Description
In the `YAMLParser::_parseNumericValue()` method, there is a call to `Integer.parseInt(String)`, which parses the `_cleanedTextValue` string into an integer. Since the `_cleanedTextValue` string comes from untrusted user input, it could be malformed and make `Integer.parseInt(String)` throw a `NumberFormatException`. There is no handling of `NumberFormatException`, so it is thrown directly to the user as an unexpected exception. The call to `org.yaml.snakeyaml.parser.ParserImpl::getEvent()` could also throw `NumberFormatException`, which causes the same problem.
```java
@Override
protected void _parseNumericValue(int expType) throws IOException
{
    // Int or float?
    if (_currToken == JsonToken.VALUE_NUMBER_INT) {
        int len = _cleanedTextValue.length();
        if (_numberNegative) {
            len--;
        }
        if (len <= 9) { // definitely fits in int
            _numberInt = Integer.parseInt(_cleanedTextValue);
            _numTypesValid = NR_INT;
            return;
        }
        ...
```

```java
public JsonToken nextToken() throws IOException
{
    _currentIsAlias = false;
    _binaryValue = null;
    if (_closed) {
        return null;
    }
    while (true) {
        Event evt;
        try {
            evt = _yamlParser.getEvent();
            ...
```
The suggested fix is to add a try-catch wrapper that wraps the `NumberFormatException` in the expected `JacksonException`, so that unexpected exceptions are not thrown to users.
We found this issue with OSS-Fuzz, and it is reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63274 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65855.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63274 is already fixed in #452.
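The wrapping suggested above, as an added stand-alone example that is not the project's code or its actual patch: `NumericParseGuard`, `MalformedNumberException` (a stand-in for a `JacksonException` subclass, which extends `IOException`), `describe` and the sample inputs are all assumptions constructed for illustration.

```java
import java.io.IOException;

public class NumericParseGuard {
    // Hypothetical stand-in for a JacksonException subclass; like those, it is an IOException.
    static class MalformedNumberException extends IOException {
        MalformedNumberException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Before: mirrors the unguarded call from the issue. A malformed string
    // surfaces as an unchecked NumberFormatException the caller did not declare.
    static int parseUnguarded(String cleanedText) {
        return Integer.parseInt(cleanedText);
    }

    // After: the unchecked exception is converted into the checked type that
    // callers of a "throws IOException" parser API already handle.
    static int parseGuarded(String cleanedText) throws IOException {
        try {
            return Integer.parseInt(cleanedText);
        } catch (NumberFormatException e) {
            throw new MalformedNumberException(
                    "Invalid numeric value " + describe(cleanedText), e);
        }
    }

    // Bound how much untrusted input is echoed into messages and logs.
    static String describe(String s) {
        String head = s.length() > 32 ? s.substring(0, 32) + "..." : s;
        return "(length " + s.length() + "): '" + head + "'";
    }

    public static void main(String[] args) {
        // Constructed inputs: two valid integers, then three malformed strings.
        String[] samples = { "42", "-17", "12-3", "", "+-5" };
        for (String s : samples) {
            try {
                System.out.println("parsed: " + parseGuarded(s));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        // The unguarded variant leaks the runtime exception type instead.
        try {
            parseUnguarded("12-3");
        } catch (NumberFormatException e) {
            System.out.println("unguarded leaked: " + e.getClass().getName());
        }
    }
}
```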