Fixes for #426: Add bound check for array index (#427)

Author: arthurscchan

release-notes/CREDITS-2.x

@@ -284,9 +284,11 @@ Simon Daudin (@simondaudin)
 Arthur Chan (@arthurscchan)
  * Contributed #417: (ion) `IonReader` classes contain assert statement which could throw
    unexpected `AssertionError`
- (2.17.0)
+  (2.17.0)
  * Contributed #420: (ion) `IndexOutOfBoundsException` thrown by `IonReader` implementations
- (2.17.0)
+  (2.17.0)
  * Contributed #424: (ion) `IonReader` throws `NullPointerException` for unchecked
    invalid data
- (2.17.0)
+  (2.17.0)
+ * Contributed #426: (smile) `SmileParser` throws unexpected IOOBE for corrupt content
+  (2.17.0)

release-notes/VERSION-2.x

@@ -18,12 +18,14 @@ Active maintainers:
 
 #417: (ion) `IonReader` classes contain assert statement which could throw
   unexpected `AssertionError`
- (contributed by Arthur C)
+ (fix contributed by Arthur C)
 #420: (ion) `IndexOutOfBoundsException` thrown by `IonReader` implementations
   are not handled 
- (contributed by Arthur C)
+ (fix contributed by Arthur C)
 #424: (ion) `IonReader` throws `NullPointerException` for unchecked invalid data
- (contributed by Arthur C)
+ (fix contributed by Arthur C)
+#426: (smile) `SmileParser` throws unexpected IOOBE for corrupt content
+ (fix contributed by Arthur C)
 -(ion) Update `com.amazon.ion:ion-java` to 1.11.0 (from 1.10.5)
 
 2.16.0 (15-Nov-2023)

smile/src/main/java/com/fasterxml/jackson/dataformat/smile/SmileParser.java

@@ -2893,6 +2893,11 @@ protected void _skipIncomplete() throws IOException
 
     protected void _skipBytes(int len) throws IOException
     {
+        // 18-Dec-2023, tatu: Sanity check related to some OSS-Fuzz findings:
+        if (len < 0) {
+            throw _constructReadException("Internal error: _skipBytes() called with negative value: %d",
+                    len);
+        }
         while (true) {
             int toAdd = Math.min(len, _inputEnd - _inputPtr);
             _inputPtr += toAdd;
@@ -2914,6 +2919,15 @@ protected void _skip7BitBinary() throws IOException
         // Ok; 8 encoded bytes for 7 payload bytes first
         int chunks = origBytes / 7;
         int encBytes = chunks * 8;
+
+        // sanity check: not all length markers valid; due to signed int(32)
+        // calculations maximum length only 7/8 of 2^31
+        if (encBytes < 0) {
+            throw _constructReadException(
+                    "Invalid content: invalid 7-bit binary encoded byte length (0x%X) exceeds maximum valid value",
+                    origBytes);
+        }
+        
         // and for last 0 - 6 bytes, last+1 (except none if no leftovers)
         origBytes -= 7 * chunks;
         if (origBytes > 0) {

smile/src/test/java/com/fasterxml/jackson/dataformat/smile/fuzz/Fuzz_426_65126IOOBETest.java

@@ -0,0 +1,28 @@
+package com.fasterxml.jackson.dataformat.smile.fuzz;
+
+import com.fasterxml.jackson.core.*;
+import com.fasterxml.jackson.core.exc.StreamReadException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+import com.fasterxml.jackson.dataformat.smile.BaseTestForSmile;
+
+public class Fuzz_426_65126IOOBETest extends BaseTestForSmile
+{
+    private final ObjectMapper MAPPER = smileMapper();
+
+    // [dataformats-binary#426]
+    public void testInvalidIOOBE() throws Exception
+    {
+        final byte[] input = readResource("/data/clusterfuzz-smile-65126.smile");
+        try (JsonParser p = MAPPER.createParser(input)) {
+            assertNull(p.nextTextValue());
+            assertToken(JsonToken.VALUE_EMBEDDED_OBJECT, p.currentToken());
+            try {
+                p.nextTextValue();
+                fail("Should not pass");
+            } catch (StreamReadException e) {
+                verifyException(e, "Invalid content: invalid 7-bit binary encoded byte length");
+            }
+        }
+    }
+}