Openbravo Issue Tracking System - Openbravo ERP
ID: 0037135
Project: Openbravo ERP
Category: A. Platform
View Status: public
Date Submitted: 2017-10-20 13:54
Last Update: 2018-01-03 12:38
Reporter: alostale
Assigned To: alostale
Priority: urgent
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
5
 
Fixed in Version: 3.0PR18Q1
Review Assigned To: caristu
Modules: Core
Triggers an Emergency Pack: No
Summary: 0037135: OOM parsing corrupted JSON

Description
When a corrupted JSON string is parsed to instantiate a JSONObject, an OutOfMemoryError (OOM) can be thrown.

Even though it is very unlikely to happen, because the string must be corrupted in a very particular manner, it can occur when data is sent from the client to the server.

This is an issue in the current version (1.3) of the jettison library that is fixed in newer versions [1].

---
[1] https://github.com/jettison-json/jettison/commit/334f9ba080784b65da5

Steps To Reproduce
Cannot reproduce consistently in real life, as the JSON string representation must be corrupted in a specific way.

Execute:
    String corruptedJSON = "{\"data\":[{},";
    new JSONObject(corruptedJSON);

You get:
java.lang.OutOfMemoryError: Java heap space
    at java.util.Arrays.copyOf(Arrays.java:3210)
    at java.util.Arrays.copyOf(Arrays.java:3181)
    at java.util.ArrayList.grow(ArrayList.java:261)
    at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:235)
    at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:227)
    at java.util.ArrayList.add(ArrayList.java:458)
    at org.codehaus.jettison.json.JSONArray.<init>(JSONArray.java:107)
    at org.codehaus.jettison.json.JSONTokener.nextValue(JSONTokener.java:313)
    at org.codehaus.jettison.json.JSONObject.<init>(JSONObject.java:195)
    at org.codehaus.jettison.json.JSONObject.<init>(JSONObject.java:266)
    at LoadJson.main(LoadJson.java:17)
Proposed Solution
Upgrade to the latest jettison version.

Review the following changesets [1] that might affect behavior.

---
[1] https://docs.google.com/spreadsheets/d/1ldZ2IL3s5f-BSHlqVSGxG1ecTSJK20jIxaQudgZIlX8/edit#gid=0
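A fail-fast regression check for this fix, added here as an example (it is not part of the Openbravo changeset or of the jettison project). It assumes the patched jettison 1.3 jar is on the classpath and that the parser reports the truncated input through JSONException; the class name, thread name and time budget are my own choices.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;

/** Regression check for issue 37135: truncated JSON must be rejected, not exhaust the heap. */
public class CorruptedJsonCheck {
    // The input from the report: the array's trailing comma is never followed by a value or ']'.
    static final String CORRUPTED_JSON = "{\"data\":[{},";

    /**
     * Returns true only when the parser rejects the input with a JSONException inside the time
     * budget. Unpatched jettison 1.3 keeps appending to the array until the heap is gone, so the
     * parse runs on a daemon thread and is abandoned on timeout instead of sinking the JVM.
     */
    static boolean rejectsQuickly(String json, long budgetMillis) throws InterruptedException {
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "json-parse");
            t.setDaemon(true);   // a looping parser must not keep the JVM alive
            return t;
        });
        try {
            Future<Boolean> outcome = pool.submit(() -> {
                try {
                    new JSONObject(json);
                    return false;                 // corrupted input accepted: also a failure
                } catch (JSONException expected) {
                    return true;                  // the behaviour the patched jar must show
                }
            });
            return outcome.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException stillParsing) {
            return false;                         // parser is looping: old jar on the classpath
        } catch (ExecutionException e) {
            return false;                         // OutOfMemoryError or other failure in the parser
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        boolean ok = rejectsQuickly(CORRUPTED_JSON, 2000);
        System.out.println(ok ? "PASS: corrupted JSON rejected with JSONException"
                              : "FAIL: parser looped, ran out of memory, or accepted the input");
        System.exit(ok ? 0 : 1);
    }
}
```

With the old jettison-1.3.jar on the classpath the check reports FAIL once the time budget expires; with the patched jar it exits 0.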

No tags attached.
Relationships
related to: design defect 0037151 (acknowledged, Triage Platform Base) upgrade/replace JSON library
related to: defect 0037335 (closed, caristu) The DBSourceManager test classpath references the old jettison library
blocks: defect 0052255 (closed, kousalya_r) Request to provide valid version for jettison-1.3-patched.jar
Issue History
2017-10-20 13:54 | alostale | New Issue
2017-10-20 13:54 | alostale | Assigned To => platform
2017-10-20 13:54 | alostale | Modules => Core
2017-10-20 13:54 | alostale | Triggers an Emergency Pack => No
2017-10-20 13:54 | alostale | Steps to Reproduce Updated
2017-10-20 13:59 | alostale | Description Updated
2017-10-20 13:59 | alostale | Proposed Solution updated
2017-10-20 13:59 | alostale | Assigned To: platform => alostale
2017-10-20 13:59 | alostale | Status: new => acknowledged
2017-10-20 15:38 | alostale | Proposed Solution updated
2017-10-24 10:45 | alostale | Relationship added: related to 0037151
2017-10-24 10:50 | alostale | Note Added: 0100016
2017-10-24 16:27 | hgbot | Checkin
2017-10-24 16:27 | hgbot | Note Added: 0100043
2017-10-24 16:27 | hgbot | Status: acknowledged => resolved
2017-10-24 16:27 | hgbot | Resolution: open => fixed
2017-10-24 16:27 | hgbot | Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/490a7de26ccb70942d48381a02bfbb644f13b483
2017-10-24 16:28 | alostale | Review Assigned To => caristu
2017-10-25 08:50 | hgbot | Checkin
2017-10-25 08:50 | hgbot | Note Added: 0100046
2017-10-27 09:43 | caristu | Note Added: 0100093
2017-10-27 09:43 | caristu | Status: resolved => closed
2017-10-27 09:43 | caristu | Fixed in Version => 3.0PR18Q1
2017-11-20 18:44 | caristu | Relationship added: related to 0037335
2018-01-03 12:38 | hudsonbot | Checkin
2018-01-03 12:38 | hudsonbot | Note Added: 0101345
2018-01-03 12:38 | hudsonbot | Checkin
2018-01-03 12:38 | hudsonbot | Note Added: 0101346
2023-04-26 13:39 | kousalya_r | Relationship added: blocks 0052255

Notes
(0100016) alostale, 2017-10-24 10:50
Upgrading to latest version is problematic due to API changes introduced since current one (see 0037151).

Current plan is to backport only those changesets required to fix known problems.
(0100043) hgbot, 2017-10-24 16:27
Repository: erp/devel/pi
Changeset: 490a7de26ccb70942d48381a02bfbb644f13b483
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Tue Oct 24 10:17:17 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/490a7de26ccb70942d48381a02bfbb644f13b483

fixed bug 37135: OOM parsing corrupted JSON

  Backported jettison changesets to 1.3 version to solve this issue [1] and [2].

  Code for patched library can be found at [3].

  ---
  [1] https://github.com/alostale/jettison/commit/b5df5afdff6987839f912780ad0fc9c0b0847f7f
  [2] https://github.com/alostale/jettison/commit/83e804177eb19ec258481a23ffe30c3fa2f43ba4
  [3] https://github.com/alostale/jettison

---
A lib/runtime/jettison-1.3-patched.jar
R lib/runtime/jettison-1.3.jar
---
(0100046) hgbot, 2017-10-25 08:50
Repository: erp/devel/pi
Changeset: 97d86004181599767487a6190bdf0d0b01e8d83c
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Oct 25 08:38:49 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/97d86004181599767487a6190bdf0d0b01e8d83c

related to bug 37135: updated Licensing.txt

---
M legal/Licensing.txt
---
(0100093) caristu, 2017-10-27 09:43
Verified using the "corrupted JSON" for the testing: "{\"data\":[{},"
(0101345) hudsonbot, 2018-01-03 12:38
A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/c81e0d3cbab5
Maturity status: Test
(0101346) hudsonbot, 2018-01-03 12:38
A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/c81e0d3cbab5
Maturity status: Test