Fix one obvious problem with "optimized" solution for #266
cowtowncoder committed Mar 30, 2021
1 parent b5aef16 commit d76566b
Showing 3 changed files with 56 additions and 6 deletions.
Expand Up @@ -1559,7 +1559,7 @@ private final String _decodeShortUnicodeName(int len)
default: // invalid
// Update pointer here to point to (more) correct location
_inputPtr = inPtr;
_reportError("Invalid byte 0x"+Integer.toHexString(i)+" in short Unicode text block");
_reportError(String.format("Invalid byte 0x%02X in short Unicode text block", i));
}
}
outBuf[outPtr++] = (char) i;
Expand Down Expand Up @@ -2365,20 +2365,19 @@ protected final String _decodeShortUnicodeValue(final int byteLen) throws IOExce
final int firstCharOffset = byteLen - (end - inPtr) - 1;
return _reportTruncatedUTF8InString(byteLen, firstCharOffset, i, unitLen);
}
int i2 = inputBuf[inPtr++] & 0x3F;

switch (unitLen) {
case 1:
i = ((i & 0x1F) << 6) | i2;
i = ((i & 0x1F) << 6) | (inputBuf[inPtr++] & 0x3F);
break;
case 2:
i = ((i & 0x0F) << 12)
| (i2 << 6)
| ((inputBuf[inPtr++] & 0x3F) << 6)
| (inputBuf[inPtr++] & 0x3F);
break;
case 3:// trickiest one, need surrogate handling
i = ((i & 0x07) << 18)
| (i2 << 12)
| ((inputBuf[inPtr++] & 0x3F) << 12)
| ((inputBuf[inPtr++] & 0x3F) << 6)
| (inputBuf[inPtr++] & 0x3F);
// note: this is the codepoint value; need to split, too
Expand All @@ -2387,7 +2386,7 @@ protected final String _decodeShortUnicodeValue(final int byteLen) throws IOExce
i = 0xDC00 | (i & 0x3FF);
break;
default: // invalid
_reportError("Invalid byte "+Integer.toHexString(i)+" in short Unicode text block");
_reportError(String.format("Invalid byte 0x%02X in short Unicode text block", i));
}
outBuf[outPtr++] = (char) i;
}
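Review bot: In `_decodeShortUnicodeValue`, each trailing byte is still folded in as `inputBuf[inPtr++] & 0x3F` without checking that it is a continuation byte (`10xxxxxx`), so a lead byte followed by arbitrary bytes decodes to some character instead of failing; nothing in the visible lines rejects overlong forms or, in case 3, code points above U+10FFFF either. Lenient decoding of this kind is a common source of parser differentials, where a component that validates UTF-8 strictly and this parser disagree about the same bytes. A guard per trailing byte, e.g. `if ((b & 0xC0) != 0x80) _reportError(String.format("Invalid continuation byte 0x%02X in short Unicode text block", b & 0xFF));`, would close it; if the omission is deliberate for speed, a comment on the switch saying so would help. The method starts and ends outside these hunks, so validation may exist in code not shown here.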
@@ -0,0 +1,44 @@
package com.fasterxml.jackson.dataformat.smile.fuzz;

import com.fasterxml.jackson.core.*;
import com.fasterxml.jackson.core.exc.StreamReadException;
import com.fasterxml.jackson.databind.ObjectMapper;

import com.fasterxml.jackson.dataformat.smile.BaseTestForSmile;

public class Fuzz32654ShortUnicodeTest extends BaseTestForSmile
{
private final ObjectMapper MAPPER = smileMapper();

// [dataformats-binary#266]
public void testInvalidShortUnicode() throws Exception
{
/*
final byte[] input = new byte[] {
0x3A, 0x29, 0x0A, 0x00, // smile signature
(byte) 0xFA, // START_OBJECT
(byte) 0xC8, // short-unicode-name: 10 bytes (0x8 + 2), 6 chars
(byte) 0xC8, (byte) 0xC8,
(byte) 0xC8, (byte) 0xC8, (byte) 0xC8, 0x00,
0x00, (byte) 0xF3, (byte) 0xA0, (byte) 0x81,
(byte) 0x8A, // short-unicode-value: 12 bytes (0xA + 2)
0x00, 0x01, 0x00,
0x00, 0x00, 0x01, 0x01,
0x00, 0x00, 0x04, (byte) 0xE5,
0x04
};
*/
final byte[] input = readResource("/data/clusterfuzz-smile-32654.smile");
try (JsonParser p = MAPPER.createParser(input)) {
assertToken(JsonToken.START_ARRAY, p.nextToken());
assertToken(JsonToken.VALUE_STRING, p.nextToken());
try {
String text = p.getText();
fail("Should have failed, instead decoded String of "+text.length()+" chars");
} catch (StreamReadException e) {
verifyException(e, "Invalid byte 0xB4 in short Unicode text");
}
}
}
}
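Review bot: The commented-out `input` array in `testInvalidShortUnicode` does not appear to describe the data the test actually reads: its comments label the payload as START_OBJECT with a short-unicode name, while the assertions expect START_ARRAY followed by VALUE_STRING from `/data/clusterfuzz-smile-32654.smile`. Either delete the dead block or replace it with a short comment describing the resource, e.g. `// clusterfuzz 32654: array whose first String value contains invalid byte 0xB4 in short Unicode text`. The test also exercises only the value-decoding path; the matching message change in `_decodeShortUnicodeName` is not covered here, so a second case with an invalid byte in a field name would pin that as well.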
7 changes: 7 additions & 0 deletions smile/src/test/resources/data/clusterfuzz-smile-32654.smile
@@ -0,0 +1,7 @@
:)
��:i
4)
1)
z�*)
�����a_)
z�k_N�
