Sheung Chi Chan created CODEC-312:
-------------------------------------
Summary: MatchRatingApproachEncoder.encode throws StringIndexOutOfBoundsException
Key: CODEC-312
URL: https://issues.apache.org/jira/browse/CODEC-312
Project: Commons Codec
Issue Type: Bug
Reporter: Sheung Chi Chan
The {{encode(String)}} method takes in a random String and checks whether it is
empty. It goes through a few rounds of processing if the given String is not
empty. It does contain a check to ensure the String is not empty before
processing, but it is missing some checks. Each of the 3 processing methods
{{cleanName(name)}} / {{removeVowels(name)}} / {{removeDoubleConsonants(name)}}
removes some characters from the String and could cause the string to become
empty (length = 0). That results in a StringIndexOutOfBoundsException when the
{{substring()}} method is called in the next processing method. For example, if
the randomly provided string is {{..}}, it gets past the first check in the
encode method and enters the {{cleanName(name)}} method. The
{{cleanName(name)}} method removes the two dots and returns an empty string.
Without the additional check, this causes a StringIndexOutOfBoundsException
in the {{substring()}} call in the next method, {{removeVowels(name)}},
because the length of the string is 0.
A possible fix could add conditional checks to ensure the string is not
empty after each method call. If it is empty after any method call, it will
simply return {{EMPTY}} and avoid continuing on to the next processing
method.
We found this bug using fuzzing by way of OSS-Fuzz. It is reported at
[https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64359].
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
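The failure mode described in the report, as an added example that is not part of the issue and not Commons Codec source: a small Python model of the four-stage encode pipeline (the stage bodies are approximated from the description, so the exact character set stripped by cleanName and the double-consonant table are assumptions, and a `substring` helper mimics Java's bounds check). `encode_unguarded` reproduces the crash on `..`, `encode_guarded` applies the proposed after-each-stage empty check, and `crashes` runs both over a constructed set of fuzzer-style inputs.

```python
"""Model of the MatchRatingApproachEncoder.encode pipeline from CODEC-312.

Simplified Python re-implementation written for this example; it is not the
Commons Codec code. Stage behaviour is approximated from the bug report
(assumption: cleanName strips -, &, ', ., comma and whitespace; the real method
also strips accents), and substring() raises on an empty input the way Java's
String.substring raises StringIndexOutOfBoundsException.
"""
import re
import string

EMPTY = ""
VOWELS = "AEIOU"
# Assumed table of double consonants collapsed to a single letter.
DOUBLE_CONSONANTS = [c + c for c in string.ascii_uppercase if c not in VOWELS]


def substring(s: str, begin: int, end: int) -> str:
    # Java-style bounds check: begin 0, end 1 on an empty string fails,
    # whereas Python slicing would silently return "".
    if begin < 0 or end > len(s) or begin > end:
        raise IndexError(f"begin {begin}, end {end}, length {len(s)}")
    return s[begin:end]


def clean_name(name: str) -> str:
    # Upper-case and drop punctuation and whitespace; ".." becomes "".
    name = name.upper()
    name = re.sub(r"[-&'.,]", EMPTY, name)
    return re.sub(r"\s+", EMPTY, name)


def remove_vowels(name: str) -> str:
    # substring(0, 1) is the call that blows up when the previous stage
    # emptied the string.
    first = substring(name, 0, 1)
    for v in VOWELS:
        name = name.replace(v, EMPTY)
    return first + name if first in VOWELS else name


def remove_double_consonants(name: str) -> str:
    for dc in DOUBLE_CONSONANTS:
        name = name.replace(dc, dc[0])
    return name


def first3_last3(name: str) -> str:
    n = len(name)
    if n > 6:
        return substring(name, 0, 3) + substring(name, n - 3, n)
    return name


STAGES = (clean_name, remove_vowels, remove_double_consonants, first3_last3)


def _rejected_up_front(name) -> bool:
    # Only the raw input is checked; "." and "" are caught, ".." is not.
    return name is None or name in (EMPTY, " ") or len(name) == 1


def encode_unguarded(name):
    """Reported behaviour: no check between stages."""
    if _rejected_up_front(name):
        return EMPTY
    for stage in STAGES:
        name = stage(name)
    return name


def encode_guarded(name):
    """Proposed fix: return EMPTY as soon as any stage leaves nothing."""
    if _rejected_up_front(name):
        return EMPTY
    for stage in STAGES:
        name = stage(name)
        if not name:
            return EMPTY
    return name


def crashes(encoder, name) -> bool:
    """True if the encoder raises the Java-style index error on this input."""
    try:
        encoder(name)
    except IndexError:
        return True
    return False


# Constructed inputs in the spirit of what a fuzzer would feed the encoder.
CONSTRUCTED_INPUTS = ["..", "--", "', ", " . ", "a-", "Smith", "O'Brien", "  Harrison  "]


def crashing_inputs(encoder):
    return [n for n in CONSTRUCTED_INPUTS if crashes(encoder, n)]


if __name__ == "__main__":
    print("unguarded crashes on:", crashing_inputs(encode_unguarded))
    print("guarded crashes on:", crashing_inputs(encode_guarded))
```

Any input that cleanName reduces to nothing (punctuation-only strings, punctuation plus whitespace) trips the unguarded pipeline, while inputs that survive the first stage encode identically under both versions; the guard changes only the previously crashing cases, which now return EMPTY.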