-
-
Notifications
You must be signed in to change notification settings - Fork 797
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fail earlier on coercions from "too big" BigInteger
into fixed-size types (int
, long
, short
)
#488
Comments
Note to self: first patch covers cases where |
…r to avoid drastic performance issue as per suggestions by @wujimin
I think I will consider first part done; if and when potential gaps are found let's create new issues. |
(note: offshoot of FasterXML/jackson-databind#2157)
There is a potential Denial-of-Service attack vector in which attacker may include long
BigInteger
s, with size like 1 million digits (which is still feasible to send), targeted at processing that expects one of Java's fixed-length "small" integer types (int
,long
most commonly), and cause asymmetrically high processing load. This because JDK's conversion fromBigInteger
to these types is surprisingly slow; and because Jackson tries to retain accuracyThe text was updated successfully, but these errors were encountered: