
Uncaught exception in com.fasterxml.jackson.dataformat.cbor.CBORParser._finishShortText #316

Closed
@cowtowncoder

Description

@cowtowncoder

Another OSSFuzz-found issue (see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35979), for which we have a unit test to reproduce (see Fuzz_35979_StringValueTest) but no fix yet.

Input content with 296 bytes (resource /data/clusterfuzz-cbor-35979.cbor) is used to trigger a corner condition for 256 bytes (we get an ArrayIndexOutOfBoundsException): not a security issue, but an inconvenience, as the caller may get something other than JsonProcessingException.

Note that the input itself is invalid (not valid CBOR, that is); but it should produce a properly typed exception upon decoding, not AIOOBE.

More specifically, the issue is that the last byte indicates a multi-byte UTF-8 character, but without the following bytes: for example, with a "short" String of 256 bytes encoded, the byte at the very last offset indicates it is the starting byte of, say, a 3-byte character. The current code does not verify that there are enough bytes left but blindly accesses the following 2 bytes (beyond the end). So while it would be easy to avoid the AIOOBE itself (just add padding of 3 bytes to cover all possible cases), it is important for the decoder to actually apply bounds checks to avoid the issue.
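The following is an added, standalone illustration of the bounds check the issue describes; it is not code from jackson-dataformats-binary, and the 256-byte input it uses is constructed to match the description rather than taken from the clusterfuzz file. A minimal decoder for a definite-length CBOR text string (major type 3) walks the UTF-8 lead bytes and checks that every multi-byte sequence fits inside the string's declared length, raising a typed `CBORDecodeError` (the stand-in for `JsonProcessingException`) instead of an `IndexError` (Python's analogue of AIOOBE). A naive scanner that trusts the lead byte is included for comparison; it also shows why checking against the buffer end alone is not enough, since bytes belonging to the next CBOR item would otherwise be swallowed as continuation bytes.

```python
"""Minimal CBOR text-string decoder with explicit UTF-8 bounds checks.
Illustration only; not the jackson-dataformats-binary implementation."""


class CBORDecodeError(ValueError):
    """Typed error for malformed CBOR input (analogue of JsonProcessingException)."""


def _text_header(buf: bytes, pos: int) -> tuple[int, int]:
    """Parse the initial byte (and length field) of a definite-length text string.
    Returns (declared_length, offset_of_first_content_byte)."""
    if pos >= len(buf):
        raise CBORDecodeError("unexpected end of input before initial byte")
    ib = buf[pos]
    if ib >> 5 != 3:
        raise CBORDecodeError(f"expected text string (major type 3), got major type {ib >> 5}")
    ai = ib & 0x1F
    if ai < 24:
        return ai, pos + 1
    width = {24: 1, 25: 2, 26: 4, 27: 8}.get(ai)
    if width is None:
        raise CBORDecodeError(f"unsupported additional info {ai} (indefinite length or reserved)")
    if pos + 1 + width > len(buf):
        raise CBORDecodeError("unexpected end of input inside length field")
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "big"), pos + 1 + width


def _utf8_seq_len(lead: int) -> int:
    """Bytes in the UTF-8 sequence started by `lead`, or 0 if `lead` cannot start one."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0  # stray continuation byte, overlong 0xC0/0xC1, or above 0xF4


def decode_text_string(buf: bytes, pos: int = 0) -> tuple[str, int]:
    """Decode one definite-length CBOR text string at buf[pos].
    Returns (decoded text, position just past the string)."""
    length, start = _text_header(buf, pos)
    end = start + length
    if end > len(buf):
        raise CBORDecodeError(f"text string declares {length} bytes but only {len(buf) - start} remain")
    i = start
    while i < end:
        n = _utf8_seq_len(buf[i])
        if n == 0:
            raise CBORDecodeError(f"invalid UTF-8 lead byte 0x{buf[i]:02x} at offset {i}")
        # The check the issue asks for: the whole sequence must lie within the
        # string's *declared* end, not merely within the buffer. Otherwise the
        # next CBOR item's bytes would be consumed as continuation bytes.
        if i + n > end:
            raise CBORDecodeError(f"truncated {n}-byte UTF-8 sequence at offset {i}; string ends at {end}")
        for k in range(1, n):
            if buf[i + k] & 0xC0 != 0x80:
                raise CBORDecodeError(f"bad continuation byte 0x{buf[i + k]:02x} at offset {i + k}")
        i += n
    try:
        text = buf[start:end].decode("utf-8")  # strict decode also rejects overlongs/surrogates
    except UnicodeDecodeError as e:
        raise CBORDecodeError(f"invalid UTF-8 in text string: {e.reason}") from None
    return text, end


def naive_char_count(buf: bytes, start: int, length: int) -> int:
    """Mirror of the buggy pattern from the issue: trusts the lead byte and reads its
    continuation bytes without checking that they exist. Counts characters."""
    i, chars, end = start, 0, start + length
    while i < end:
        n = _utf8_seq_len(buf[i]) or 1
        for k in range(1, n):
            buf[i + k]  # IndexError when the lead byte is the last byte of the buffer
        i += n
        chars += 1
    return chars


# Constructed input modelled on the description (not the real clusterfuzz resource):
# "short" text string of exactly 256 bytes (0x79 = major type 3, 2-byte length 0x0100)
# whose final byte 0xE2 announces a 3-byte sequence that never arrives.
TRUNCATED_256 = b"\x79\x01\x00" + b"a" * 255 + b"\xe2"


def checked_outcome(buf: bytes) -> str:
    """Outcome of the bounds-checked decoder, as a short label."""
    try:
        text, _ = decode_text_string(buf)
        return f"ok:{len(text)}"
    except CBORDecodeError:
        return "CBORDecodeError"
    except IndexError:
        return "IndexError"


def naive_outcome(buf: bytes) -> str:
    """Outcome of the naive scanner on the same 256-byte string, as a short label."""
    try:
        return f"ok:{naive_char_count(buf, 3, 256)}"
    except IndexError:
        return "IndexError"


if __name__ == "__main__":
    print("checked, truncated:", checked_outcome(TRUNCATED_256))
    print("naive,   truncated:", naive_outcome(TRUNCATED_256))
    # 0x80 0x80 is two empty CBOR arrays following the string; they look like continuation bytes.
    print("checked, followed by next items:", checked_outcome(TRUNCATED_256 + b"\x80\x80"))
    print("naive,   followed by next items:", naive_outcome(TRUNCATED_256 + b"\x80\x80"))
```

Run stand-alone, the checked decoder reports `CBORDecodeError` for both inputs, while the naive scanner raises `IndexError` on the bare input and silently returns 256 characters when two following CBOR items happen to look like continuation bytes, which is why padding the buffer alone (as the description notes) would hide the error rather than fix it.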

Metadata

Assignees

No one assigned

    Labels

    2.17, cbor, fuzz (Issue found by OssFuzz), has-failing-test (Indicates that there exists a test case (under `failing/`) to reproduce the issue)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
