Reject range starting above resource length

Closes: gh-23576

Author: rstoyanchev

spring-web/src/main/java/org/springframework/http/HttpRange.java

@@ -65,6 +65,7 @@ public ResourceRegion toResourceRegion(Resource resource) {
 		long contentLength = getLengthFor(resource);
 		long start = getRangeStart(contentLength);
 		long end = getRangeEnd(contentLength);
+		Assert.isTrue(start < contentLength, "'position' exceeds the resource length " + contentLength);
 		return new ResourceRegion(resource, start, end - start + 1);
 	}
 

spring-web/src/test/java/org/springframework/http/HttpRangeTests.java

@@ -158,17 +158,23 @@ public void toResourceRegionIllegalLength() {
 		ByteArrayResource resource = mock(ByteArrayResource.class);
 		given(resource.contentLength()).willReturn(-1L);
 		HttpRange range = HttpRange.createByteRange(0, 9);
-		assertThatIllegalArgumentException().isThrownBy(() ->
-				range.toResourceRegion(resource));
+		assertThatIllegalArgumentException().isThrownBy(() -> range.toResourceRegion(resource));
 	}
 
 	@Test
 	public void toResourceRegionExceptionLength() throws IOException {
 		InputStreamResource resource = mock(InputStreamResource.class);
 		given(resource.contentLength()).willThrow(IOException.class);
 		HttpRange range = HttpRange.createByteRange(0, 9);
-		assertThatIllegalArgumentException().isThrownBy(() ->
-				range.toResourceRegion(resource));
+		assertThatIllegalArgumentException().isThrownBy(() -> range.toResourceRegion(resource));
+	}
+
+	@Test // gh-23576
+	public void toResourceRegionStartingAtResourceByteCount() {
+		byte[] bytes = "Spring Framework".getBytes(StandardCharsets.UTF_8);
+		ByteArrayResource resource = new ByteArrayResource(bytes);
+		HttpRange range = HttpRange.createByteRange(resource.contentLength());
+		assertThatIllegalArgumentException().isThrownBy(() -> range.toResourceRegion(resource));
 	}
 
 	@Test