From aa80a72041f7ab987cf3bce2984d2cb0c29534c9 Mon Sep 17 00:00:00 2001
From: Oliver Kopp
Date: Wed, 22 May 2024 06:21:00 +0200
Subject: [PATCH] Sanitize input for substring$ (#11322)
---
 .../java/org/jabref/logic/bst/BstFunctions.java | 16 +++++++++-------
 .../org/jabref/logic/bst/BstFunctionsTest.java | 3 ++-
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/main/java/org/jabref/logic/bst/BstFunctions.java b/src/main/java/org/jabref/logic/bst/BstFunctions.java
index 3eab0713a87..2d4b286dd94 100644
--- a/src/main/java/org/jabref/logic/bst/BstFunctions.java
+++ b/src/main/java/org/jabref/logic/bst/BstFunctions.java
@@ -711,12 +711,9 @@ void bstSubstring(BstVMVisitor visitor, ParserRuleContext ctx) {
 length = Integer.MAX_VALUE / 2;
 }
- if (start > (Integer.MAX_VALUE / 2)) {
- start = Integer.MAX_VALUE / 2;
- }
-
- if (start < (Integer.MIN_VALUE / 2)) {
- start = -Integer.MIN_VALUE / 2;
+ if ((start > string.length()) || (start < -string.length())) {
+ stack.push("");
+ return;
 }
 if (start < 0) {
@@ -726,7 +723,12 @@ void bstSubstring(BstVMVisitor visitor, ParserRuleContext ctx) {
 }
 int zeroBasedStart = start - 1;
- String result = string.substring(zeroBasedStart, Math.min(zeroBasedStart + length, string.length()));
+ int zeroBasedEnd = Math.min(zeroBasedStart + length, string.length());
+
+ // Sanitize too large start values
+ zeroBasedStart = Math.min(zeroBasedStart, zeroBasedEnd);
+
+ String result = string.substring(zeroBasedStart, zeroBasedEnd);
 LOGGER.trace("substring$(s, start, len): ({}, {}, {})={}", string, start, length, result);
 stack.push(result);
diff --git a/src/test/java/org/jabref/logic/bst/BstFunctionsTest.java b/src/test/java/org/jabref/logic/bst/BstFunctionsTest.java
index 769fe7dd999..a829e33c0b8 100644
--- a/src/test/java/org/jabref/logic/bst/BstFunctionsTest.java
+++ b/src/test/java/org/jabref/logic/bst/BstFunctionsTest.java
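Review bot: The new range guard in the first hunk of BstFunctions.java still admits `start == 0`, because 0 is neither above `string.length()` nor below `-string.length()`. With the `if (start < 0)` branch skipped, `zeroBasedStart` becomes -1 and reaches `string.substring(...)`, which throws `StringIndexOutOfBoundsException`, unless a check above the hunk already handles zero (not visible here). Since these operands come from a .bst style file, I would extend the guard to `if ((start == 0) || (start > string.length()) || (start < -string.length())) {`. bstSubstring's body starts and ends outside the hunk.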
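Review bot: A negative `length` can still drive the indexes below zero in the second hunk of BstFunctions.java: `zeroBasedStart + length` falls under `zeroBasedStart`, and the new `Math.min(zeroBasedStart, zeroBasedEnd)` then pulls the start down with it, so `substring` can throw instead of yielding an empty string (for example start 1 with length -5). Only the upper bound of `length` is clamped in the visible lines; a lower-bound check may exist above the hunk. I would write `int zeroBasedEnd = Math.min(zeroBasedStart + Math.max(length, 0), string.length());`. The comment `// Sanitize too large start values` could also state when that case still arises, given the earlier guard already rejects `start > string.length()`.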
@@ -213,7 +213,8 @@ public void substring() throws RecognitionException {
 "abc, abcd, -2, 2147483647",
 "b, abcd, -3, 1",
 "a, abcd, -4, 1",
- "'', abcd, -5, 1" // invalid number -5
+ "'', abcd, -5, 1", // invalid number -5
+ "'', abcd, -2147483647, 2147483647", // invalid number
 })
 void substringPlain(String expected, String full, Integer start, Integer length) {
 BstVMContext bstVMContext = new BstVMContext(List.of(), new BibDatabase(), Path.of("404.bst"));
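Review bot: The added row exercises only the `start < -string.length()` arm of the new guard; the `start > string.length()` arm introduced by the same commit has no matching row in the visible lines, though rows above the hunk may cover it. A row such as `"'', abcd, 2147483647, 1", // start beyond end of string` would pin that arm. The new trailing comment `// invalid number` could name the value as the previous row does, e.g. `// invalid number -2147483647`.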