More coverage wrt #811, improved checks

Author: cowtowncoder

src/main/java/com/fasterxml/jackson/core/base/GeneratorBase.java

@@ -497,4 +497,60 @@ protected final int _decodeSurrogate(int surr1, int surr2) throws IOException
         int c = 0x10000 + ((surr1 - SURR1_FIRST) << 10) + (surr2 - SURR2_FIRST);
         return c;
     }
+
+    /*
+    /**********************************************************************
+    /* Helper methods for validating parameters
+    /**********************************************************************
+     */
+
+    // @since 2.14
+    protected void _checkRangeBoundsForByteArray(int offset, int len, int dataLen)
+        throws IOException
+    {
+        final int end = offset+len;
+
+        // Note: we are checking that:
+        //
+        // !(offset < 0)
+        // !(len < 0)
+        // !((offset + len) < 0) // int overflow!
+        // !((offset + len) > dataLen) == !((datalen - (offset+len)) < 0)
+
+        // All can be optimized by OR'ing and checking for negative:
+        int anyNegs = offset | len | end | (dataLen - end);
+        if (anyNegs < 0) {
+            _reportError(String.format(
+"Invalid 'offset' (%d) and/or 'len' (%d) arguments for `byte[]` of length %d",
+offset, len, dataLen));
+        }
+    }
+
+    // @since 2.14
+    protected void _checkRangeBoundsForCharArray(int offset, int len, int dataLen)
+        throws IOException
+    {
+        final int end = offset+len;
+        // Note: we are checking same things as with other bounds-checks
+        int anyNegs = offset | len | end | (dataLen - end);
+        if (anyNegs < 0) {
+            _reportError(String.format(
+"Invalid 'offset' (%d) and/or 'len' (%d) arguments for `char[]` of length %d",
+offset, len, dataLen));
+        }
+    }
+
+    // @since 2.14
+    protected void _checkRangeBoundsForString(int offset, int len, int dataLen)
+        throws IOException
+    {
+        final int end = offset+len;
+        // Note: we are checking same things as with other bounds-checks
+        int anyNegs = offset | len | end | (dataLen - end);
+        if (anyNegs < 0) {
+            _reportError(String.format(
+"Invalid 'offset' (%d) and/or 'len' (%d) arguments for `String` of length %d",
+offset, len, dataLen));
+        }
+    }
 }

src/main/java/com/fasterxml/jackson/core/json/JsonGeneratorImpl.java

@@ -248,54 +248,4 @@ protected void _reportCantWriteValueExpectName(String typeMsg) throws IOExceptio
         _reportError(String.format("Can not %s, expecting field name (context: %s)",
                 typeMsg, _writeContext.typeDesc()));
     }
-
-    // @since 2.14
-    protected void _checkRangeBoundsForByteArray(int offset, int len, int dataLen)
-        throws IOException
-    {
-        final int end = offset+len;
-
-        // Note: we are checking that:
-        //
-        // !(offset < 0)
-        // !(len < 0)
-        // !((offset + len) < 0) // int overflow!
-        // !((offset + len) > dataLen)
-
-        // First 3 can be optimized by OR'ing and checking for negative:
-        int anyNegs = offset | len | end;
-        if ((anyNegs < 0) || (end > dataLen)) {
-            _reportError(String.format(
-"Invalid 'offset' (%d) and/or 'len' (%d) arguments for `byte[]` of length %d",
-offset, len, dataLen));
-        }
-    }
-
-    // @since 2.14
-    protected void _checkRangeBoundsForCharArray(int offset, int len, int dataLen)
-        throws IOException
-    {
-        final int end = offset+len;
-        // Note: we are checking same things as with other bounds-checks
-        int anyNegs = offset | len | end;
-        if ((anyNegs < 0) || (end > dataLen)) {
-            _reportError(String.format(
-"Invalid 'offset' (%d) and/or 'len' (%d) arguments for `char[]` of length %d",
-offset, len, dataLen));
-        }
-    }
-
-    // @since 2.14
-    protected void _checkRangeBoundsForString(int offset, int len, int dataLen)
-        throws IOException
-    {
-        final int end = offset+len;
-        // Note: we are checking same things as with other bounds-checks
-        int anyNegs = offset | len | end;
-        if ((anyNegs < 0) || (end > dataLen)) {
-            _reportError(String.format(
-"Invalid 'offset' (%d) and/or 'len' (%d) arguments for `String` of length %d",
-offset, len, dataLen));
-        }
-    }
 }

