value when there is no more text left in the input. If the result is null, the code will throw a `NullPointerException` in the next line when the `String::length()` method is called. The `CBORParser.convertNumberToBigDecimal()` method is called by the public API `CBORParser::nextDecimalValue()`.

    @Override
    public BigDecimal getDecimalValue() throws IOException
    {
        if ((_numTypesValid & NR_BIGDECIMAL) == 0) {
            if (_numTypesValid == NR_UNKNOWN) {
                _checkNumericValue(NR_BIGDECIMAL);
            }
            if ((_numTypesValid & NR_BIGDECIMAL) == 0) {
                convertNumberToBigDecimal();
            }
        }
        return _numberBigDecimal;
    }

    protected void convertNumberToBigDecimal() throws IOException
    {
        // Note: this MUST start with more accurate representations, since we don't know which
        //  value is the original one (others get generated when requested)
        if ((_numTypesValid & (NR_DOUBLE | NR_FLOAT)) != 0) {
            // Let's parse from String representation, to avoid rounding errors that
            // non-decimal floating operations would incur
            final String text = getText();
            streamReadConstraints().validateFPLength(text.length());
    ...

The suggested fix is to add a null check after the invocation of the `CBORParser.getText()` method and throw an exception if the return value stored in size is indeed null.

We found this issue with OSS-Fuzz, and it is reported at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65768.
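
A simplified model of the pattern reported above and of the suggested null check, added here as an example; it is not code from jackson-dataformats-binary or from the reporter. The class `NullTextGuardDemo`, its method names and the `MAX_FP_LENGTH` limit are hypothetical stand-ins for the parser state, with a null `text` field modelling the case where `getText()` has nothing to return.

```java
import java.io.IOException;
import java.math.BigDecimal;

// Simplified stand-in for the parser logic discussed in the issue. All names
// are hypothetical; none of this is jackson-dataformats-binary code.
public class NullTextGuardDemo {
    static final int MAX_FP_LENGTH = 1000; // constructed limit for the demo

    private final String text; // null models "no text for the current token"
    NullTextGuardDemo(String text) { this.text = text; }
    String getText() { return text; }

    // Mirrors the reported pattern: getText() is dereferenced without a check.
    BigDecimal convertUnchecked() throws IOException {
        final String t = getText();
        validateFPLength(t.length()); // NullPointerException when t == null
        return new BigDecimal(t);
    }

    // The suggested fix: check for null and fail with a declared exception.
    BigDecimal convertChecked() throws IOException {
        final String t = getText();
        if (t == null) {
            throw new IOException("Cannot convert to BigDecimal: no text for current token");
        }
        validateFPLength(t.length());
        return new BigDecimal(t);
    }

    static void validateFPLength(int length) throws IOException {
        if (length > MAX_FP_LENGTH) {
            throw new IOException("Number length " + length + " exceeds " + MAX_FP_LENGTH);
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(new NullTextGuardDemo("1.5").convertChecked());
        try {
            new NullTextGuardDemo(null).convertUnchecked();
        } catch (NullPointerException e) {
            System.out.println("unchecked: NullPointerException escapes to the caller");
        }
        try {
            new NullTextGuardDemo(null).convertChecked();
        } catch (IOException e) {
            System.out.println("checked: " + e.getMessage());
        }
    }
}
```

Callers that already handle `IOException` from a parser of untrusted input get a clean rejection from the checked variant, while the unchecked variant surfaces an undeclared runtime exception they may not catch.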