alhudz opened a new pull request, #1741:
URL: https://github.com/apache/commons-lang/pull/1741
Repro: parse an untrusted date whose numeric field is a digit run that
overflows `int`, e.g.
`FastDateFormat.getInstance("yyyy").parse("99999999999")`, or
`getInstance("yyyy").parseObject("99999999999", new ParsePosition(0))`.
Cause: `NumberStrategy.parse` scans an unbounded run of digits for a
trailing or standalone numeric field (its `maxWidth` is `0`) and passes the
whole run to `Integer.parseInt`. A run that overflows `int` makes `parseInt`
throw `NumberFormatException`, which escapes uncaught, so `parse(String)`
throws `NumberFormatException` rather than the declared `ParseException`, and
the `ParsePosition` overloads (`parse`, `parseObject`) throw instead of
returning `null` with an error index as the `java.text.Format` contract
requires.
Fix: catch the overflow inside `NumberStrategy.parse` and signal a parse
failure the same way the existing empty-digit branch already does
(`setErrorIndex` then return `false`), so the field is simply unparseable
instead of crashing the parser. Valid inputs are unchanged and it is the only
`Integer.parseInt` in the class.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]