fix CVE-2021-27568 in 2 packages

netplex · Apr 4, 2021 · 768db58 · 768db58
1 parent d07cf9f
commit 768db58
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 13 deletions.
diff --git a/json-smart-mini/pom.xml b/json-smart-mini/pom.xml
@@ -9,7 +9,7 @@
 	<parent>
 		<groupId>net.minidev</groupId>
 		<artifactId>parent</artifactId>
-		<version>1.0.9-1</version>
+		<version>1.3.2</version>
 		<relativePath>../parent/pom.xml</relativePath>
 	</parent>
 

diff --git a/json-smart-mini/src/main/java/net/minidev/json/parser/JSONParserStream.java b/json-smart-mini/src/main/java/net/minidev/json/parser/JSONParserStream.java
@@ -250,9 +250,13 @@ private Object readNumber(boolean[] stop) throws ParseException, IOException {
 				return sb.toString().trim();
 			}
 			String num = sb.toString().trim();
-			if (num.length() > 18) // follow JSjonIJ parssing methode
-				return new BigDecimal(num);
-			return Double.parseDouble(num);
+			try {
+				if (num.length() > 18) // follow JSjonIJ parssing methode
+					return new BigDecimal(num);
+				return Double.parseDouble(num);
+			} catch (NumberFormatException e) {
+				throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs);	
+			}
 		}
 		sb.append('E');
 		read();
@@ -266,7 +270,11 @@ private Object readNumber(boolean[] stop) throws ParseException, IOException {
 				skipNQString(stop);
 				return sb.toString().trim();
 			}
-			return Double.parseDouble(sb.toString().trim());
+			try {
+				return Double.parseDouble(sb.toString().trim());
+			} catch (NumberFormatException e) {
+				throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs);	
+			}
 		} else {
 			skipNQString(stop);
 			return sb.toString().trim();

diff --git a/json-smart/pom.xml b/json-smart/pom.xml
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>net.minidev</groupId>
 		<artifactId>parent</artifactId>
-		<version>1.3.1</version>
+		<version>1.3.2</version>
 		<relativePath>../parent/pom.xml</relativePath>
 	</parent>
 

diff --git a/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java b/json-smart/src/main/java/net/minidev/json/parser/JSONParserBase.java
@@ -134,17 +134,13 @@ public void checkLeadinZero() throws ParseException {
 	protected Number extractFloat() throws ParseException {
 		if (!acceptLeadinZero)
 			checkLeadinZero();
-
 		try {
 			if (!useHiPrecisionFloat)
 				return Float.parseFloat(xs);
-
 			if (xs.length() > 18) // follow JSonIJ parsing method
 				return new BigDecimal(xs);
-
 			return Double.parseDouble(xs);
-
-		} catch(NumberFormatException e){
+		} catch(NumberFormatException e) {
 			throw new ParseException(pos, ERROR_UNEXPECTED_TOKEN, xs);
 		}
 	}

diff --git a/parent/pom.xml b/parent/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>net.minidev</groupId>
 	<artifactId>parent</artifactId>
-	<version>1.3.1</version>
+	<version>1.3.2</version>
 	<name>Minidev public super pom</name>
 	<description>minidev common properties.</description>
 	<packaging>pom</packaging>
@@ -25,7 +25,7 @@
 			<id>uriel</id>
 			<name>Uriel Chemouni</name>
 			<email>uchemouni@gmail.com</email>
-			<timezone>GMT+1</timezone>
+			<timezone>GMT+3</timezone>
 			<roles>
 			</roles>
 		</developer>