Skip to content

Reject out-of-range long and float values in NumberConverter#404

Open
rootvector2 wants to merge 1 commit into
apache:masterfrom
rootvector2:numberconverter-long-float-range
Open

Reject out-of-range long and float values in NumberConverter#404
rootvector2 wants to merge 1 commit into
apache:masterfrom
rootvector2:numberconverter-long-float-range

Conversation

@rootvector2

@rootvector2 rootvector2 commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

NumberConverter.toNumber(Class, Number) range-checks the byte/short/int branches but the Long branch has no bounds check and the Float branch only checks the upper bound, so an out-of-range value (for example a locale-parsed string past long range, which DecimalFormat returns as a Double) is silently clamped to Long.MAX_VALUE or to -Infinity instead of throwing; found while auditing the numeric converters, fixed by adding the missing bounds checks next to the existing ones.

  • Read the contribution guidelines for this project.
  • Read the ASF Generative Tooling Guidance if you use Artificial Intelligence (AI).
  • I used AI to create any part of, or all of, this pull request. Which AI tool was used to create this pull request, and to what extent did it contribute?
  • Run a successful build using the default Maven goal with mvn; that's mvn on the command line by itself.
  • Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied. This may not always be possible, but it is a best practice.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Each commit in the pull request should have a meaningful subject line and body. Note that a maintainer may squash commits during the merge process.

@rootvector2
reject out-of-range long and float values in NumberConverter
95cb983 
The Long branch had no bounds check and the Float branch checked only the upper bound, so out-of-range input was silently clamped to Long.MAX_VALUE or to -Infinity instead of throwing. Add the missing checks mirroring the byte/short/int branches.
@garydgregory garydgregory changed the title reject out-of-range long and float values in NumberConverter Reject out-of-range long and float values in NumberConverter Jun 25, 2026
garydgregory
garydgregory reviewed Jun 25, 2026
View reviewed changes

@garydgregory garydgregory left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @rootvector2
Please see my 2 comments.

Comment thread src/main/java/org/apache/commons/beanutils2/converters/NumberConverter.java
if (value.doubleValue() > Float.MAX_VALUE) {
throw ConversionException.format("%s value '%s' is too large for %s", toString(sourceType), value, toString(targetType));
}
if (value.doubleValue() < -Float.MAX_VALUE) {

@garydgregory garydgregory Jun 25, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we not using MIN_VALUE here?

@rootvector2 rootvector2 Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Float.MIN_VALUE is the smallest positive value (1.4E-45), not the most negative one, so it can't serve as the lower bound. The most negative finite float is -Float.MAX_VALUE. The Long branch above can use Long.MIN_VALUE because for integral types that is the most negative value, but for floating point types it isn't.

Comment thread src/test/java/org/apache/commons/beanutils2/converters/FloatConverterTest.java
// Maximum
assertEquals(Float.valueOf(Float.MAX_VALUE), converter.convert(clazz, max), "Maximum");
// Minimum
assertEquals(Float.valueOf(-Float.MAX_VALUE), converter.convert(clazz, min), "Minimum");

@garydgregory garydgregory Jun 25, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we not using MIN_VALUE here?

@rootvector2 rootvector2 Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same reason as in the converter: Float.MIN_VALUE is the smallest positive value, not the most negative, so the lowest representable float is -Float.MAX_VALUE.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@garydgregory garydgregory garydgregory left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rootvector2 @garydgregory