alhudz opened a new pull request, #1741:
URL: https://github.com/apache/commons-lang/pull/1741

   Repro: parse an untrusted date whose numeric field is a digit run that 
overflows `int`, e.g. 
`FastDateFormat.getInstance("yyyy").parse("99999999999")`, or 
`getInstance("yyyy").parseObject("99999999999", new ParsePosition(0))`.
   Cause: `NumberStrategy.parse` scans an unbounded run of digits for a 
trailing or standalone numeric field (its `maxWidth` is `0`) and passes the 
whole run to `Integer.parseInt`. A run that overflows `int` makes `parseInt` 
throw `NumberFormatException`, which escapes uncaught, so `parse(String)` 
throws `NumberFormatException` rather than the declared `ParseException`, and 
the `ParsePosition` overloads (`parse`, `parseObject`) throw instead of 
returning `null` with an error index as the `java.text.Format` contract 
requires.
   Fix: catch the overflow inside `NumberStrategy.parse` and signal a parse 
failure the same way the existing empty-digit branch already does 
(`setErrorIndex` then return `false`), so the field is simply unparseable 
instead of crashing the parser. Valid inputs are unchanged and it is the only 
`Integer.parseInt` in the class.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to