src/main/java/com/fasterxml/jackson/core/json/UTF8JsonGenerator.java

@@ -741,14 +741,7 @@ public void writeRawValue(SerializableString text) throws IOException {
     @Override
     public final void writeRaw(char[] cbuf, int offset, int len) throws IOException
     {
-        // 03-Aug-2022, tatu: Maybe need to do bounds checks first (found by Fuzzer)
-        // ... note that "end < 0" may occur with int overflow
-        final int end = offset + len;
-        if ((offset < 0) || (len < 0) || (end < 0) || (end > cbuf.length)) {
-            _reportError(String.format(
-"Invalid 'offset' (%d) and/or 'len' (%d) arguments for `char[]` of length %d",
-offset, len, cbuf.length));
-        }
+        _checkRangeBoundsForCharArray(offset, len, cbuf.length);
 
         // First: if we have 3 x charCount spaces, we know it'll fit just fine
         {

src/main/java/com/fasterxml/jackson/core/json/WriterBasedJsonGenerator.java

@@ -597,14 +597,7 @@ public void writeRaw(SerializableString text) throws IOException {
     @Override
     public void writeRaw(char[] cbuf, int offset, int len) throws IOException
     {
-        // 03-Aug-2022, tatu: Maybe need to do bounds checks first (found by Fuzzer)
-        // ... note that "end < 0" may occur with int overflow
-        final int end = offset + len;
-        if ((offset < 0) || (len < 0) || (end < 0) || (end > cbuf.length)) {
-            _reportError(String.format(
-"Invalid 'offset' (%d) and/or 'len' (%d) arguments for `char[]` of length %d",
-offset, len, cbuf.length));
-        }
+        _checkRangeBoundsForCharArray(offset, len, cbuf.length);
 
         // Only worth buffering if it's a short write?
         if (len < SHORT_WRITE) {

src/test/java/com/fasterxml/jackson/core/write/GeneratorBoundsChecksTest.java

@@ -92,6 +92,12 @@ private void _testBoundsWithByteArrayInput(GeneratorCreator genc,
             ByteBackedOperation oper) throws Exception {
         final byte[] BYTES10 = new byte[10];
         _testBoundsWithByteArrayInput(genc, oper, BYTES10, -1, 1);
+        _testBoundsWithByteArrayInput(genc, oper, BYTES10, 4, -1);
+        _testBoundsWithByteArrayInput(genc, oper, BYTES10, 4, -6);
+        _testBoundsWithByteArrayInput(genc, oper, BYTES10, 9, 5);
+        // and the integer overflow, too
+        _testBoundsWithByteArrayInput(genc, oper, BYTES10, Integer.MAX_VALUE, 4);
+        _testBoundsWithByteArrayInput(genc, oper, BYTES10, Integer.MAX_VALUE, Integer.MAX_VALUE);
     }
 
     private void _testBoundsWithByteArrayInput(GeneratorCreator genc,
@@ -156,6 +162,11 @@ private void _testBoundsWithCharArrayInput(GeneratorCreator genc,
             CharBackedOperation oper) throws Exception {
         final char[] CHARS10 = new char[10];
         _testBoundsWithCharArrayInput(genc, oper, CHARS10, -1, 1);
+        _testBoundsWithCharArrayInput(genc, oper, CHARS10, 4, -1);
+        _testBoundsWithCharArrayInput(genc, oper, CHARS10, 4, -6);
+        _testBoundsWithCharArrayInput(genc, oper, CHARS10, 9, 5);
+        _testBoundsWithCharArrayInput(genc, oper, CHARS10, Integer.MAX_VALUE, 4);
+        _testBoundsWithCharArrayInput(genc, oper, CHARS10, Integer.MAX_VALUE, Integer.MAX_VALUE);
     }
 
     private void _testBoundsWithCharArrayInput(GeneratorCreator genc,
@@ -214,6 +225,11 @@ private void _testBoundsWithStringInput(GeneratorCreator genc,
             StringBackedOperation oper) throws Exception {
         final String STRING10 = new String(new char[10]);
         _testBoundsWithStringInput(genc, oper, STRING10, -1, 1);
+        _testBoundsWithStringInput(genc, oper, STRING10, 4, -1);
+        _testBoundsWithStringInput(genc, oper, STRING10, 4, -6);
+        _testBoundsWithStringInput(genc, oper, STRING10, 9, 5);
+        _testBoundsWithStringInput(genc, oper, STRING10, Integer.MAX_VALUE, 4);
+        _testBoundsWithStringInput(genc, oper, STRING10, Integer.MAX_VALUE, Integer.MAX_VALUE);
     }
 
     private void _testBoundsWithStringInput(GeneratorCreator genc,