New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CODEC-313: Fix possible ArrayIndexOutOfBoundsException thrown by QuotedPrintableCodec.encodeQuotedPrintable() method #221
CODEC-313: Fix possible ArrayIndexOutOfBoundsException thrown by QuotedPrintableCodec.encodeQuotedPrintable() method #221
Conversation
@arthurscchan |
Hi, I have added the unit test. |
@arthurscchan |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@arthurscchan
Please see my comment.
src/main/java/org/apache/commons/codec/net/QuotedPrintableCodec.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
4769376
to
ad656e5
Compare
Signed-off-by: Arthur Chan <arthur.chan@adalogics.com>
ad656e5
to
130dafc
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #221 +/- ##
=========================================
Coverage 92.27% 92.28%
- Complexity 1742 1743 +1
=========================================
Files 67 67
Lines 4584 4586 +2
Branches 709 710 +1
=========================================
+ Hits 4230 4232 +2
Misses 242 242
Partials 112 112 ☔ View full report in Codecov by Sentry. |
@arthurscchan |
…Codec.encodeQuotedPrintable() method #221
This fixes a possible ArrayIndexOutOfBoundException in src/main/java/org/apache/commons/codec/language/QuotedPrintableCodec.java thrown by
QuotedPrintableCodec.encodeQuotedPrintable()
method when the input byte array has less than 3 elements.This PR adds a conditional check to ensure the index is never negative. It will simply return null if the byte array is too short (with a length less than 3) if strict value is true.
We found this bug using fuzzing by way of OSS-Fuzz. It is reported at https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64358.