Closed
I've been doing some randomized testing, and it looks like `_parseFloat` in `ReaderBasedJsonParser` has a bug that is triggered when parsing negative numbers with exponents whose sign character appears immediately before the end of the input buffer. At line 923 of the current master:
```java
// Sign indicator?
ch = (int) _inputBuffer[ptr++];
if (ch == INT_MINUS || ch == INT_PLUS) { // yup, skip for now
    if (ptr >= inputLen) {
        _inputPtr = startPtr;
        return _parseNumber2(false, startPtr);
    }
    ch = (int) _inputBuffer[ptr++];
}
```
It looks like the intent of this is to fall back to a slow path in that case, but `_parseNumber2` gets passed `false` in the `neg` parameter, so it doesn't expect to see the initial sign character and throws a "missing integer part" parse error. I think passing `neg` there instead of `false` would fix it.
Here's a reproducing case:
```java
import java.io.CharArrayReader;
import java.io.IOException;
import com.fasterxml.jackson.core.JsonFactory;

public class Repro {
    public static void main(String[] args) throws IOException {
        char[] arr = new char[50005];
        for (int i = 0; i != 50000; ++i) {
            // i leading spaces shift "-1e-1" so the exponent sign lands on every buffer position
            java.util.Arrays.fill(arr, 0, i, ' ');
            arr[i] = '-';
            arr[i + 1] = '1';
            arr[i + 2] = 'e';
            arr[i + 3] = '-';
            arr[i + 4] = '1';
            CharArrayReader r = new CharArrayReader(arr, 0, i + 5);
            new JsonFactory().createParser(r).nextToken();
        }
    }
}
```
About 4000 iterations in, the bug will trigger.
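The reproducer above only checks that `nextToken()` does not throw for one sign combination. The following regression check is an added example, not the issue author's code and not part of jackson-core: it sweeps a numeric literal with a signed exponent across leading-whitespace offsets so the exponent sign lands on every position relative to the parser's internal buffer boundary, for both an unsigned and a negative mantissa and both exponent signs, and verifies the parsed `double` against `Double.parseDouble`. It assumes jackson-core is on the classpath; the `MAX_OFFSET` of 8000 is an assumption chosen to cover at least one full buffer reload regardless of the default buffer size (a leading `+` on the mantissa is not valid JSON and is deliberately not tested).

```java
import java.io.CharArrayReader;
import java.io.IOException;
import java.util.Arrays;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;

/**
 * Added regression check (not jackson-core's own test code): counts the
 * whitespace offsets at which a literal such as "-1e-1" fails to parse or
 * parses to the wrong value, for each mantissa/exponent sign combination.
 */
public class ExponentSignBoundaryCheck {
    // Assumption: 8000 offsets span at least one full internal buffer reload.
    static final int MAX_OFFSET = 8000;

    /** Returns how many offsets produced an exception, a wrong token, or a wrong value. */
    static int countFailures(String mantissaPrefix, char exponentSign) {
        String literal = mantissaPrefix + "1e" + exponentSign + "1"; // e.g. "-1e-1", "1e+1"
        double expected = Double.parseDouble(literal);
        char[] arr = new char[MAX_OFFSET + literal.length()];
        JsonFactory factory = new JsonFactory();
        int failures = 0;
        for (int offset = 0; offset < MAX_OFFSET; ++offset) {
            // offset leading spaces, then the literal; the reader stops right after it,
            // so the exponent sign is the second-to-last char the parser ever sees.
            Arrays.fill(arr, 0, offset + literal.length(), ' ');
            literal.getChars(0, literal.length(), arr, offset);
            try (JsonParser p = factory.createParser(
                    new CharArrayReader(arr, 0, offset + literal.length()))) {
                if (p.nextToken() != JsonToken.VALUE_NUMBER_FLOAT
                        || p.getDoubleValue() != expected) {
                    failures++;
                }
            } catch (IOException e) {
                // JsonParseException ("missing integer part") lands here on the buggy build;
                // keep sweeping so the total shows how many positions are affected.
                failures++;
            }
        }
        return failures;
    }

    public static void main(String[] args) {
        for (String mantissaPrefix : new String[] {"", "-"}) {
            for (char exponentSign : new char[] {'-', '+'}) {
                int failures = countFailures(mantissaPrefix, exponentSign);
                System.out.println(mantissaPrefix + "1e" + exponentSign + "1: "
                        + failures + " failing offsets out of " + MAX_OFFSET);
            }
        }
    }
}
```

On a build with the `_parseNumber2(false, startPtr)` fallback described above, the two negative-mantissa rows are expected to report non-zero counts while the unsigned rows report zero; after the fix every row should report zero.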