Fixes #544: Fix a bug in reading EXT32 with 2GB size (#545)

xerial · web-flow · commit f67b6e5431b2 · 2021-02-16T09:00:53.000-08:00
* Fixes #544: Fix a bug in reading EXT32 with 2GB size * Add comment
diff --git a/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java b/msgpack-core/src/main/java/org/msgpack/core/MessageUnpacker.java
@@ -553,7 +553,10 @@ public void skipValue(int count)
                     skipPayload(readNextLength16() + 1);
                     break;
                 case EXT32:
-                    skipPayload(readNextLength32() + 1);
+                    int extLen = readNextLength32();
+                    // Skip the first ext type header (1-byte) first in case ext length is Integer.MAX_VALUE
+                    skipPayload(1);
+                    skipPayload(extLen);
                     break;
                 case ARRAY16:
                     count += readNextLength16();
@@ -1474,6 +1477,9 @@ public int unpackBinaryHeader()
     private void skipPayload(int numBytes)
             throws IOException
     {
+        if (numBytes < 0) {
+            throw new IllegalArgumentException("payload size must be >= 0: " + numBytes);
+        }
         while (true) {
             int bufferRemaining = buffer.size() - position;
             if (bufferRemaining >= numBytes) {
diff --git a/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala b/msgpack-core/src/test/scala/org/msgpack/core/InvalidDataReadTest.scala
@@ -0,0 +1,23 @@
+package org.msgpack.core
+
+/**
+ *
+ */
+class InvalidDataReadTest extends MessagePackSpec {
+
+  "Reading long EXT32" in {
+      // Prepare an EXT32 data with 2GB (Int.MaxValue size) payload for testing the behavior of MessageUnpacker.skipValue()
+      // Actually preparing 2GB of data, however, is too much for CI, so we create only the header part.
+      val msgpack = createMessagePackData(p => p.packExtensionTypeHeader(MessagePack.Code.EXT32, Int.MaxValue))
+      val u = MessagePack.newDefaultUnpacker(msgpack)
+      try {
+        // This error will be thrown after reading the header as the input has no EXT32 body
+        intercept[MessageInsufficientBufferException] {
+          u.skipValue()
+        }
+      }
+      finally  {
+        u.close()
+      }
+  }
+}
