  1. Johnzon
  2. JOHNZON-216

JsonStreamParserImpl.readString throws ArrayIndexOutOfBoundsException when dealing with string that contains escape characters


Details

    • Bug
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 1.1.12
    • 1.2.19
    • None
    • None

    Description

      There seems to be a bug within the JsonStreamParserImpl that is allowed in part by how it is configured within TomEE. Currently TomEE configures it with a maximum string length limit of 8192 bytes by default. It seems that escape characters (with backslash) do not properly count towards the total length when the string is validated, so it escapes validation.

      To replicate, put the attached file "bad.json" in your user directory and run this.

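      import java.io.ByteArrayInputStream;
      import java.io.File;
      import java.io.IOException;
      import java.io.InputStream;
      import java.nio.charset.StandardCharsets;
      import java.nio.file.Files;
      // JsonStreamParserImpl and BufferStrategy live in org.apache.johnzon.core.

      @Test
      public void parseEscapeCharacters() throws IOException {
         // Load the attached bad.json from the working directory.
         File bad = new File(System.getProperty("user.dir") + "/bad.json");
         byte[] badbytes = Files.readAllBytes(bad.toPath());
         String test = new String(badbytes, StandardCharsets.UTF_8);

         // Same 8192 limit that TomEE configures by default.
         int len = 8192;
         BufferStrategy.BufferProvider<char[]> bs = BufferStrategy.QUEUE.newCharProvider(len);
         InputStream stream = new ByteArrayInputStream(test.getBytes(StandardCharsets.UTF_8));
         JsonStreamParserImpl impl = new JsonStreamParserImpl(stream, len, bs, bs, false);
         // Drain the parser; the exception is thrown while reading a string.
         while (impl.hasNext()) {
            impl.next();
         }
      }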
      

      Results in 

      java.lang.ArrayIndexOutOfBoundsException: 8192
      
      at org.apache.johnzon.core.JsonStreamParserImpl.appendToCopyBuffer(JsonStreamParserImpl.java:158)
      at org.apache.johnzon.core.JsonStreamParserImpl.readString(JsonStreamParserImpl.java:592)
      at org.apache.johnzon.core.JsonStreamParserImpl.handleQuote(JsonStreamParserImpl.java:695)
      at org.apache.johnzon.core.JsonStreamParserImpl.next(JsonStreamParserImpl.java:440)
      at org.apache.johnzon.core.JsonStreamParserImpl.next(JsonStreamParserImpl.java:400)
      at zzz.parseEscapeCharacters(zzz.java:818)

      Attachments

        1. bad.json
          16 kB
          Kean Erickson
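
A sketch of the invariant this report points at, added here as an illustration and not Johnzon's code: every character written to the fixed-size copy buffer, including characters produced by decoding an escape, passes one bounds check that raises a controlled error instead of `ArrayIndexOutOfBoundsException`. The class name, exception name and the sample input are hypothetical.

```java
public class BoundedStringReader {
    /** Controlled failure the caller can map to "input too large". */
    static class StringTooLongException extends RuntimeException {
        StringTooLongException(int max) { super("JSON string exceeds " + max + " chars"); }
    }
    private final char[] copy; // fixed-size copy buffer (8192 in the report above)
    private int len;
    BoundedStringReader(int maxStringLength) { copy = new char[maxStringLength]; }

    // Single append path: plain chars and decoded escapes are both bounds-checked.
    private void append(char c) {
        if (len >= copy.length) throw new StringTooLongException(copy.length);
        copy[len++] = c;
    }

    private static int hex(char c) {
        if (c >= '0' && c <= '9') return c - '0';
        char l = (char) (c | 0x20); // fold A-F onto a-f
        return (l >= 'a' && l <= 'f') ? l - 'a' + 10 : -1;
    }

    /** Decodes a JSON string body (the text after the opening quote) up to the closing quote. */
    String readString(CharSequence in) {
        len = 0;
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            if (c == '"') return new String(copy, 0, len);
            if (c != '\\') { append(c); continue; }
            if (++i >= in.length()) break; // lone trailing backslash
            char e = in.charAt(i);
            int simple = "\"\\/ntrbf".indexOf(e);
            if (simple >= 0) {
                append("\"\\/\n\t\r\b\f".charAt(simple));
            } else if (e == 'u') {
                int cp = 0;
                for (int k = 0; k < 4; k++) {
                    int d = ++i < in.length() ? hex(in.charAt(i)) : -1;
                    if (d < 0) throw new IllegalArgumentException("bad \\u escape");
                    cp = (cp << 4) | d;
                }
                append((char) cp);
            } else throw new IllegalArgumentException("bad escape");
        }
        throw new IllegalArgumentException("unterminated string");
    }

    public static void main(String[] args) {
        String body = "\\n".repeat(20) + "\""; // constructed: 20 escapes, limit is 8 (Java 11+)
        try { new BoundedStringReader(8).readString(body); }
        catch (StringTooLongException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

A regression test for a fix can use the same shape of input as `bad.json`: a string made mostly of escape sequences whose decoded length exceeds the configured limit.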

        Activity

          People

            struberg Mark Struberg
            kerickson Kean Erickson