View Issue Details
ID: 0037135
Type: defect
Category: [Openbravo ERP] A. Platform
Severity: major
Reproducibility: have not tried
Date Submitted: 2017-10-20 13:54
Last Update: 2018-01-03 12:38
Reporter: alostale
View Status: public
Assigned To: alostale
Priority: urgent
Resolution: fixed
Fixed in Version: 3.0PR18Q1
Status: closed
Fix in branch:
Fixed in SCM revision: 490a7de26ccb
Projection: none
ETA: none
Target Version:
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version:
SCM revision:
Review Assigned To: caristu
Web browser:
Modules: Core
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No
Summary

0037135: OOM parsing corrupted JSON

Description
When a corrupted JSON string is parsed to instantiate a JSONObject, an OOM (java.lang.OutOfMemoryError) can be thrown.

Even though this is very unlikely to happen, because the string must be corrupted in a very particular manner, it can occur when data is sent from client to server.

This is an issue in the current version (1.3) of the jettison library that is fixed in newer versions [1].

---
[1] https://github.com/jettison-json/jettison/commit/334f9ba080784b65da5
Steps To Reproduce
Cannot reproduce consistently in real life, as the JSON string representation must be corrupted in a specific way.

Execute:
    String corruptedJSON = "{\"data\":[{},";
    new JSONObject(corruptedJSON);


You get:
java.lang.OutOfMemoryError: Java heap space
    at java.util.Arrays.copyOf(Arrays.java:3210)
    at java.util.Arrays.copyOf(Arrays.java:3181)
    at java.util.ArrayList.grow(ArrayList.java:261)
    at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:235)
    at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:227)
    at java.util.ArrayList.add(ArrayList.java:458)
    at org.codehaus.jettison.json.JSONArray.<init>(JSONArray.java:107)
    at org.codehaus.jettison.json.JSONTokener.nextValue(JSONTokener.java:313)
    at org.codehaus.jettison.json.JSONObject.<init>(JSONObject.java:195)
    at org.codehaus.jettison.json.JSONObject.<init>(JSONObject.java:266)
    at LoadJson.main(LoadJson.java:17)
Proposed Solution
Upgrade to the latest jettison version.

Review the following changesets [1] that might affect behavior.

---
[1] https://docs.google.com/spreadsheets/d/1ldZ2IL3s5f-BSHlqVSGxG1ecTSJK20jIxaQudgZIlX8/edit#gid=0
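One defensive pre-check a server can apply to client-supplied JSON before handing it to the parser, as an added example (hypothetical JsonInputGuard class, not Openbravo or jettison code): it rejects input that ends with an unclosed object, array or string literal, so a truncated payload like the one in this report never reaches the looping array parser, and it also bounds the input size.

```java
import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;

/** Hypothetical guard class (added example, not Openbravo or jettison code). */
public final class JsonInputGuard {

    /** True when every '{' / '[' opened outside a string literal is closed before end of input. */
    static boolean isStructurallyComplete(String s) {
        int depth = 0;
        boolean inString = false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (inString) {
                if (c == '\\') {
                    i++;                    // skip the escaped character
                } else if (c == '"') {
                    inString = false;
                }
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '{': case '[': depth++; break;
                case '}': case ']': if (--depth < 0) return false; break;
                default: break;
            }
        }
        return depth == 0 && !inString;     // anything still open means the input was cut short
    }

    /** Rejects oversized or truncated input before it reaches the parser. */
    public static JSONObject parseUntrusted(String s, int maxChars) throws JSONException {
        if (s == null || s.length() > maxChars) {
            throw new JSONException("JSON input missing or longer than " + maxChars + " chars");
        }
        if (!isStructurallyComplete(s)) {
            throw new JSONException("JSON input is truncated or unbalanced");
        }
        return new JSONObject(s);
    }

    public static void main(String[] args) throws JSONException {
        String corruptedJSON = "{\"data\":[{},";   // the string from this report
        try {
            parseUntrusted(corruptedJSON, 1024);
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());   // reached instead of an OutOfMemoryError
        }
        // The well-formed counterpart passes the guard and parses normally (one key).
        System.out.println(parseUntrusted("{\"data\":[{}]}", 1024).length());
    }
}
```

The check is a cheap structural filter, not a validator: well-formed but semantically invalid JSON still goes through and must be rejected by the parser itself, so it complements the library upgrade rather than replacing it.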

Tags: No tags attached.
Attached Files

- Relationships
related to design defect 0037151 (acknowledged, Triage Platform Base): upgrade/replace JSON library
related to defect 0037335 (closed, caristu): The DBSourceManager test classpath references the old jettison library
blocks defect 0052255 (closed, kousalya_r): Request to provide valid version for jettison-1.3-patched.jar

- Notes
(0100016)
alostale (manager)
2017-10-24 10:50

Upgrading to latest version is problematic due to API changes introduced since current one (see 0037151).

Current plan is to backport only those changesets required to fix known problems.
(0100043)
hgbot (developer)
2017-10-24 16:27

Repository: erp/devel/pi
Changeset: 490a7de26ccb70942d48381a02bfbb644f13b483
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Tue Oct 24 10:17:17 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/490a7de26ccb70942d48381a02bfbb644f13b483

fixed bug 37135: OOM parsing corrupted JSON

  Backported jettison changesets to 1.3 version to solve this issue [1] and [2].

  Code for patched library can be found at [3].

  ---
  [1] https://github.com/alostale/jettison/commit/b5df5afdff6987839f912780ad0fc9c0b0847f7f
  [2] https://github.com/alostale/jettison/commit/83e804177eb19ec258481a23ffe30c3fa2f43ba4
  [3] https://github.com/alostale/jettison

---
A lib/runtime/jettison-1.3-patched.jar
R lib/runtime/jettison-1.3.jar
---
(0100046)
hgbot (developer)
2017-10-25 08:50

Repository: erp/devel/pi
Changeset: 97d86004181599767487a6190bdf0d0b01e8d83c
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Oct 25 08:38:49 2017 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/97d86004181599767487a6190bdf0d0b01e8d83c

related to bug 37135: updated Licensing.txt

---
M legal/Licensing.txt
---
(0100093)
caristu (developer)
2017-10-27 09:43

Verified using the "corrupted JSON" for the testing: "{\"data\":[{},"
(0101345)
hudsonbot (developer)
2018-01-03 12:38

A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/c81e0d3cbab5
Maturity status: Test
(0101346)
hudsonbot (developer)
2018-01-03 12:38

A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/c81e0d3cbab5
Maturity status: Test

- Issue History
Date Modified Username Field Change
2017-10-20 13:54 alostale New Issue
2017-10-20 13:54 alostale Assigned To => platform
2017-10-20 13:54 alostale Modules => Core
2017-10-20 13:54 alostale Triggers an Emergency Pack => No
2017-10-20 13:54 alostale Steps to Reproduce Updated View Revisions
2017-10-20 13:59 alostale Description Updated View Revisions
2017-10-20 13:59 alostale Proposed Solution updated
2017-10-20 13:59 alostale Assigned To platform => alostale
2017-10-20 13:59 alostale Status new => acknowledged
2017-10-20 15:38 alostale Proposed Solution updated
2017-10-24 10:45 alostale Relationship added related to 0037151
2017-10-24 10:50 alostale Note Added: 0100016
2017-10-24 16:27 hgbot Checkin
2017-10-24 16:27 hgbot Note Added: 0100043
2017-10-24 16:27 hgbot Status acknowledged => resolved
2017-10-24 16:27 hgbot Resolution open => fixed
2017-10-24 16:27 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/490a7de26ccb70942d48381a02bfbb644f13b483
2017-10-24 16:28 alostale Review Assigned To => caristu
2017-10-25 08:50 hgbot Checkin
2017-10-25 08:50 hgbot Note Added: 0100046
2017-10-27 09:43 caristu Note Added: 0100093
2017-10-27 09:43 caristu Status resolved => closed
2017-10-27 09:43 caristu Fixed in Version => 3.0PR18Q1
2017-11-20 18:44 caristu Relationship added related to 0037335
2018-01-03 12:38 hudsonbot Checkin
2018-01-03 12:38 hudsonbot Note Added: 0101345
2018-01-03 12:38 hudsonbot Checkin
2018-01-03 12:38 hudsonbot Note Added: 0101346
2023-04-26 13:39 kousalya_r Relationship added blocks 0052255