Fixed #263

Author: cowtowncoder

release-notes/CREDITS-2.x

@@ -176,6 +176,8 @@ Fabian Meumertzheim (fmeum@github)
  (2.12.3)
 * Reported #261 (cbor) CBORParser need to validate zero-length byte[] for BigInteger
  (2.12.3)
+* Reported #263 (smile) Handle invalid chunked-binary-format length gracefully
+ (2.12.3)
 
 (jhhladky@github)
 

release-notes/VERSION-2.x

@@ -22,6 +22,8 @@ Modules:
  (reported by Fabian M)
 #261 (cbor) CBORParser need to validate zero-length byte[] for BigInteger 
  (reported by Fabian M)
+#263 (smile) Handle invalid chunked-binary-format length gracefully
+ (reported by Fabian M)
 
 2.12.2 (03-Mar-2021)
 

smile/src/main/java/com/fasterxml/jackson/dataformat/smile/SmileParser.java

@@ -2162,20 +2162,98 @@ private final void _finishBigDecimal() throws IOException
         _numberType = NumberType.BIG_DECIMAL;
     }
 
-    private final int _readUnsignedVInt() throws IOException
+    protected final int _readUnsignedVInt() throws IOException
+    {
+        // 23-Mar-2021, tatu: Let's optimize a bit here: if we have 5 bytes
+        //   available, can avoid further boundary checks
+        if ((_inputPtr + 5) > _inputEnd) {
+            return _readUnsignedVIntSlow();
+        }
+
+        int ch = _inputBuffer[_inputPtr++];
+        if (ch < 0) {
+            return ch & 0x3F;
+        }
+        int value = ch;
+
+        // 2nd byte
+        ch = _inputBuffer[_inputPtr++];
+        if (ch < 0) {
+            return (value << 6) + (ch & 0x3F);
+        }
+        value = (value << 7) + ch;
+
+        // 3rd byte
+        ch = _inputBuffer[_inputPtr++];
+        if (ch < 0) {
+            return (value << 6) + (ch & 0x3F);
+        }
+        value = (value << 7) + ch;
+
+        // 4th byte
+        ch = _inputBuffer[_inputPtr++];
+        if (ch < 0) {
+            return (value << 6) + (ch & 0x3F);
+        }
+        value = (value << 7) + ch;
+
+        // 5th byte
+        ch = _inputBuffer[_inputPtr++];
+        if ((ch >= 0) // invalid, should end
+                // Must validate no overflow, as well. We can have at most 31 bits
+                // for unsigned int, but with 4 x 7 + 6 == 34 we could have 3 "extra" bits;
+                // at this point we have accumulated 28 bits, so shifting right by 25 should
+                // not leave any 1 bits left:
+                || ((value >>> 25) != 0) // overflow in first byte
+                ) {
+            _reportInvalidUnsignedVInt(value >>> 21, ch);
+        }
+        return (value << 6) + (ch & 0x3F);
+    }
+
+    // @since 2.12.3
+    protected final int _readUnsignedVIntSlow() throws IOException
     {
         int value = 0;
-        while (true) {
+        int count = 0;
+
+        // Read first 4 bytes
+        do {
             if (_inputPtr >= _inputEnd) {
                 _loadMoreGuaranteed();
             }
-            int i = _inputBuffer[_inputPtr++];
-            if (i < 0) { // last byte
-                value = (value << 6) + (i & 0x3F);
+            int ch = _inputBuffer[_inputPtr++];
+            if (ch < 0) { // last byte
+                value = (value << 6) + (ch & 0x3F);
                 return value;
             }
-            value = (value << 7) + i;
+            value = (value << 7) + ch;
+        } while (++count < 4);
+
+        // but if we need fifth, require validation
+        if (_inputPtr >= _inputEnd) {
+            _loadMoreGuaranteed();
+        }
+        int ch = _inputBuffer[_inputPtr++];
+        // same validation as in optimized cvase
+        if ((ch >= 0) // invalid, did not end with high-bit set
+                || ((value >>> 25) != 0) // overflow in first byte
+                ) {
+            _reportInvalidUnsignedVInt(value >>> 21, ch);
+        }
+        return (value << 6) + (ch & 0x3F);
+    }
+
+    protected final void _reportInvalidUnsignedVInt(int firstCh, int lastCh) throws IOException
+    {
+        if (lastCh >= 0) {
+            _reportError(
+"Overflow in VInt (current token %s): 5th byte (0x%2X) of 5-byte sequence must have its highest bit set to indicate end",
+currentToken(), lastCh);
         }
+        _reportError(
+"Overflow in VInt (current token %s): 1st byte (0x%2X) of 5-byte sequence must have its top 4 bits zeroes",
+currentToken(), firstCh);
     }
 
     private final byte[] _read7BitBinaryWithLength() throws IOException
@@ -2740,7 +2818,7 @@ protected void _reportInvalidOther(int mask, int ptr) throws JsonParseException
     protected void _reportIncompleteBinaryRead(int expLen, int actLen) throws IOException
     {
         _reportInvalidEOF(String.format(" for Binary value: expected %d bytes, only found %d",
-                expLen, actLen), _currToken);
+                expLen, actLen), currentToken());
     }
 
     /*

smile/src/test/java/com/fasterxml/jackson/dataformat/smile/ParserInternalsTest.java

