[ https://issues.apache.org/jira/browse/JOHNZON-407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Markus Jung updated JOHNZON-407:
--------------------------------
    Fix Version/s: 1.2.22
                   2.0.2

> NullPointerException in JsonArrayBuilderImpl(Collection<?>) constructor when collection contains data type that calls add method that refers to unset jsonProvider member
> --------------------------------------------------------------------------------
>
>                 Key: JOHNZON-407
>                 URL: https://issues.apache.org/jira/browse/JOHNZON-407
>             Project: Johnzon
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 1.2.21, 2.0.1
>            Reporter: Steven Walters
>            Assignee: Markus Jung
>            Priority: Major
>             Fix For: 1.2.22, 2.0.2
>
>
> Due to a regression by JOHNZON-397, the assignment of the {{JsonProviderImpl jsonProvider}} via {{this.jsonProvider = jsonProvider;}} occurs _*after*_ the {{add}} calls are done.
> This causes {{NullPointerException}} to occur when the {{add}} attempts to utilize the unset {{jsonProvider}} member variable.
> This is exhibited with usage of {{BigDecimal}} and {{BigInteger}} types as they both refer to {{jsonProvider::checkBigDecimalScale}}.
> This is also exhibited with usage of {{Map}}, {{Collection}}, and {{Array}} types as they pass unset (null) jsonProvider along.
> As a result of this issue, users upgrading to fix CVE-2023-33008 can encounter this {{NullPointerException}} as a byproduct

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
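
The constructor-ordering problem described in the issue, as an added Java example that is not Johnzon's code: `Provider`, `Builder`, `throwsNpe` and the `assignFirst` switch are hypothetical stand-ins, and the scale limit of 1000 is an assumption. It models both failure paths the report names, the direct dereference for `BigDecimal` and the null provider handed to a nested builder for a `Collection`.

```java
import java.math.BigDecimal;
import java.util.*;

// Simplified model of the ordering bug; none of these are Johnzon's classes.
public class InitOrderDemo {
    static class Provider {
        // Stand-in for the scale check; the limit used here is an assumption.
        void checkBigDecimalScale(BigDecimal v) { if (Math.abs(v.scale()) > 1000) throw new ArithmeticException("scale"); }
    }

    static class Builder {
        final List<Object> values = new ArrayList<>();
        final boolean assignFirst;
        Provider provider;

        Builder(Collection<?> initial, Provider provider, boolean assignFirst) {
            this.assignFirst = assignFirst;
            if (assignFirst) this.provider = provider;   // corrected order: field set before any add()
            for (Object o : initial) add(o);
            this.provider = provider;                    // regressed order: too late for add()
        }

        void add(Object o) {
            if (o instanceof BigDecimal) provider.checkBigDecimalScale((BigDecimal) o); // NPE while provider is null
            // A nested builder inherits whatever the field holds right now (null in the regressed order).
            values.add(o instanceof Collection ? new Builder((Collection<?>) o, provider, assignFirst).values : o);
        }
    }

    // True when building from 'input' fails with a NullPointerException.
    static boolean throwsNpe(Collection<?> input, boolean assignFirst) {
        try {
            new Builder(input, new Provider(), assignFirst);
            return false;
        } catch (NullPointerException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: plain values, a BigDecimal, and a BigDecimal inside a nested list.
        Collection<?> plain = Arrays.asList("a", 1);
        Collection<?> decimal = Arrays.asList(new BigDecimal("1.5"));
        Collection<?> nested = Arrays.asList(Arrays.asList(BigDecimal.ONE));
        for (Collection<?> in : Arrays.asList(plain, decimal, nested)) {
            System.out.println(in + " regressed=" + throwsNpe(in, false) + " fixed=" + throwsNpe(in, true));
        }
    }
}
```

Plain strings and integers never touch the provider, so a test suite without `BigDecimal`, `BigInteger` or nested containers would not catch this ordering; a regression test for the fix needs at least one of those element types.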