From 7eb74ac50f5e6e05389e834a1a2bf2543dfd64c9 Mon Sep 17 00:00:00 2001
From: Simon Willnauer <simonw@apache.org>
Date: Wed, 13 Jun 2018 10:16:33 +0200
Subject: [PATCH] LUCENE-8164: IndexWriter silently accepts broken payload.

This has been fixed via LUCENE-8165 since we are now checking
for offset+length going out of bounds.

Co-authored-by: Nhat Nguyen <nhat.nguyen@elastic.co>
Co-authored-by: Robert Muir <rmuir@apache.org>
---
 lucene/CHANGES.txt                                |  6 +++++-
 .../org/apache/lucene/index/TestIndexWriter.java  | 15 +++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/lucene/CHANGES.txt b/lucene/CHANGES.txt
index 0f7c486f4e2..83177a805a2 100644
--- a/lucene/CHANGES.txt
+++ b/lucene/CHANGES.txt
@@ -109,7 +109,11 @@ Optimizations
 
 ======================= Lucene 7.5.0 =======================
 
-(No changes)
+Bug Fixes:
+
+ * LUCENE-8164: IndexWriter silently accepts broken payload. This has been fixed
+   via LUCENE-8165 since we are now checking for offset+length going out of bounds.
+   (Robert Muir, Nhat Nyugen, Simon Willnauer)
 
 ======================= Lucene 7.4.0 =======================
 
diff --git a/lucene/core/src/test/org/apache/lucene/index/TestIndexWriter.java b/lucene/core/src/test/org/apache/lucene/index/TestIndexWriter.java
index 967055ed852..72bd52933bd 100644
--- a/lucene/core/src/test/org/apache/lucene/index/TestIndexWriter.java
+++ b/lucene/core/src/test/org/apache/lucene/index/TestIndexWriter.java
@@ -49,6 +49,7 @@ import org.apache.lucene.analysis.CannedTokenStream;
 import org.apache.lucene.analysis.MockAnalyzer;
 import org.apache.lucene.analysis.MockTokenFilter;
 import org.apache.lucene.analysis.MockTokenizer;
+import org.apache.lucene.analysis.Token;
 import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.Tokenizer;
 import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
@@ -3500,4 +3501,18 @@ public class TestIndexWriter extends LuceneTestCase {
     w.close();
     dir.close();
   }
+
+  public void testBrokenPayload() throws Exception {
+    Directory d = newDirectory();
+    IndexWriter w = new IndexWriter(d, newIndexWriterConfig(new MockAnalyzer(random())));
+    Document doc = new Document();
+    Token token = new Token("bar", 0, 3);
+    BytesRef evil = new BytesRef(new byte[1024]);
+    evil.offset = 1000; // offset + length is now out of bounds.
+    token.setPayload(evil);
+    doc.add(new TextField("foo", new CannedTokenStream(token)));
+    expectThrows(IndexOutOfBoundsException.class, () -> w.addDocument(doc));
+    w.close();
+    d.close();
+  }
 }