@@ -0,0 +1,93 @@
+package com.fasterxml.jackson.dataformat.smile;
+
+import java.io.InputStream;
+
+import com.fasterxml.jackson.core.exc.StreamReadException;
+import com.fasterxml.jackson.core.io.IOContext;
+import com.fasterxml.jackson.core.sym.ByteQuadsCanonicalizer;
+import com.fasterxml.jackson.dataformat.smile.testutil.ThrottledInputStream;
+
+public class ParserInternalsTest extends BaseTestForSmile
+{
+    private final ByteQuadsCanonicalizer ROOT_SYMBOLS = ByteQuadsCanonicalizer.createRoot();
+
+    public void testPositiveVIntGoodCases() throws Exception
+    {
+        // First, couple of known good cases
+        _verifyVIntOk(0, new byte[] { (byte) 0x80 });
+        _verifyVIntOk(3, new byte[] { (byte) 0x83 });
+        _verifyVIntOk(Integer.MAX_VALUE, new byte[] {
+                0x0F, 0x7F, 0x7F, 0x7F, (byte) 0xBF
+        });
+    }
+
+    public void testPositiveVIntOverflows() throws Exception
+    {
+        // Bad: ends at 5th, but overflows
+        _verifyVIntBad(new byte[] {
+                (byte) 0x7F, 0x7F, 0x7F, 0x7F, (byte) 0xBF
+        }, "Overflow in VInt", "1st byte (0x7F)"
+        );
+        // Bad: does not end at 5th (and overflows that way)
+        _verifyVIntBad(new byte[] {
+                (byte) 0x7F, 0x7F, 0x7F, 0x7F, (byte) 0x7F
+        }, "Overflow in VInt", "5th byte (0x7F)"
+        );
+    }
+
+    private void _verifyVIntOk(int expValue, byte[] doc) throws Exception
+    {
+        // First, read with no boundaries
+        try (SmileParser p = _minimalParser(doc)) {
+            assertEquals(expValue, p._readUnsignedVInt());
+        }
+
+        // Then incremental read
+        try (SmileParser p = _minimalParser(new ThrottledInputStream(doc, 1))) {
+            assertEquals(expValue, p._readUnsignedVInt());
+        }
+    }
+
+    private void _verifyVIntBad(byte[] doc, String... msgs) throws Exception
+    {
+        // First, read with no boundaries
+        try (SmileParser p = _minimalParser(doc)) {
+            try {
+                int val = p._readUnsignedVInt();
+                fail("Should not pass, got 0x"+Integer.toHexString(val));
+            } catch (StreamReadException e) {
+                verifyException(e, msgs);
+            }
+        }
+
+        // Then incremental read
+        try (SmileParser p = _minimalParser(new ThrottledInputStream(doc, 1))) {
+            try {
+                int val = p._readUnsignedVInt();
+                fail("Should not pass, got 0x"+Integer.toHexString(val));
+            } catch (StreamReadException e) {
+                verifyException(e, msgs);
+            }
+        }
+    }
+    
+    private SmileParser _minimalParser(byte[] doc) {
+        IOContext ctxt = new IOContext(null, doc, false);
+        return new SmileParser(ctxt, // IOContext
+                0, 0, // flags
+                null, // (codec)
+                ROOT_SYMBOLS.makeChild(0), // ByteQuadsCanonicalizer
+                null, // InputStream
+                doc, 0, doc.length, false);
+    }
+
+    private SmileParser _minimalParser(InputStream in) {
+        IOContext ctxt = new IOContext(null, in, false);
+        return new SmileParser(ctxt, // IOContext
+                0, 0, // flags
+                null, // (codec)
+                ROOT_SYMBOLS.makeChild(0), // ByteQuadsCanonicalizer
+                in, // InputStream
+                new byte[1], 0, 0, false);
+    }
+}

smile/src/test/java/com/fasterxml/jackson/dataformat/smile/fuzz/Fuzz32180BinaryTest.java

@@ -8,13 +8,12 @@
 
 import com.fasterxml.jackson.dataformat.smile.BaseTestForSmile;
 
-// For [dataformats-binary#]
+// For [dataformats-binary#260]
 public class Fuzz32180BinaryTest extends BaseTestForSmile
 {
     private final ObjectMapper MAPPER = smileMapper();
 
-    // Payload:
-    public void testInvalidBinary() throws Exception
+    public void testInvalidRawBinary() throws Exception
     {
         final byte[] input0 = new byte[] {
                 0x3A, 0x29, 0x0A, 0x00, // smile signature

smile/src/test/java/com/fasterxml/jackson/dataformat/smile/fuzz/Fuzz32339_7BitBinaryTest.java

@@ -0,0 +1,38 @@
+package com.fasterxml.jackson.dataformat.smile.fuzz;
+
+import java.io.ByteArrayInputStream;
+import java.util.Arrays;
+
+import com.fasterxml.jackson.core.exc.StreamReadException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.smile.BaseTestForSmile;
+
+//For [dataformats-binary#263]
+public class Fuzz32339_7BitBinaryTest extends BaseTestForSmile
+{
+    private final ObjectMapper MAPPER = smileMapper();
+
+    // Payload:
+    public void testInvalid7BitBinary() throws Exception
+    {
+        final byte[] input0 = new byte[] {
+                0x3A, 0x29, 0x0A, 0x00, // smile signature
+                (byte) 0xE8, // binary, 7-bit encoded
+                0x35, 0x20, 0x20,
+                0x20, (byte) 0xFF // 5 byte VInt for 0x7fe4083f (close to Integer.MAX_VALUE)
+        };
+
+        // Let's expand slightly to avoid too early detection, ensure that we are
+        // not only checking completely missing payload or such
+        final byte[] input = Arrays.copyOf(input0, 65 * 1024);
+
+        try (ByteArrayInputStream bytes = new ByteArrayInputStream(input)) {
+            try {
+            /*JsonNode root =*/ MAPPER.readTree(bytes);
+            } catch (StreamReadException e) {
+                verifyException(e, "Overflow in VInt (current token VALUE_EMBEDDED_OBJECT");
+                verifyException(e, "1st byte (0x35)");
+            }
+        }
+    }
+}