Merge branch '2.13' into 2.14

Author: cowtowncoder

release-notes/CREDITS-2.x

@@ -287,6 +287,10 @@ Vlad Tatavu (vladt@github)
     for "content reference"
   (2.13.2)
 
+PJ Fanning (pjfanning@github)
+  * Contributed #744: Limit size of exception message in BigDecimalParser
+  (2.13.3)
+
 Ilya Golovin (ilgo0413@github)
   * Contributed #684: Add "JsonPointer#appendProperty" and "JsonPointer#appendIndex"
   (2.14.0)

release-notes/VERSION-2.x

@@ -24,6 +24,11 @@ JSON library.
   floating-point values or not
  (contributed Doug R)
 
+2.13.3 (not yet released)
+
+#744: Limit size of exception message in BigDecimalParser
+ (contributed by @pjfanning))
+
 2.13.2 (06-Mar-2022)
 
 #732: Update Maven wrapper

src/main/java/com/fasterxml/jackson/core/io/BigDecimalParser.java

@@ -21,6 +21,7 @@
  */
 public final class BigDecimalParser
 {
+    private final static int MAX_CHARS_TO_REPORT = 1000;
     private final char[] chars;
 
     BigDecimalParser(char[] chars) {
@@ -51,7 +52,14 @@ public static BigDecimal parse(char[] chars) {
             if (desc == null) {
                 desc = "Not a valid number representation";
             }
-            throw new NumberFormatException("Value \"" + new String(chars)
+            String stringToReport;
+            if (chars.length <= MAX_CHARS_TO_REPORT) {
+                stringToReport = new String(chars);
+            } else {
+                stringToReport = new String(Arrays.copyOfRange(chars, 0, MAX_CHARS_TO_REPORT))
+                    + "(truncated, full length is " + chars.length + " chars)";
+            }
+            throw new NumberFormatException("Value \"" + stringToReport
                     + "\" can not be represented as `java.math.BigDecimal`, reason: " + desc);
         }
     }

src/test/java/com/fasterxml/jackson/core/io/BigDecimalParserTest.java

@@ -0,0 +1,18 @@
+package com.fasterxml.jackson.core.io;
+
+public class BigDecimalParserTest extends com.fasterxml.jackson.core.BaseTest {
+    public void testLongStringParse() {
+        final int len = 1500;
+        final StringBuilder sb = new StringBuilder(len);
+        for (int i = 0; i < len; i++) {
+            sb.append("A");
+        }
+        try {
+            BigDecimalParser.parse(sb.toString());
+            fail("expected NumberFormatException");
+        } catch (NumberFormatException nfe) {
+            assertTrue("exception message starts as expected?", nfe.getMessage().startsWith("Value \"AAAAA"));
+            assertTrue("exception message value contains truncated", nfe.getMessage().contains("truncated"));
+        }
+    }
+}