Adds a check for overflow when reading VarUInts.

amazon-ion · Mar 14, 2024 · 04ccdea · 04ccdea
1 parent 23a9346
commit 04ccdea
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/src/main/java/com/amazon/ion/impl/IonCursorBinary.java b/src/main/java/com/amazon/ion/impl/IonCursorBinary.java
@@ -746,6 +746,9 @@ private long uncheckedReadVarUInt_1_0(byte currentByte) {
             currentByte = buffer[(int) (peekIndex++)];
             result = (result << VALUE_BITS_PER_VARUINT_BYTE) | (currentByte & LOWER_SEVEN_BITS_BITMASK);
         } while (currentByte >= 0);
+        if (result < 0) {
+            throw new IonException("Found a VarUInt that was too large to fit in a `long`");
+        }
         return result;
     }
 

diff --git a/src/test/java/com/amazon/ion/impl/IonReaderContinuableCoreBinaryTest.java b/src/test/java/com/amazon/ion/impl/IonReaderContinuableCoreBinaryTest.java
@@ -498,6 +498,19 @@ public void expectLobWithOverflowingEndIndexToFailCleanly(boolean constructFromB
         reader.close();
     }
 
+    @Test
+    public void expectLobWithOverflowingLengthToFailCleanly() {
+        IonReaderContinuableCoreBinary reader = initializeReader(
+            true,
+            0xE0, 0x01, 0x00, 0xEA, // IVM
+            0x9E, // clob with length VarUInt
+            0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0xFF, // 10-byte VarUInt with value that exceeds Long.MAX_VALUE
+            0x00 // The first byte of the clob
+        );
+        assertThrows(IonException.class, reader::nextValue);
+        reader.close();
+    }
+
     @Test
     public void expectIncompleteContainerToFailCleanlyAfterFieldSid() {
         IonReaderContinuableCoreBinary reader = initializeReader(