Max number length config for BigInteger and BigDecimal#1068
Conversation
Completes the CVE-2026-59171 fix started in ab92bb9 / #1065. The 1000-char length guard in stringToValue admits short exponent-notation literals (e.g. 1e100000000, 11 chars) which are stored compactly as BigDecimal and only expand when getBigInteger/optBigInteger calls BigDecimal.toBigInteger(), materialising ~10^8 digits and stalling the thread or throwing OOM. Guard both toBigInteger() sites in objectToBigInteger by rejecting any BigDecimal whose integer part would exceed ParserConfiguration.DEFAULT_MAX_NUMBER_LENGTH decimal digits (precision() - scale(), both O(1) reads). Returns defaultValue on overflow, matching the method's existing behaviour for non-finite and unparseable values. Covers JSONObject.getBigInteger/optBigInteger and JSONArray.getBigInteger/optBigInteger (all delegate to this helper). Adds JSONObjectTest.getBigIntegerHugeExponentReturnsDefault with a 5s timeout so a regression fails fast rather than hanging CI. Co-Authored-By: Claude <noreply@anthropic.com>
…:S108) Co-Authored-By: Claude <noreply@anthropic.com>
…Integer Per review on #1067: - objectToBigInteger(val, dflt, JSONParserConfiguration) uses cfg.getMaxNumberLength() for the digit-count guard; -1 disables it. Existing 2-arg form delegates with a default config. - New public overloads on JSONObject and JSONArray: getBigInteger(key, cfg) / optBigInteger(key, dflt, cfg). Existing methods delegate with a default config. - objectToBigDecimal left unchanged (no expansion path; agreed on PR). - Tests cover default (1000), raised (2000), lowered (5), disabled (-1), null config, and JSONArray overloads. Co-Authored-By: Claude <noreply@anthropic.com>
#1063: bound BigDecimal→BigInteger expansion in objectToBigInteger (completes CVE-2026-59171 fix)
|
|
What problem does this code solve? Does the code still compile with Java6? Risks Changes to the API? Will this require a new release? Should the documentation be updated? Does it break the unit tests? Was any code refactored in this commit? Review status Thanks to @waydeshi, @Damien-Warren-206, and @mechko for contributions that resulted in this fix Starting 3 day comment window |



Description
Additional work for CVE-2026-59171 (See #1065):
This fixes ParserConfiguration should support max number length #1066
Refactoring
N/A
Testing done
New unit tests were added.