From d440288bc080e6ef10be1c6963fb0f4f14dc07dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jason=20Jij=C3=B3n?=
Date: Fri, 24 Jan 2020 16:09:31 -0500
Subject: [PATCH] Fixes #4386 - ELFlash sometimes throws ArrayIndexOutOfBoundsException if cookie contains invalid values
---
 .../com/sun/faces/util/ByteArrayGuardAESCTR.java | 11 ++++++++---
 .../sun/faces/util/ByteArrayGuardAESCTRTest.java | 13 +++++++++++++
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/jsf-ri/src/main/java/com/sun/faces/util/ByteArrayGuardAESCTR.java b/jsf-ri/src/main/java/com/sun/faces/util/ByteArrayGuardAESCTR.java
index 90a530e926..910c4c8c17 100644
--- a/jsf-ri/src/main/java/com/sun/faces/util/ByteArrayGuardAESCTR.java
+++ b/jsf-ri/src/main/java/com/sun/faces/util/ByteArrayGuardAESCTR.java
@@ -149,11 +149,16 @@ public String encrypt(String value) {
 }
 public String decrypt(String value) throws InvalidKeyException {
-
- byte[] bytes = DatatypeConverter.parseBase64Binary(value);;
-
+
+ byte[] bytes = DatatypeConverter.parseBase64Binary(value);
+
 try {
 byte[] iv = new byte[16];
+
+ if (bytes.length < iv.length) {
+ throw new InvalidKeyException("Invalid characters in decrypted value");
+ }
+
 System.arraycopy(bytes, 0, iv, 0, iv.length);
 IvParameterSpec ivspec = new IvParameterSpec(iv);
diff --git a/test/unit/src/test/java/com/sun/faces/util/ByteArrayGuardAESCTRTest.java b/test/unit/src/test/java/com/sun/faces/util/ByteArrayGuardAESCTRTest.java
index 0af55edd8f..d3c9420d8b 100644
--- a/test/unit/src/test/java/com/sun/faces/util/ByteArrayGuardAESCTRTest.java
+++ b/test/unit/src/test/java/com/sun/faces/util/ByteArrayGuardAESCTRTest.java
@@ -39,6 +39,8 @@
 */
 package com.sun.faces.util;
+import java.security.InvalidKeyException;
+import javax.xml.bind.DatatypeConverter;
 import org.junit.Test;
 import static org.junit.Assert.assertTrue;
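Review bot: The message on the new `throw new InvalidKeyException("Invalid characters in decrypted value")` describes a condition the guard does not test — it fires on the length of the base64-decoded input, before anything is decrypted, not on bad characters — so `throw new InvalidKeyException("Encrypted value too short to contain a " + iv.length + "-byte IV");` would tell whoever reads the log what a rejected cookie actually looked like. Reusing InvalidKeyException is defensible because it is the type decrypt already declares and callers catch, but this is a malformed-input case rather than a key problem, which deserves a line such as `// truncated/garbage cookie, not a key fault; exception type kept for caller compatibility`. The decode on `DatatypeConverter.parseBase64Binary(value)` stays outside the try, so a null value, which would fail there rather than at the new check, takes a different path, and whether the surrounding catch covers it is not visible in this hunk. Separately, the IV and the bytes after it come straight from the cookie and no integrity check appears in the hunk; unless a MAC is verified elsewhere in the class, AES-CTR leaves the plaintext malleable by whoever holds the cookie, and the length guard does nothing about that. decrypt's try block continues past the end of the hunk.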
@@ -61,6 +63,17 @@ public void testSmallerSizeBytes() throws Exception {
 }
+
+ @Test(expected = InvalidKeyException.class)
+ public void testDecryptValueWithoutIvBytes() throws InvalidKeyException {
+ ByteArrayGuardAESCTR sut = new ByteArrayGuardAESCTR();
+
+ String value = "noIV";
+ byte[] bytes = DatatypeConverter.parseBase64Binary(value);
+ assertTrue(bytes.length < 16);
+
+ sut.decrypt(value);
+ }
 }
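Review bot: The new test fixes only one side of the boundary — `"noIV"` decodes to 3 bytes — so it would also pass if the guard in decrypt were written with `<=` instead of `<`; a companion case that feeds exactly 16 bytes, `sut.decrypt(DatatypeConverter.printBase64Binary(new byte[16]));`, and expects no InvalidKeyException would pin the threshold, assuming the rest of decrypt tolerates an empty ciphertext after the IV. With `@Test(expected = InvalidKeyException.class)` any InvalidKeyException raised anywhere inside `sut.decrypt(value)` satisfies the test, so a comment on the `assertTrue(bytes.length < 16);` line, `// 3 decoded bytes: shorter than the 16-byte IV decrypt() copies out first`, records why this particular input is expected to be rejected. The hunk ends on the class's closing brace, so the enclosing class closes within it.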