Skip to content

Reject out-of-range long and float values in NumberConverter#404

Merged
garydgregory merged 1 commit into
apache:masterfrom
rootvector2:numberconverter-long-float-range
Jun 26, 2026
Merged

Reject out-of-range long and float values in NumberConverter#404
garydgregory merged 1 commit into
apache:masterfrom
rootvector2:numberconverter-long-float-range

Conversation

@rootvector2

@rootvector2 rootvector2 commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

NumberConverter.toNumber(Class, Number) range-checks the byte/short/int branches but the Long branch has no bounds check and the Float branch only checks the upper bound, so an out-of-range value (for example a locale-parsed string past long range, which DecimalFormat returns as a Double) is silently clamped to Long.MAX_VALUE or to -Infinity instead of throwing; found while auditing the numeric converters, fixed by adding the missing bounds checks next to the existing ones.

  • Read the contribution guidelines for this project.
  • Read the ASF Generative Tooling Guidance if you use Artificial Intelligence (AI).
  • I used AI to create any part of, or all of, this pull request. Which AI tool was used to create this pull request, and to what extent did it contribute?
  • Run a successful build using the default Maven goal with mvn; that's mvn on the command line by itself.
  • Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied. This may not always be possible, but it is a best practice.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Each commit in the pull request should have a meaningful subject line and body. Note that a maintainer may squash commits during the merge process.

@rootvector2
reject out-of-range long and float values in NumberConverter
95cb983 
The Long branch had no bounds check and the Float branch checked only the upper bound, so out-of-range input was silently clamped to Long.MAX_VALUE or to -Infinity instead of throwing. Add the missing checks mirroring the byte/short/int branches.
@garydgregory garydgregory changed the title reject out-of-range long and float values in NumberConverter Reject out-of-range long and float values in NumberConverter Jun 25, 2026
garydgregory
garydgregory reviewed Jun 25, 2026
View reviewed changes

@garydgregory garydgregory left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @rootvector2
Please see my 2 comments.

Comment thread src/main/java/org/apache/commons/beanutils2/converters/NumberConverter.java
if (value.doubleValue() > Float.MAX_VALUE) {
throw ConversionException.format("%s value '%s' is too large for %s", toString(sourceType), value, toString(targetType));
}
if (value.doubleValue() < -Float.MAX_VALUE) {

@garydgregory garydgregory Jun 25, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we not using MIN_VALUE here?

@rootvector2 rootvector2 Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Float.MIN_VALUE is the smallest positive value (1.4E-45), not the most negative one, so it can't serve as the lower bound. The most negative finite float is -Float.MAX_VALUE. The Long branch above can use Long.MIN_VALUE because for integral types that is the most negative value, but for floating point types it isn't.

Comment thread src/test/java/org/apache/commons/beanutils2/converters/FloatConverterTest.java
// Maximum
assertEquals(Float.valueOf(Float.MAX_VALUE), converter.convert(clazz, max), "Maximum");
// Minimum
assertEquals(Float.valueOf(-Float.MAX_VALUE), converter.convert(clazz, min), "Minimum");

@garydgregory garydgregory Jun 25, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we not using MIN_VALUE here?

@rootvector2 rootvector2 Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same reason as in the converter: Float.MIN_VALUE is the smallest positive value, not the most negative, so the lowest representable float is -Float.MAX_VALUE.

@garydgregory garydgregory merged commit b23c7cd into apache:master Jun 26, 2026
6 of 9 checks passed
@garydgregory

garydgregory commented Jun 26, 2026

Copy link
Copy Markdown
Member

TY @rootvector2 , merged 🚀 Please verify if this apply to the 1.X branch as well.

@rootvector2 rootvector2 mentioned this pull request Jun 26, 2026
Merged
7 tasks
@rootvector2

rootvector2 commented Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

yep, same issue on 1.X. the Long branch has no bounds check and the Float branch only checks the upper bound there too, so out-of-range input clamps to Long.MAX_VALUE / -Infinity instead of throwing. ported the fix in #405.

garydgregory pushed a commit that referenced this pull request Jun 26, 2026
@rootvector2
reject out-of-range long and float values in NumberConverter (#405)
138d455 
The Long branch had no bounds check and the Float branch checked only the
upper bound, so out-of-range input was silently clamped to Long.MAX_VALUE or
to -Infinity instead of throwing. Add the missing checks mirroring the
byte/short/int branches. Ports the master fix (#404) to 1.X.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@garydgregory garydgregory garydgregory left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rootvector2 @garydgregory