What happended?
In file: SExpression.java, there is a potential case of null pointer dereference. In method parse(), there is a call to parseExpression(), passing parameter SExpression to be null.
public static SExpression parse(InputStream _src, int maxDepth)
throws IOException
{
return parseExpression(_src, null, new ByteArrayOutputStream(), maxDepth);
}
private static SExpression parseExpression(InputStream src, SExpression expr, ByteArrayOutputStream accumulator, int maxDepth)
throws IOException
{
...........
...........
}But this null case isn't handled in parseExpression(), and addValue() method is invoked on this null object, which will cause NullPointerException.
It is not immediately clear whether consumeUntilSkipCRorLF(), will always return -1 or will always return ( first before entering any other condition when expr is set to null. If that is indeed the case, you may choose to ignore this issue.
Sponsorship and Support:
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.
The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.
What happended?
In file: SExpression.java, there is a potential case of null pointer dereference. In method parse(), there is a call to parseExpression(), passing parameter
SExpressionto be null.But this
nullcase isn't handled inparseExpression(), and addValue() method is invoked on this null object, which will causeNullPointerException.It is not immediately clear whether consumeUntilSkipCRorLF(), will always return -1 or will always return
(first before entering any other condition whenexpris set to null. If that is indeed the case, you may choose to ignore this issue.Sponsorship and Support:
This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed - to improve global software supply chain security.
The bug is found by running the iCR tool by OpenRefactory, Inc. and then manually triaging the results.