Steven Walters created JOHNZON-407:
--------------------------------------

             Summary: NullPointerException in JsonArrayBuilderImpl(Collection<?>) constructor when collection contains data type that calls add method that refers to unset jsonProvider member
                 Key: JOHNZON-407
                 URL: https://issues.apache.org/jira/browse/JOHNZON-407
             Project: Johnzon
          Issue Type: Bug
          Components: Core
    Affects Versions: 2.0.1, 1.2.21, 2.0.0
            Reporter: Steven Walters


Due to a regression by JOHNZON-397, the assignment of the
{{JsonProviderImpl jsonProvider}} via {{this.jsonProvider = jsonProvider;}}
occurs _*after*_ the {{add}} calls are done.

This causes {{NullPointerException}} to occur when the {{add}} attempts to 
utilize the unset {{jsonProvider}} member variable.
This is exhibited with usage of {{BigDecimal}} and {{BigInteger}} types as they 
both refer to {{jsonProvider::checkBigDecimalScale}}.
This is also exhibited with usage of {{Map}}, {{Collection}}, and {{Array}} 
types as they pass unset (null) jsonProvider along.

As a result of this issue, users upgrading to fix CVE-2023-33008 can encounter 
this {{NullPointerException}} as a byproduct.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
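
The initialization-order defect described in the report, reduced to a stand-alone Java model. This is an added example, not Johnzon code and not the reporter's; `Provider`, `Builder`, `BrokenBuilder`, `FixedBuilder` and the scale limit are hypothetical stand-ins.

```java
import java.math.BigDecimal;
import java.util.Collection;
import java.util.List;
import java.util.Objects;

// Hypothetical, simplified model of the reported pattern; not Johnzon source.
public class InitOrderDemo {
    // Stand-in for the provider whose scale check add() calls for BigDecimal.
    static class Provider {
        void checkBigDecimalScale(BigDecimal value) {
            if (Math.abs(value.scale()) > 1000) { // constructed limit
                throw new ArithmeticException("BigDecimal scale out of range");
            }
        }
    }
    static class Builder {
        protected Provider provider;
        protected int size;
        void add(Object value) {
            if (value instanceof BigDecimal) {
                provider.checkBigDecimalScale((BigDecimal) value); // NPE if provider is unset
            }
            size++;
        }
    }
    // Regressed order: elements are added before the field is assigned.
    static class BrokenBuilder extends Builder {
        BrokenBuilder(Collection<?> initial, Provider provider) {
            initial.forEach(this::add);
            this.provider = provider;
        }
    }
    // Corrected order: assign the dependency first, then add the elements.
    static class FixedBuilder extends Builder {
        FixedBuilder(Collection<?> initial, Provider provider) {
            this.provider = Objects.requireNonNull(provider, "provider");
            initial.forEach(this::add);
        }
    }
    public static void main(String[] args) {
        Collection<?> data = List.of("a", new BigDecimal("1.50")); // constructed input
        System.out.println("fixed size: " + new FixedBuilder(data, new Provider()).size);
        try {
            new BrokenBuilder(data, new Provider());
        } catch (NullPointerException e) {
            System.out.println("broken order: NullPointerException");
        }
    }
}
```

A regression test for this class of defect should construct the builder from a collection that contains each value type that reaches the dependency, not only strings and primitives.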
