Some deserializers throw unexpected NullPointerException when handling invalid input

[arthurscchan]

Some methods in the project fail to handle invalid input and throw unexpected NullPointerExcetption. For example, the PrimitiveKVHandler::value() method retrieves a string return from parser.getValueAsString(). If the input provided in the parser is invalid and cannot be converted to a string, it will return null. But the next conditional check calls the length method directly without a null check which could cause an unexpected NullPointerException thrown.

public char value(DeserializationContext ctx, JsonParser parser) throws IOException {
            String valueAsString = parser.getValueAsString();
            if (valueAsString.length() != 1) {
                ......

In GuavaCollectionDeserializer::deserialize() method, it deserialises the provided input and eventually creates a GuavaImmutableCollection object by the upstream GuavaImmutableCollection Builder. In the documentation of Guava, it does mention that in some cases (where the provided input is invalid), NullPointerException can be thrown but it is not specifically handled in the GuavaCollectionDeserializer::deserialize() method and cause unexpected NullPointerException thrown to the user.

    protected T _deserializeContents(JsonParser p, DeserializationContext ctxt)
        throws IOException
    {
       ......
            builder.add(value); // This could thrown NullPointerException according to Guava Javadoc
       ......

Fixes could be implemented by adding null checking or wrapping the thrown NullPointerException with JsonProcessingException to indicate possible invalid data.

We found this issue by OSS-Fuzz and it is reported in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64610 and https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64629.