Closed
Labels: fuzz (Issue found by OssFuzz), has-failing-test (Indicates that there exists a test case, under `failing/`, to reproduce the issue), smile
Description
In the SmileParser::nextTextValue() method, there is a line that uses the integer ptr as an index to retrieve a byte from _inputBuffer. With some invalid input and repeated calls to SmileParser::nextTextValue(), ptr can become negative, which triggers an unexpected ArrayIndexOutOfBoundsException.
```java
public String nextTextValue() throws IOException
{
    ...
    int ptr = _inputPtr;
    if (ptr >= _inputEnd) {   // only the upper bound is checked here
        ...
    }
    _tokenOffsetForTotal = ptr;
    int ch = _inputBuffer[ptr++] & 0xFF;   // throws ArrayIndexOutOfBoundsException when ptr < 0
    ...
```

The simplest fix is to add a bounds check for ptr before using it as the array index.
We found this issue with OSS-Fuzz, and it is reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65126.
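The following is an added illustration, not code from jackson-dataformats-binary: a hypothetical `ToyTextReader` that copies the `_inputBuffer`/`_inputPtr`/`_inputEnd` shape of the snippet above. Its record format and the way its pointer goes negative (a padding byte read sign-extended) are constructed for the demonstration and say nothing about how the real Smile parser reaches that state. It shows why the `ptr >= _inputEnd` check alone lets a negative pointer through to the array access on a later call, and what a complete guard looks like: reject the bad value where the pointer is updated, keep a cheap `ptr < 0` check where the pointer is used, and park the pointer at `_inputEnd` on failure so repeated calls cannot re-enter the buffer.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * Hypothetical reader modelled on the _inputBuffer/_inputPtr/_inputEnd fields
 * shown in the issue. It is NOT the Smile parser: the record format and the way
 * the pointer goes negative are constructed purely to illustrate the guard.
 *
 * Constructed record format: n, then n bytes of UTF-8 text, then a padding
 * count p; the next record starts p bytes after the text.
 */
public class ToyTextReader {
    private final byte[] _inputBuffer;
    private int _inputPtr;
    private final int _inputEnd;
    private final boolean _guarded;

    public ToyTextReader(byte[] input, boolean guarded) {
        _inputBuffer = input;
        _inputPtr = 0;
        _inputEnd = input.length;
        _guarded = guarded;
    }

    /** Returns the next text value, or null once the input is exhausted. */
    public String nextTextValue() throws IOException {
        int ptr = _inputPtr;
        if (_guarded && ptr < 0) {
            // Guard at the point of use: a negative pointer means parser state is
            // already corrupt, so report it and park the pointer at the end so
            // that further calls cannot re-enter the buffer.
            _inputPtr = _inputEnd;
            throw new IOException("Corrupt parser state: input pointer " + ptr + " is negative");
        }
        if (ptr >= _inputEnd) {          // the only check the original snippet has
            return null;
        }
        int n = _inputBuffer[ptr++] & 0xFF;          // masked: 0..255
        if (n > _inputEnd - ptr) {
            throw new IOException("Truncated text: need " + n + " bytes at offset " + ptr);
        }
        String value = new String(_inputBuffer, ptr, n, StandardCharsets.UTF_8);
        ptr += n;
        if (ptr >= _inputEnd) {
            throw new IOException("Truncated record: missing padding count");
        }
        // Constructed defect: the padding count is read sign-extended, so a byte
        // 0x80..0xFF yields a negative count and moves the pointer backwards.
        int pad = _inputBuffer[ptr++];
        if (_guarded && (pad < 0 || pad > _inputEnd - ptr)) {
            // Guard at the point of update: never commit a pointer outside [0, _inputEnd].
            _inputPtr = _inputEnd;
            throw new IOException("Invalid padding count " + pad + " at offset " + (ptr - 1));
        }
        _inputPtr = ptr + pad;
        return value;
    }

    /** Drives the reader to completion and returns a one-line summary of the outcome. */
    public static String drive(byte[] input, boolean guarded) {
        ToyTextReader r = new ToyTextReader(input, guarded);
        StringBuilder out = new StringBuilder();
        try {
            for (String s; (s = r.nextTextValue()) != null; ) {
                out.append('[').append(s).append(']');
            }
            return out + " end";
        } catch (IOException e) {
            return out + " IOException: " + e.getMessage();
        } catch (ArrayIndexOutOfBoundsException e) {
            return out + " ArrayIndexOutOfBoundsException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed input: one well-formed record "hi" with padding 0, then a
        // record "x" whose padding byte 0xF0 sign-extends to -16.
        byte[] input = { 2, 'h', 'i', 0, 1, 'x', (byte) 0xF0 };
        System.out.println("unguarded: " + drive(input, false));
        System.out.println("guarded:   " + drive(input, true));
    }
}
```

Run as written, the unguarded reader returns "hi" and "x" normally and only fails on the third call, when `_inputPtr` has already been set to -9 and `_inputBuffer[ptr++]` throws ArrayIndexOutOfBoundsException; this is the "repeated calls" pattern the issue describes, where the call that corrupts the pointer is not the call that crashes. The guarded reader rejects the record at the second call with a descriptive IOException instead, and because it parks the pointer at `_inputEnd`, every later call returns null rather than touching the buffer again.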