From: joehni <joerg.schaible@gmx.de>
Date: Wed, 18 Sep 2024 20:19:13 +0200
Subject: CVE-2024-47072

This vulnerability may allow a remote attacker to terminate the application
with a stack overflow error resulting in a denial of service only
by manipulating the processed input stream when XStream is configured
to use the BinaryStreamDrive

origin: backport, https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a
bug: https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
---
 .../xstream/io/binary/BinaryStreamReader.java          | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
index 2839651..cd870cd 100644
--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2011, 2013 XStream Committers.
+ * Copyright (C) 2006, 2007, 2011, 2013, 2024 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter;
 import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
 import com.thoughtworks.xstream.io.StreamException;
+import com.thoughtworks.xstream.security.InputManipulationException;
 
 import java.io.DataInputStream;
 import java.io.IOException;
@@ -150,15 +151,20 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
     private Token readToken() {
         if (pushback == null) {
             try {
-                Token token = tokenFormatter.read(in);
-                switch (token.getType()) {
+                boolean mapping = false;
+                do {
+                    final Token token = tokenFormatter.read(in);
+                    switch (token.getType()) {
                     case Token.TYPE_MAP_ID_TO_VALUE:
                         idRegistry.put(token.getId(), token.getValue());
-                        return readToken(); // Next one please.
+                        mapping ^= true;
+                        continue; // Next one please.
                     default:
                         return token;
-                }
-            } catch (IOException e) {
+                    }
+                } while (mapping);
+                throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
+            } catch (final IOException e) {
                 throw new StreamException(e);
             }
         } else {