Gson can throw StackOverflowError which will most likely not be caught #2161

@fan87

Gson version

2.9.0

Description

Gson could throw StackOverflowError with "[" * 8000, but most people will only catch Exception, not Error.

I don't think it's a real "security" vuln, since most servers would catch every Throwable thrown by the code that handles the request instead of just killing the entire server, but just in case.

Expected behavior

Throws a JSON syntax exception

Actual behavior

Throws an Error, which most people won't be catching

Reproduction steps

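        import com.google.gson.Gson;
        import com.google.gson.JsonArray;

        // Wrapper class and main() added so the snippet compiles on its own
        public class Repro {
            public static void main(String[] args) {
                Gson gson = new Gson();
                // Build 8000 unclosed array openers
                StringBuilder out = new StringBuilder();
                for (int i = 0; i < 8000; i++) {
                    out.append("[");
                }

                try {
                    gson.fromJson(out.toString(), JsonArray.class);
                } catch (Exception ignored) {
                    System.out.println("Invalid Json Body!");
                    // Most people will only be catching Exception, not Error
                }
            }
        }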

Exception stack trace

(What a normal StackOverflowError stack trace looks like)

        (repeated until it throws StackOverflowError)
        at com.google.gson.internal.bind.TypeAdapters$28.read(TypeAdapters.java:718)
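One way a caller can get the "expected behavior" above on the affected version, as an added example that is not part of the original issue or Gson's own code: walk the input with Gson's iterative `JsonReader` first and reject over-deep nesting with an ordinary exception before the recursive `JsonArray` adapter runs. The class name `DepthLimitedGson`, the `MAX_DEPTH` value of 64 and the `fromJson` wrapper are assumptions made for this example.

```java
import com.google.gson.Gson;
import com.google.gson.JsonArray;
import com.google.gson.JsonSyntaxException;
import com.google.gson.stream.JsonReader;
import java.io.IOException;
import java.io.StringReader;

public class DepthLimitedGson {
    static final int MAX_DEPTH = 64; // assumed limit for this example
    /** Walks the tokens iteratively and fails once nesting exceeds MAX_DEPTH. */
    static void checkDepth(String json) throws IOException {
        JsonReader reader = new JsonReader(new StringReader(json));
        // Gson.fromJson(String, ...) reads leniently in 2.9.0, so tokenize the same way
        reader.setLenient(true);
        int depth = 0;
        while (true) {
            switch (reader.peek()) {
                case BEGIN_ARRAY:  reader.beginArray();  depth++; break;
                case BEGIN_OBJECT: reader.beginObject(); depth++; break;
                case END_ARRAY:    reader.endArray();    depth--; break;
                case END_OBJECT:   reader.endObject();   depth--; break;
                case NAME:         reader.nextName();    break;
                case END_DOCUMENT: return;
                default:           reader.skipValue();   // string, number, boolean, null
            }
            if (depth > MAX_DEPTH) throw new IOException("JSON nesting deeper than " + MAX_DEPTH);
        }
    }

    /** Hypothetical wrapper: over-deep or malformed input surfaces as JsonSyntaxException. */
    static <T> T fromJson(Gson gson, String json, Class<T> type) {
        try {
            checkDepth(json);
        } catch (IOException e) {
            throw new JsonSyntaxException(e);
        }
        return gson.fromJson(json, type);
    }

    public static void main(String[] args) {
        String deep = "[".repeat(8000); // constructed input, same shape as the report
        try {
            fromJson(new Gson(), deep, JsonArray.class);
        } catch (Exception e) { // catching Exception is enough here
            System.out.println("Invalid Json Body!");
        }
        // Brackets inside a string value are tokens of type STRING and add no depth
        System.out.println(fromJson(new Gson(), "[\"[[[\", [1, 2]]", JsonArray.class));
    }
}
```

Because the check uses Gson's own tokenizer rather than a hand-written bracket counter, quoting and comment rules cannot make the pre-check and the real parse disagree about depth.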
