Fix #811

Author: cowtowncoder

release-notes/VERSION-2.x

@@ -57,6 +57,8 @@ JSON library.
   with key of ""
 #798: Avoid copy when parsing `BigDecimal`
  (contributed by Philippe M)
+#811: Add explicit bounds checks for `JsonGenerator` methods that take
+  `byte[]`/`char[]`/String-with-offsets input
 
 2.13.3 (14-May-2022)
 

src/main/java/com/fasterxml/jackson/core/json/UTF8JsonGenerator.java

@@ -615,14 +615,15 @@ public final void writeString(SerializableString text) throws IOException
     }
 
     @Override
-    public void writeRawUTF8String(byte[] text, int offset, int length) throws IOException
+    public void writeRawUTF8String(byte[] text, int offset, int len) throws IOException
     {
+        _checkRangeBoundsForByteArray(offset, len, text.length);
         _verifyValueWrite(WRITE_STRING);
         if (_outputTail >= _outputEnd) {
             _flushBuffer();
         }
         _outputBuffer[_outputTail++] = _quoteChar;
-        _writeBytes(text, offset, length);
+        _writeBytes(text, offset, len);
         if (_outputTail >= _outputEnd) {
             _flushBuffer();
         }
@@ -632,6 +633,7 @@ public void writeRawUTF8String(byte[] text, int offset, int length) throws IOExc
     @Override
     public void writeUTF8String(byte[] text, int offset, int len) throws IOException
     {
+        _checkRangeBoundsForByteArray(offset, len, text.length);
         _verifyValueWrite(WRITE_STRING);
         if (_outputTail >= _outputEnd) {
             _flushBuffer();

src/main/java/com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java

@@ -665,6 +665,8 @@ private void writeRawLong(String text) throws IOException
     public void writeBinary(Base64Variant b64variant, byte[] data, int offset, int len)
         throws IOException, JsonGenerationException
     {
+        _checkRangeBoundsForByteArray(offset, len, data.length);
+
         _verifyValueWrite(WRITE_BINARY);
         // Starting quotes
         if (_outputTail >= _outputEnd) {

src/test/java/com/fasterxml/jackson/core/write/GeneratorBoundsChecksTest.java

@@ -54,17 +54,38 @@ public void call(JsonGenerator g, byte[] data, int offset, int len) throws Excep
             g.writeBinary(data, offset, len);
         }
     };
-    
+
+    private final ByteBackedOperation WRITE_RAW_UTF8_FROM_BYTES = new ByteBackedOperation() {
+        @Override
+        public void call(JsonGenerator g, byte[] data, int offset, int len) throws Exception {
+            g.writeRawUTF8String(data, offset, len);
+        }
+    };
+
+    private final ByteBackedOperation WRITE_UTF8_STRING_FROM_BYTES = new ByteBackedOperation() {
+        @Override
+        public void call(JsonGenerator g, byte[] data, int offset, int len) throws Exception {
+            g.writeUTF8String(data, offset, len);
+        }
+    };
+
     public void testBoundsWithByteArrayInputFromBytes() throws Exception {
-//        _testBoundsWithByteArrayInput(BYTE_GENERATOR_CREATOR);
+        _testBoundsWithByteArrayInput(BYTE_GENERATOR_CREATOR, true);
     }
 
     public void testBoundsWithByteArrayInputFromChars() throws Exception {
-//        _testBoundsWithByteArrayInput(CHAR_GENERATOR_CREATOR);
+        _testBoundsWithByteArrayInput(CHAR_GENERATOR_CREATOR, false);
     }
 
-    private void _testBoundsWithByteArrayInput(GeneratorCreator genc) throws Exception {
+    private void _testBoundsWithByteArrayInput(GeneratorCreator genc, boolean byteBacked)
+            throws Exception {
         _testBoundsWithByteArrayInput(genc, WRITE_BINARY_FROM_BYTES);
+        // NOTE: byte[] writes of pre-encoded UTF-8 not supported for Writer-backed
+        // generator, so:
+        if (byteBacked) {
+            _testBoundsWithByteArrayInput(genc, WRITE_RAW_UTF8_FROM_BYTES);
+            _testBoundsWithByteArrayInput(genc, WRITE_UTF8_STRING_FROM_BYTES);
+        }
     }
 
     private void _testBoundsWithByteArrayInput(GeneratorCreator genc,
@@ -83,7 +104,7 @@ private void _testBoundsWithByteArrayInput(GeneratorCreator genc,
             } catch (StreamWriteException e) {
                 verifyException(e, "Invalid 'offset'");
                 verifyException(e, "'len'");
-                verifyException(e, "arguments for String of length "+data.length);
+                verifyException(e, "arguments for `byte[]` of length "+data.length);
             }
         }
     }
@@ -96,7 +117,21 @@ private void _testBoundsWithByteArrayInput(GeneratorCreator genc,
 
     // // // Individual generator calls to check, char[]-backed
 
+    private final CharBackedOperation WRITE_NUMBER_FROM_CHARS = new CharBackedOperation() {
+        @Override
+        public void call(JsonGenerator g, char[] data, int offset, int len) throws Exception {
+            g.writeNumber(data, offset, len);
+        }
+    };
+
     private final CharBackedOperation WRITE_RAW_FROM_CHARS = new CharBackedOperation() {
+        @Override
+        public void call(JsonGenerator g, char[] data, int offset, int len) throws Exception {
+            g.writeRaw(data, offset, len);
+        }
+    };
+
+    private final CharBackedOperation WRITE_RAWVALUE_FROM_CHARS = new CharBackedOperation() {
         @Override
         public void call(JsonGenerator g, char[] data, int offset, int len) throws Exception {
             g.writeRawValue(data, offset, len);
@@ -112,7 +147,9 @@ public void testBoundsWithCharArrayInputFromChars() throws Exception {
     }
 
     private void _testBoundsWithCharArrayInput(GeneratorCreator genc) throws Exception {
+        _testBoundsWithCharArrayInput(genc, WRITE_NUMBER_FROM_CHARS);
         _testBoundsWithCharArrayInput(genc, WRITE_RAW_FROM_CHARS);
+        _testBoundsWithCharArrayInput(genc, WRITE_RAWVALUE_FROM_CHARS);
     }
 
     private void _testBoundsWithCharArrayInput(GeneratorCreator genc,