jackson-databind/CVE-2022-42004.patch


From: Markus Koschany <apo@debian.org>
Date: Mon, 14 Nov 2022 22:40:58 +0100
Subject: CVE-2022-42004
Origin: https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
---
.../databind/deser/BeanDeserializerBase.java | 6 +--
.../dos/DeepArrayWrappingForDeser3582Test.java | 44 ++++++++++++++++++++++
2 files changed, 47 insertions(+), 3 deletions(-)
create mode 100644 src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
index 6ce41f7..639d8c9 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
@@ -1440,9 +1440,9 @@ public abstract class BeanDeserializerBase
return bean;
}
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
- JsonToken t = p.nextToken();
- if (t == JsonToken.END_ARRAY && ctxt.isEnabled(DeserializationFeature.ACCEPT_EMPTY_ARRAY_AS_NULL_OBJECT)) {
- return null;
+ if (p.nextToken() == JsonToken.START_ARRAY) {
+ return ctxt.handleUnexpectedToken(handledType(), JsonToken.START_ARRAY, p,
+"Cannot deserialize value of type %s from deeply-nested JSON Array: only single wrapper allowed with DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
}
final Object value = deserialize(p, ctxt);
if (p.nextToken() != JsonToken.END_ARRAY) {
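Review bot: The new `if (p.nextToken() == JsonToken.START_ARRAY)` guard replaces, rather than supplements, the removed `END_ARRAY` / `ACCEPT_EMPTY_ARRAY_AS_NULL_OBJECT` branch, so an empty array that previously deserialized to `null` under that feature now falls through to `deserialize(p, ctxt)` with the parser positioned on `END_ARRAY`; that looks like a behaviour regression unrelated to the CVE, and the upstream commit named in Origin appears to keep both checks. Reading the token once into a local and testing both cases keeps the nesting limit while preserving the empty-array path. The `%s` in the added message has no matching format argument in this hunk; if `handleUnexpectedToken` only formats when arguments are supplied, the placeholder is emitted literally, so either pass `handledType().getName()` or drop it. The enclosing method starts and ends outside the hunk.
```java
if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
    JsonToken t = p.nextToken();
    // Empty-array-as-null path retained: the depth check must not remove it.
    if (t == JsonToken.END_ARRAY && ctxt.isEnabled(DeserializationFeature.ACCEPT_EMPTY_ARRAY_AS_NULL_OBJECT)) {
        return null;
    }
    // Reject a second wrapper level before recursing, bounding the nesting depth.
    if (t == JsonToken.START_ARRAY) {
        return ctxt.handleUnexpectedToken(handledType(), JsonToken.START_ARRAY, p,
                "Cannot deserialize value of type %s from deeply-nested JSON Array: only single wrapper allowed with DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS",
                handledType().getName());
    }
    // … unchanged: single-value deserialize and trailing END_ARRAY check …
```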
diff --git a/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
new file mode 100644
index 0000000..2147cf1
--- /dev/null
+++ b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
@@ -0,0 +1,44 @@
+package com.fasterxml.jackson.databind.deser.dos;
+
+import java.io.IOException;
+import com.fasterxml.jackson.databind.*;
+
+public class DeepArrayWrappingForDeser3582Test extends BaseMapTest
+{
+ // 23-Aug-2022, tatu: Before fix, failed with 5000
+ private final static int TOO_DEEP_NESTING = 9999;
+
+ public void testArrayWrapping() throws Exception
+ {
+ final String doc = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "{}");
+ final ObjectMapper MAPPER = new ObjectMapper();
+ MAPPER.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
+ try {
+ MAPPER.readValue(doc, Point.class);
+ fail("Should not pass");
+ } catch (IOException e) {
+ verifyException(e, "Cannot deserialize");
+ verifyException(e, "nested JSON Array");
+ verifyException(e, "only single");
+ }
+ }
+
+ private String _nestedDoc(int nesting, String open, String close, String content) {
+ StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
+ for (int i = 0; i < nesting; ++i) {
+ sb.append(open);
+ if ((i & 31) == 0) {
+ sb.append("\n");
+ }
+ }
+ sb.append("\n").append(content).append("\n");
+ for (int i = 0; i < nesting; ++i) {
+ sb.append(close);
+ if ((i & 31) == 0) {
+ sb.append("\n");
+ }
+ }
+ return sb.toString();
+ }
+
+}
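Review bot: `testArrayWrapping` pins only the rejection path at `TOO_DEEP_NESTING`; nothing in the file verifies that the single wrapper level the feature is meant to allow still deserializes after the fix, so a regression that rejected every array would pass this test. A companion assertion such as `assertNotNull(MAPPER.readValue("[ {} ]", Point.class));` would pin the intended behaviour (`Point` and `verifyException` appear to come from `BaseMapTest`, outside this patch). In `_nestedDoc` the `StringBuilder` capacity hint counts only `open` and `close`, not `content` or the periodic newlines; harmless, but either `nesting * (open.length() + close.length() + 1) + content.length() + 2` or no hint at all would be more honest. The class-level comment `// 23-Aug-2022, tatu: Before fix, failed with 5000` would help future readers more as `// Depth chosen to overflow the default JVM stack before the fix (failed at 5000); the fix must reject it without recursing.`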