From 9d6b10a45b57ab96470683a480fb8e9b739c678a Mon Sep 17 00:00:00 2001
From: Naveed Khan
Date: Sun, 28 Jun 2026 01:14:30 +0530
Subject: [PATCH] reject out-of-range values in LongLocaleConverter LongLocaleConverter.parse narrows the parsed number with longValue() and never range-checks it, so a value beyond long range like 99999999999999999999 is silently clamped to Long.MAX_VALUE instead of rejected: DecimalFormat returns it as a Double (the converter does not set parseBigDecimal) and Double.longValue() saturates. Add the same bounds check the sibling IntegerLocaleConverter, ByteLocaleConverter, ShortLocaleConverter and FloatLocaleConverter already apply before narrowing.
Signed-off-by: Naveed Khan
---
 .../converters/LongLocaleConverter.java | 6 +++++
 .../converters/LongLocaleConverterTest.java | 26 +++++++++++++++++++
 2 files changed, 32 insertions(+)
diff --git a/src/main/java/org/apache/commons/beanutils/locale/converters/LongLocaleConverter.java b/src/main/java/org/apache/commons/beanutils/locale/converters/LongLocaleConverter.java
index cb2ec9837..b0456e08f 100644
--- a/src/main/java/org/apache/commons/beanutils/locale/converters/LongLocaleConverter.java
+++ b/src/main/java/org/apache/commons/beanutils/locale/converters/LongLocaleConverter.java
@@ -20,6 +20,8 @@
 import java.text.ParseException;
 import java.util.Locale;
+import org.apache.commons.beanutils.ConversionException;
+
 /**
 * Standard {@link org.apache.commons.beanutils.locale.LocaleConverter} implementation that converts an incoming locale-sensitive String into a
 * {@code java.lang.Long} object, optionally using a default value or throwing a {@link org.apache.commons.beanutils.ConversionException} if a conversion error
@@ -173,6 +175,10 @@ protected Object parse(final Object value, final String pattern) throws ParseExc
 if (result == null || result instanceof Long) {
 return result;
 }
+ final double doubleValue = ((Number) result).doubleValue();
+ if (doubleValue < Long.MIN_VALUE || doubleValue > Long.MAX_VALUE) {
+ throw new ConversionException("Supplied number is not of type Long: " + result);
+ }
 return Long.valueOf(((Number) result).longValue());
 }
 }
diff --git a/src/test/java/org/apache/commons/beanutils/locale/converters/LongLocaleConverterTest.java b/src/test/java/org/apache/commons/beanutils/locale/converters/LongLocaleConverterTest.java
index 0d4b3c0da..5e685833f 100644
--- a/src/test/java/org/apache/commons/beanutils/locale/converters/LongLocaleConverterTest.java
+++ b/src/test/java/org/apache/commons/beanutils/locale/converters/LongLocaleConverterTest.java
@@ -17,6 +17,10 @@
 package org.apache.commons.beanutils.locale.converters;
+import java.text.DecimalFormat;
+
+import org.apache.commons.beanutils.ConversionException;
+
 /**
 * Test Case for the LongLocaleConverter class.
 *
@@ -225,5 +229,27 @@ public void testConstructorMain() {
 }
+ /**
+ * Test Long limits
+ */
+ public void testLongLimits() {
+ converter = new LongLocaleConverter();
+ final DecimalFormat fmt = new DecimalFormat("#");
+ assertEquals(Long.valueOf(Long.MAX_VALUE), converter.convert(fmt.format(Long.MAX_VALUE)));
+ assertEquals(Long.valueOf(Long.MIN_VALUE), converter.convert(fmt.format(Long.MIN_VALUE)));
+ try {
+ converter.convert("99999999999999999999");
+ fail("Positive out of range should throw ConversionException");
+ } catch (final ConversionException expected) {
+ // expected result
+ }
+ try {
+ converter.convert("-99999999999999999999");
+ fail("Negative out of range should throw ConversionException");
+ } catch (final ConversionException expected) {
+ // expected result
+ }
+ }
+
 }
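Review bot: The upper bound `doubleValue > Long.MAX_VALUE` in the added check misses values just past the limit: Long.MAX_VALUE is widened to double for the comparison and becomes exactly 2^63, so an input such as 9223372036854775808 (which, per the commit message, arrives as a Double) compares equal, passes the check and is still clamped by longValue(). Because a Long result has already been returned a few lines above, the guard can reject equality on the upper side: `if (doubleValue < Long.MIN_VALUE || doubleValue >= Long.MAX_VALUE) {`. The lower side presumably has a similar gap, since text slightly below Long.MIN_VALUE would round to a Double equal to -2^63 and compare as in range; closing that exactly would need the parent converter to parse as BigDecimal, which is outside this hunk. parse() begins outside the hunk, so how `result` is produced is not visible here.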
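Review bot: testLongLimits only probes 99999999999999999999, which is far outside the range, so the values immediately next to the limits are never exercised. Add cases such as `converter.convert("9223372036854775808")` and `converter.convert("-9223372036854775809")`, each expecting ConversionException; these are the inputs where a double comparison against Long.MAX_VALUE and Long.MIN_VALUE is least reliable, and they would show whether the new check rejects rather than clamps. The test also appears to depend on the default locale through `new LongLocaleConverter()` and `new DecimalFormat("#")`, so passing an explicit Locale would keep the ASCII minus literal from failing for an unrelated parse reason.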