Provide way to limit array size for whole stream array read

[slaft]

Hello

I'm trying to limit the length of arrays created by JBBP.

I was able to do it for JBBP types that way:

public class CustomJBBPBitInputStream extends JBBPBitInputStream {

    public CustomJBBPBitInputStream(InputStream in, JBBPBitOrder order) {
        super(in, order);
    }

    @Override
    public boolean[] readBoolArray(final int items) throws IOException {
        // validation here
        return super.readBoolArray(items);
    }
...
}

// Used like this:
parser.parse(new CustomJBBPBitInputStream(new ByteArrayInputStream(input), bitOrder));

But I couldn't find a way for arrays of structures and arrays without a defined size ([_]).
Do you see a way to do that? Otherwise is a change possible?
(I use the latest version.)

Thanks for your help.

[raydac]

I didn't provide way to limit size of array and imho it is a good idea to provide such one.
as a workaround for parsing through script you could try to use var type and JBBPVarFieldProcessor. which can be provided as a parameter during parsing, as an example you can take a look at java class parse test

[raydac]

I have improved JBBP and added JBBPArraySizeLimiter which can be provided for JBBPBitInputStream read array methods and for JBBPParser to limit whole stream array read, it will be published in 2.1.0 release

[slaft]

Thanks a lot! (And sorry for the late reply, I've been on holiday.)

With the changes you've made, it's also possible to limit the length of arrays defined via expressions (using JBBPParserExpressionArraySizeController), is that correct?
Do you think it would make sense to extend this type of control to fixed-size arrays as well?

To give you more context (as I'm not sure my question makes sense), in my case the script is user-defined, and I want to restrict what the user can do to protect my service (but maybe there's a lot more than array size I should worry about).

[raydac]

if you want to check statically defined array sizes, you can do some trick with visitor of compiled block which I use to generate java classes from scripts

    JBBPParser parser = JBBPParser.prepare("byte[100] one; byte [1000000] two;");
    CompiledBlockVisitor visitor = new CompiledBlockVisitor(0, parser.getCompiledBlock()){
      @Override
      public void visitPrimitiveField(int offsetInCompiledBlock, int primitiveType,
                                      JBBPNamedFieldInfo nullableNameFieldInfo,
                                      JBBPByteOrder byteOrder,
                                      boolean readWholeStreamAsArray,
                                      boolean altFieldType,
                                      JBBPIntegerValueEvaluator nullableArraySize) {
        if (!readWholeStreamAsArray
            && nullableArraySize != null
            && nullableArraySize.getClass().getSimpleName().equals("IntConstValueEvaluator")) {
            int size = nullableArraySize.eval(null, offsetInCompiledBlock, null, null);
            if (size > 10000) {
              throw new IllegalArgumentException("Too big array: " + nullableNameFieldInfo);
            }
        }
      }
    };
    visitor.visit();

in the code above the exception will be thrown for too big static size of array, keep in mind that users can write something array1 [1000] { byte [1000] array2; } and if you want check it then improve visitor for structure processing, example above processing only primitive types but methods for structures, var and custom types also provided by visitor

[slaft]

Thanks again for your help. (And that's noted for arrays of structures, I'll definitely check that too).

[raydac]

I have made minor refactoring and added util method JBBPUtils#findMaxStaticArraySize into 2.1.1-SNAPSHOT

[slaft]

Thanks, it's very helpful!

[raydac]

so, it looks like that since 3.0.0 version I have provided ways to detect too long arrays for calculated by expressions and static variants

[slaft]

Thanks for letting me know!