SOLR-13200

Parsing of invalid query yields NPE


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: main (9.0)
    • Fix Version/s: 8.1, main (9.0)
    • Component/s: search

      Description

      Requesting the following URL causes Solr to return an HTTP 500 error response:

      http://localhost:8983/solr/films/select?fq={!frange%20l=1%20u=1}map(1)
      

      The error response seems to be caused by the following uncaught exception:

      java.lang.NullPointerException
      at sun.misc.FloatingDecimal.readJavaFormatString(FloatingDecimal.java:1838)
      at sun.misc.FloatingDecimal.parseFloat(FloatingDecimal.java:122)
      at java.lang.Float.parseFloat(Float.java:451)
      at org.apache.solr.search.FunctionQParser.parseFloat(FunctionQParser.java:145)
      at org.apache.solr.search.ValueSourceParser$13.parse(ValueSourceParser.java:242)
      at org.apache.solr.search.FunctionQParser.parseValueSource(FunctionQParser.java:370)
      at org.apache.solr.search.FunctionQParser.parse(FunctionQParser.java:82)
      at org.apache.solr.search.QParser.getQuery(QParser.java:173)
      at org.apache.solr.search.FunctionRangeQParserPlugin$1.parse(FunctionRangeQParserPlugin.java:51)
      at org.apache.solr.search.QParser.getQuery(QParser.java:173)
      at org.apache.solr.handler.component.QueryComponent.prepare(QueryComponent.java:205)
      

      The FunctionQParser.parseFloat function reads as follows:

          String str = parseArg();
          if (argWasQuoted()) throw new SyntaxError("Expected float instead of quoted string:" + str);
          float value = Float.parseFloat(str);
          return value;
      

      But parseArg() is permitted to return null (this is the case when there are no more function arguments), which crashes Float.parseFloat. It may be worth handling the null case explicitly.

      We found this bug using Diffblue Microservices Testing. Find more information on this fuzz testing campaign, where we found ~70 more issues like this one.
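
The null case described in the report, as an added example that is not Solr's code or the project's fix. `ArgReader`, `parseFloatUnchecked`, `parseFloatChecked` and the simplified `SyntaxError` are hypothetical stand-ins, and the checked variant goes beyond the report by also turning malformed numbers into a syntax error.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

public class ParseFloatNullDemo {
    // Simplified stand-in for Solr's SyntaxError (assumption: checked exception).
    static class SyntaxError extends Exception {
        SyntaxError(String msg) { super(msg); }
    }

    // Hypothetical argument reader: like parseArg() in the report, it
    // returns null once the function has no more arguments.
    static class ArgReader {
        private final Deque<String> args;
        ArgReader(List<String> args) { this.args = new ArrayDeque<>(args); }
        String parseArg() { return args.poll(); }
    }

    // Same shape as the reported snippet: null reaches Float.parseFloat.
    static float parseFloatUnchecked(ArgReader r) {
        return Float.parseFloat(r.parseArg());
    }

    // Null and malformed input both become a SyntaxError (a bad-query signal).
    static float parseFloatChecked(ArgReader r) throws SyntaxError {
        String str = r.parseArg();
        if (str == null) throw new SyntaxError("Expected float but found no more arguments");
        try {
            return Float.parseFloat(str);
        } catch (NumberFormatException e) {
            throw new SyntaxError("Expected float instead of: " + str);
        }
    }

    // Constructed input modelled on map(1): one argument is supplied and
    // consumed, then the parser asks for a float that is not there.
    static ArgReader exhausted() {
        ArgReader r = new ArgReader(List.of("1"));
        r.parseArg();
        return r;
    }

    public static void main(String[] unused) {
        try { parseFloatUnchecked(exhausted()); }
        catch (NullPointerException e) { System.out.println("unchecked: " + e.getClass().getName()); }
        try { parseFloatChecked(exhausted()); }
        catch (SyntaxError e) { System.out.println("checked: " + e.getMessage()); }
    }
}
```

The unchecked path ends in an uncaught `NullPointerException`, while the checked path gives the caller an exception type it already treats as invalid query syntax.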

        Attachments

        1. home.zip
          376 kB
          Johannes Kloos

              People

              • Assignee:
                Unassigned
                Reporter:
                jkloos Johannes Kloos