The CBORParser::nextToken() method relies on the integer index _inputPtr to read the next character from the provided input byte array. In some cases, if the provided input byte array is malformed and contains negative bytes, that negative could be used as the new value for the _inputPtr. If the negative _inputPtr is used as an index for later access to the byte array, an unexpected IndexOutOfBoundsException is thrown because a negative index is used.

    @Override
    public JsonToken nextToken() throws IOException
    {
...
        if (_inputPtr >= _inputEnd) {
            if (!loadMore()) {
                return _eofAsNextToken();
            }
        }
        int ch = _inputBuffer[_inputPtr++] & 0xFF;
...

The suggested fix is to add a negative checking before the use of _inputPtr. It is shown that there is already a check in the method to ensure _inputPtr is not larger than or equal to the _inputEnd, but there is no check to confirm that _inputPtr is not negative. The suggested fix is to add a negative check to ensure the retrieved _inputPtr is not negative before use.

We found this issue by OSS-Fuzz and it is reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65617.