From 768db58ee0e3e344fcdb574b7629765308a1d0af Mon Sep 17 00:00:00 2001
From: urielch
Date: Sun, 4 Apr 2021 16:27:46 +0300
Subject: [PATCH] fix CVE-2021-27568 in 2 packages

---
 json-smart-mini/pom.xml | 2 +-
 .../minidev/json/parser/JSONParserStream.java | 16 ++++++++++++----
 json-smart/pom.xml | 2 +-
 .../net/minidev/json/parser/JSONParserBase.java | 6 +-----
 parent/pom.xml | 4 ++--
 5 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/json-smart-mini/pom.xml b/json-smart-mini/pom.xml
index 9278a55..2395f8c 100644
--- a/json-smart-mini/pom.xml
+++ b/json-smart-mini/pom.xml
@@ -9,7 +9,7 @@
 net.minidev parent
- 1.0.9-1
+ 1.3.2
 ../parent/pom.xml
diff --git a/json-smart-mini/src/main/java/net/minidev/json/parser/JSONParserStream.java b/json-smart-mini/src/main/java/net/minidev/json/parser/JSONParserStream.java
index ec413cd..881abb4 100644
--- a/json-smart-mini/src/main/java/net/minidev/json/parser/JSONParserStream.java
+++ b/json-smart-mini/src/main/java/net/minidev/json/parser/JSONParserStream.java
@@ -250,9 +250,13 @@ private Object readNumber(boolean[] stop) throws ParseException, IOException {
 return sb.toString().trim();
 }
 String num = sb.toString().trim();
- if (num.length() > 18) // follow JSjonIJ parssing methode
- return new BigDecimal(num);
- return Double.parseDouble(num);
+ try {
+ if (num.length() > 18) // follow JSjonIJ parssing methode
+ return new BigDecimal(num);
+ return Double.parseDouble(num);
+ } catch (NumberFormatException e) {
+ throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs);
+ }
 }
 sb.append('E');
 read();
@@ -266,7 +270,11 @@ private Object readNumber(boolean[] stop) throws ParseException, IOException {
 skipNQString(stop);
 return sb.toString().trim();
 }
- return Double.parseDouble(sb.toString().trim());
+ try {
+ return Double.parseDouble(sb.toString().trim());
+ } catch (NumberFormatException e) {
+ throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs);
+ }
 } else {
 skipNQString(stop);
 return sb.toString().trim();
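Review bot: Both new rethrows in readNumber report `xs` as the offending token, while the text that actually failed to parse is `num` in the first hunk and `sb.toString().trim()` in the second; unless `xs` is kept in sync with the number buffer in this stream parser (not visible here), the ParseException will name a stale or unrelated token. I would pass the parsed text instead, `throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, num);`, and in the second hunk bind the trimmed string to a local first (e.g. `String text = sb.toString().trim();`) so the same value is both parsed and reported. The two try/catch blocks are otherwise identical and could share one small private helper that parses a string and translates NumberFormatException into ParseException. readNumber begins and ends outside both hunks. On the json-smart side, the JSONParserBase hunk appears to change only blank lines and brace spacing, since the catch it touches is already present on the removed lines, so the CVE fix named in the subject seems to be carried by this file alone.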
diff --git a/json-smart/pom.xml b/json-smart/pom.xml
index 70349dd..6cb535e 100644
--- a/json-smart/pom.xml
+++ b/json-smart/pom.xml
@@ -10,7 +10,7 @@
 net.minidev parent
- 1.3.1
+ 1.3.2
 ../parent/pom.xml
diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
index 8c5373d..a7254c7 100644
--- a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
+++ b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
@@ -134,17 +134,13 @@ public void checkLeadinZero() throws ParseException {
 protected Number extractFloat() throws ParseException {
 if (!acceptLeadinZero)
 checkLeadinZero();
-
 try {
 if (!useHiPrecisionFloat)
 return Float.parseFloat(xs);
-
 if (xs.length() > 18) // follow JSonIJ parsing method
 return new BigDecimal(xs);
-
 return Double.parseDouble(xs);
-
- } catch(NumberFormatException e){
+ } catch(NumberFormatException e) {
 throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs);
 }
 }
diff --git a/parent/pom.xml b/parent/pom.xml
index 8c5bbfe..8541507 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -3,7 +3,7 @@
 4.0.0 net.minidev parent
- 1.3.1
+ 1.3.2
 Minidev public super pom minidev common properties. pom
@@ -25,7 +25,7 @@
 uriel Uriel Chemouni uchemouni@gmail.com
- GMT+1
+ GMT+3