garydgregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-lang.git
The following commit(s) were added to refs/heads/master by this push:
new 060ab31e5 reject doubled leading sign in createBigInteger (#1702)
060ab31e5 is described below
commit 060ab31e517d856292e97428345821b5b289249a
Author: alhuda <[email protected]>
AuthorDate: Sat Jun 13 17:17:41 2026 +0530
reject doubled leading sign in createBigInteger (#1702)
Co-authored-by: alhudz <[email protected]>
---
src/main/java/org/apache/commons/lang3/math/NumberUtils.java | 5 +++++
.../java/org/apache/commons/lang3/math/NumberUtilsTest.java | 11 +++++++++++
2 files changed, 16 insertions(+)
diff --git a/src/main/java/org/apache/commons/lang3/math/NumberUtils.java
b/src/main/java/org/apache/commons/lang3/math/NumberUtils.java
index b3991cf15..11e45c032 100644
--- a/src/main/java/org/apache/commons/lang3/math/NumberUtils.java
+++ b/src/main/java/org/apache/commons/lang3/math/NumberUtils.java
@@ -232,6 +232,11 @@ public static BigInteger createBigInteger(final String
str) {
radix = 8;
pos++;
} // default is to treat as decimal
+ if (str.startsWith("-", pos) || str.startsWith("+", pos)) {
+ // a second sign here (e.g. "--1") is not a number; new
BigInteger(String) would otherwise
+ // consume it and silently flip the sign.
Integer.decode/Long.decode reject this the same way.
+ throw new NumberFormatException("Sign character in wrong
position");
+ }
final BigInteger value = new BigInteger(str.substring(pos), radix);
return negate ? value.negate() : value;
}
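Review bot: The comment on the added check speaks only of a "second sign", but the guard `str.startsWith("-", pos) || str.startsWith("+", pos)` runs after the radix prefix has been skipped, so it appears to reject a first sign in that position too (for example `0x-1` or `#+1`). `new BigInteger(String, int)` would previously have accepted those. Callers that use this method to validate externally supplied numbers benefit from the stricter contract being stated exactly. I would word the comment as `// a sign after the optional leading sign and radix prefix (e.g. "--1", "0x-1") is not a number; new BigInteger(String, int) would otherwise consume it` and add a matching `@throws NumberFormatException` sentence to the method's Javadoc. The start of createBigInteger, including the leading-sign and prefix handling, lies outside this hunk, so the prefix-only cases are inferred rather than shown.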
diff --git a/src/test/java/org/apache/commons/lang3/math/NumberUtilsTest.java
b/src/test/java/org/apache/commons/lang3/math/NumberUtilsTest.java
index 8d7136260..a3d270645 100644
--- a/src/test/java/org/apache/commons/lang3/math/NumberUtilsTest.java
+++ b/src/test/java/org/apache/commons/lang3/math/NumberUtilsTest.java
@@ -483,6 +483,13 @@ void testCreateBigInteger() {
assertEquals(new BigInteger("+FFFFFFFFFFFFFFFF", 16),
NumberUtils.createBigInteger("+0xFFFFFFFFFFFFFFFF"));
assertEquals(new BigInteger("+FFFFFFFFFFFFFFFF", 16),
NumberUtils.createBigInteger("+#FFFFFFFFFFFFFFFF"));
assertEquals(new BigInteger("+1234567", 8),
NumberUtils.createBigInteger("+01234567"));
+ // a doubled sign is not a valid number
+ testCreateBigIntegerFailure("--1");
+ testCreateBigIntegerFailure("-+1");
+ testCreateBigIntegerFailure("+-1");
+ testCreateBigIntegerFailure("++1");
+ testCreateBigIntegerFailure("--010");
+ testCreateBigIntegerFailure("-0x-1");
}
protected void testCreateBigIntegerFailure(final String str) {
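Review bot: Every added failure case begins with a leading sign, so nothing here pins what the new guard does when the only sign follows a radix prefix. Judging by the check added in NumberUtils.java, such inputs are now rejected as well, which is a change for values that used to parse. Adding `testCreateBigIntegerFailure("0x-1");`, `testCreateBigIntegerFailure("#+1");` and `testCreateBigIntegerFailure("0-1");` would make that behaviour explicit and guard against a later refactor quietly re-admitting sign-flipping input.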
@@ -790,6 +797,10 @@ void testIsCreatable() {
compareIsCreatableWithCreateNumber(" ", false);
compareIsCreatableWithCreateNumber("\r\n\t", false);
compareIsCreatableWithCreateNumber("--2.3", false);
+ compareIsCreatableWithCreateNumber("--2", false);
+ compareIsCreatableWithCreateNumber("-+2", false);
+ compareIsCreatableWithCreateNumber("+-2", false);
+ compareIsCreatableWithCreateNumber("++2", false);
compareIsCreatableWithCreateNumber(".12.3", false);
compareIsCreatableWithCreateNumber("-123E", false);
compareIsCreatableWithCreateNumber("-123E+-212", false);