You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@johnzon.apache.org by "Markus Bruckner (JIRA)" <ji...@apache.org> on 2018/07/05 15:13:00 UTC
[jira] [Updated] (JOHNZON-177) Deserialization of numbers can
produce overflows and underflows
[ https://issues.apache.org/jira/browse/JOHNZON-177?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Markus Bruckner updated JOHNZON-177:
------------------------------------
Description:
Given the following json:
{code:java}
{
"value": 2147483648
}{code}
and the following dto:
{code:java}
public class IntContainer {
private int value;
public void setValue(int value) { this.value = value; }
public int getValue() { return value; }
}{code}
When I try to parse the json in the dto, the value overflows and is deserialized as negative value (or vice versa, if too large a negative number is used).
Failing test case:
{code:java}
@Test
public void shouldNotAcceptOutOfBoundsValue() {
String json = "{ \"value\": 2147483648 }";
Jsonb jsonb = JsonbProvider.provider().create().build();
IntContainer intContainer = jsonb.fromJson(json, IntContainer.class);
LOG.debug("deserialized value: {}", intContainer.getValue());
Assert.fail("should throw instead of wrapping the value in negative area");
}{code}
Log output is:
{noformat}
SerializationTest deserialized value: -2147483648{noformat}
The expected behavior would probably be an Exception if the number exceeds the bounds of the type of the field that the value should be deserialized into (byte, short, int, or long).
As additional info, because we researched this when confronted with this problem initially (with type int): Applying ijson-strict (rfc7493) doesn't help in this situation since there are values that are allowed by the ijson rfc and still over-/underflow a 32-bit integer (and it would further require us to transmit long values as string).
Boundaries:
* 2147483647 max value of signed 32bit integer
* 9007199254740991 > ijson maxvalue: "senders cannot expect receivers to parse numbers larger than..."
* 9223372036854775807 64b integer
was:
Given the following json:
{code:java}
{
"value": 2147483648
}{code}
and the following dto:
{code:java}
public class IntContainer {
private int value;
public void setValue(int value) { this.value = value; }
public int getValue() { return value; }
}{code}
When I try to parse the json in the dto, the value overflows and is deserialized as negative value (or vice versa, if too large a negative number is used).
Failing test case:
{code:java}
@Test
public void shouldNotAcceptOutOfBoundsValue() {
String json = "{ \"value\": 2147483648 }";
Jsonb jsonb = JsonbProvider.provider().create().build();
IntContainer intContainer = jsonb.fromJson(json, IntContainer.class);
LOG.debug("deserialized value: {}", intContainer.getValue());
Assert.fail("should throw instead of wrapping the value in negative area");
}{code}
Log output is:
{noformat}
SerializationTest deserialized value: -2147483648{noformat}
The expected behavior would probably be an Exception if the number exceeds the bounds of the type of the field that the value should be deserialized into (byte, short, int, or long).
As additional info, because we researched this when confronted with this problem initially (with type int): Applying ijson-strict (rfc7493) doesn't help in this situation since there are values that are allowed by the ijson rfc and still over-/underflow a 32-bit integer (and it would further lead to required use to transmit longs as string).
Boundaries:
* 2147483647 max value of signed 32bit integer
* 9007199254740991 > ijson maxvalue: "senders cannot expect receivers to parse numbers larger than..."
* 9223372036854775807 64b integer
> Deserialization of numbers can produce overflows and underflows
> ---------------------------------------------------------------
>
> Key: JOHNZON-177
> URL: https://issues.apache.org/jira/browse/JOHNZON-177
> Project: Johnzon
> Issue Type: Bug
> Affects Versions: 1.1.8
> Reporter: Markus Bruckner
> Priority: Minor
>
> Given the following json:
>
> {code:java}
> {
> "value": 2147483648
> }{code}
> and the following dto:
>
> {code:java}
> public class IntContainer {
> private int value;
> public void setValue(int value) { this.value = value; }
> public int getValue() { return value; }
> }{code}
> When I try to parse the json in the dto, the value overflows and is deserialized as negative value (or vice versa, if too large a negative number is used).
> Failing test case:
>
> {code:java}
> @Test
> public void shouldNotAcceptOutOfBoundsValue() {
> String json = "{ \"value\": 2147483648 }";
> Jsonb jsonb = JsonbProvider.provider().create().build();
> IntContainer intContainer = jsonb.fromJson(json, IntContainer.class);
> LOG.debug("deserialized value: {}", intContainer.getValue());
> Assert.fail("should throw instead of wrapping the value in negative area");
> }{code}
>
> Log output is:
>
> {noformat}
> SerializationTest deserialized value: -2147483648{noformat}
>
> The expected behavior would probably be an Exception if the number exceeds the bounds of the type of the field that the value should be deserialized into (byte, short, int, or long).
>
> As additional info, because we researched this when confronted with this problem initially (with type int): Applying ijson-strict (rfc7493) doesn't help in this situation since there are values that are allowed by the ijson rfc and still over-/underflow a 32-bit integer (and it would further require us to transmit long values as string).
> Boundaries:
> * 2147483647 max value of signed 32bit integer
> * 9007199254740991 > ijson maxvalue: "senders cannot expect receivers to parse numbers larger than..."
> * 9223372036854775807 64b integer
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)