From 04ccdea5b623698cba4bbdda394c0d312987490a Mon Sep 17 00:00:00 2001
From: Tyler Gregg
Date: Thu, 14 Mar 2024 15:26:04 -0700
Subject: [PATCH] Adds a check for overflow when reading VarUInts.
---
 .../java/com/amazon/ion/impl/IonCursorBinary.java | 3 +++
 .../impl/IonReaderContinuableCoreBinaryTest.java | 13 +++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/src/main/java/com/amazon/ion/impl/IonCursorBinary.java b/src/main/java/com/amazon/ion/impl/IonCursorBinary.java
index 3b5f94ca73..4627383098 100644
--- a/src/main/java/com/amazon/ion/impl/IonCursorBinary.java
+++ b/src/main/java/com/amazon/ion/impl/IonCursorBinary.java
@@ -746,6 +746,9 @@ private long uncheckedReadVarUInt_1_0(byte currentByte) {
 currentByte = buffer[(int) (peekIndex++)];
 result = (result << VALUE_BITS_PER_VARUINT_BYTE) | (currentByte & LOWER_SEVEN_BITS_BITMASK);
 } while (currentByte >= 0);
+ if (result < 0) {
+ throw new IonException("Found a VarUInt that was too large to fit in a `long`");
+ }
 return result;
 }
diff --git a/src/test/java/com/amazon/ion/impl/IonReaderContinuableCoreBinaryTest.java b/src/test/java/com/amazon/ion/impl/IonReaderContinuableCoreBinaryTest.java
index 92091c599f..91e5ba57ec 100644
--- a/src/test/java/com/amazon/ion/impl/IonReaderContinuableCoreBinaryTest.java
+++ b/src/test/java/com/amazon/ion/impl/IonReaderContinuableCoreBinaryTest.java
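Review bot: The added `if (result < 0)` check after the loop in `uncheckedReadVarUInt_1_0` only catches an overflow that happens to leave bit 63 set, so it does not reject every oversized VarUInt. Each iteration shifts `result` left by `VALUE_BITS_PER_VARUINT_BYTE`, and the hunk shows no bound on the number of bytes. A 10-byte encoding whose first byte has its lowest bit clear, or any longer encoding, can therefore shift the excess bits out and be returned as a non-negative length that callers would treat as valid. Testing before the shift closes that gap: put `if (result > (Long.MAX_VALUE >>> VALUE_BITS_PER_VARUINT_BYTE))` with the same `throw` as the first statement of the `do` body. The start of the function lies outside the hunk, so confirm nothing above already limits the byte count.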
@@ -498,6 +498,19 @@ public void expectLobWithOverflowingEndIndexToFailCleanly(boolean constructFromB
 reader.close();
 }
+ @Test
+ public void expectLobWithOverflowingLengthToFailCleanly() {
+ IonReaderContinuableCoreBinary reader = initializeReader(
+ true,
+ 0xE0, 0x01, 0x00, 0xEA, // IVM
+ 0x9E, // clob with length VarUInt
+ 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0x7F, 0xFF, // 10-byte VarUInt with value that exceeds Long.MAX_VALUE
+ 0x00 // The first byte of the clob
+ );
+ assertThrows(IonException.class, reader::nextValue);
+ reader.close();
+ }
+
 @Test
 public void expectIncompleteContainerToFailCleanlyAfterFieldSid() {
 IonReaderContinuableCoreBinary reader = initializeReader(
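Review bot: `expectLobWithOverflowingLengthToFailCleanly` passes a literal `true` as the first argument to `initializeReader`, so it exercises only one reader construction mode. The neighbouring test named in the hunk header takes a boolean parameter (its name is cut off at `constructFromB`). If the other mode reads the length through a different routine, which is not visible here, that path is left without a regression test; parameterizing this test the same way would cover both. The single input also starts with `0x7F`, so the overflowed value always comes out negative. A second case with a 10-byte length whose first byte has its low bit clear would pin the behaviour for values that wrap to a non-negative `long`.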