Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Uncaught validation problem wrt Smile "BigDecimal" type (found by OSS-Fuzzer) #257

Closed
cowtowncoder opened this issue Mar 18, 2021 · 1 comment
Closed

Uncaught validation problem wrt Smile "BigDecimal" type (found by OSS-Fuzzer) #257

cowtowncoder opened this issue Mar 18, 2021 · 1 comment
Labels
fuzz Issue found by OssFuzz smile
Milestone
2.12.3

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Mar 18, 2021
edited
Loading

(note: offshoot of this finding https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32168)

Looks like following 7-byte document encoding a single "BigInteger" value:

0x3A 0x29 0x0A  0x08  // 4 byte header (note, 0x8 specifies unused bit that... maybe should error)
0x2A // Number, BigDecimal
0xFF // scale; zigzag value of -32,
   // HOWEVER, not actually legal as second-most-significant-bit SHOULD be zero
   // (should this be caught, reported?)
   // -- should be 0xBF
0xC0 // length of payload, zigzag of 0 but similarly invalid represention
   // -- should be 0x80

causes an exception within BigInteger, attempting to pass 0-byte array to construct BigInteger (to further create BigDecimal). That is not a valid value and needs to be specifically checked against, reported.
@cowtowncoder
Copy link
Member Author

One change for more robust handling: allow zero-length payload for BigInteger (value, or unscaled part) to represent BigInteger.ZERO and BigDecimal.ZERO respectively. Since rules regarding this particular potential encoding were not spelled out, seems safest to do this instead of exception.

cowtowncoder added a commit that referenced this issue Mar 19, 2021
@cowtowncoder
One minor change wrt #257 to allow zero-length BigInteger represent…
467b8ce 
…ation for BigInteger.ZERO
@cowtowncoder cowtowncoder modified the milestones: 2, 2.12.3 Mar 19, 2021
@cowtowncoder cowtowncoder mentioned this issue Mar 20, 2021
Closed
@cowtowncoder cowtowncoder added the fuzz Issue found by OssFuzz label Apr 5, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fuzz Issue found by OssFuzz smile
Projects
None yet
Milestone
2.12.3
Development

No branches or pull requests
1 participant
@cowtowncoder