diff --git a/api/src/main/java/jakarta/xml/bind/DatatypeConverterImpl.java b/api/src/main/java/jakarta/xml/bind/DatatypeConverterImpl.java
index d8d61c2..0f0e378 100644
--- a/api/src/main/java/jakarta/xml/bind/DatatypeConverterImpl.java
+++ b/api/src/main/java/jakarta/xml/bind/DatatypeConverterImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2021 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2023 Oracle and/or its affiliates. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Distribution License v. 1.0, which is available at
@@ -706,6 +706,9 @@ private static int guessLength(String text) {
 */
 public static byte[] _parseBase64Binary(String text) {
 final int buflen = guessLength(text);
+ if (buflen < 3) {
+ throw new IllegalArgumentException("base64 text invalid.");
+ }
 final byte[] out = new byte[buflen];
 int o = 0;
@@ -725,6 +728,7 @@ public static byte[] _parseBase64Binary(String text) {
 }
 if (q == 4) {
+ // quadruplet is now filled.
 out[o++] = (byte) ((quadruplet[0] << 2) | (quadruplet[1] >> 4));
 if (quadruplet[2] != PADDING) {
diff --git a/api/src/test/java/org/eclipse/jaxb/api/DatatypeConverterTest.java b/api/src/test/java/org/eclipse/jaxb/api/DatatypeConverterTest.java
index 4fbf1c0..bfbe75e 100644
--- a/api/src/test/java/org/eclipse/jaxb/api/DatatypeConverterTest.java
+++ b/api/src/test/java/org/eclipse/jaxb/api/DatatypeConverterTest.java
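Review bot: The `if (buflen < 3)` guard added at the top of `_parseBase64Binary` rejects input by guessed output size rather than by validity, and since `buflen` sizes `out`, a well-formed encoding of one or two bytes (or an empty string) would now throw `IllegalArgumentException` if `guessLength` returns the decoded length for it; `guessLength` is outside this diff, so that needs confirming. The `out[o++]` writes in the `q == 4` block stay unchecked, so a longer malformed input whose guess is too small would presumably still end in `ArrayIndexOutOfBoundsException`, which callers unmarshalling untrusted XML are unlikely to catch. I would drop the threshold and bound the write instead, before the first `out[o++]`: `int need = quadruplet[2] == PADDING ? 1 : (quadruplet[3] == PADDING ? 2 : 3);` followed by `if (o + need > buflen) throw new IllegalArgumentException("base64 text invalid.");`. The body of `_parseBase64Binary` continues past both hunks, so the tail handling after the loop should be checked against this.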
@@ -55,4 +55,13 @@ public void testParseBoolean() {
 Assert.assertEquals(true, DatatypeConverter.parseBoolean("true "));
 Assert.assertEquals(true, DatatypeConverter.parseBoolean(" true "));
 }
+
+ @Test
+ public void testBase64() {
+ Assert.assertThrows(IllegalArgumentException.class, () -> DatatypeConverter.parseBase64Binary("Qxx=="));
+ Assert.assertNotEquals("Hello, world!", new String(DatatypeConverter.parseBase64Binary("SGVsbG8sIJdvcmxkIQ==")));
+
+ Assert.assertEquals("Hello, world!", new String(DatatypeConverter.parseBase64Binary("SGVsbG8sIHdvcmxkIQ==")));
+ }
+
 }
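Review bot: `testBase64` has no case for a short, well-formed input, which is where the new `buflen < 3` guard in `_parseBase64Binary` is most likely to change behaviour; I would add `Assert.assertArrayEquals(new byte[] {'A'}, DatatypeConverter.parseBase64Binary("QQ=="));` and `Assert.assertEquals(0, DatatypeConverter.parseBase64Binary("").length);` to pin it. Two of the assertions also decode with `new String(byte[])`, which uses the platform charset before Java 18; pass `StandardCharsets.UTF_8`, or compare byte arrays, so the `assertNotEquals` case does not depend on the build machine. A one-line comment on that case saying which character of the encoding was altered and why it must decode without throwing would help the next reader.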