Fix silent overflow when coercing JSON numbers to integral types

seethinajayadileep · seethinajayadileep · commit adc1f7e09485 · 2026-03-05T12:09:36.000+05:30
diff --git a/java/src/org/openqa/selenium/json/JsonInput.java b/java/src/org/openqa/selenium/json/JsonInput.java
@@ -263,7 +263,7 @@ public Number nextNumber() {
         return Long.valueOf(builder.toString());
       }
 
-      return new BigDecimal(builder.toString()).doubleValue();
+      return new BigDecimal(builder.toString());
     } catch (NumberFormatException e) {
       throw new JsonException("Unable to parse to a number: " + builder + ". " + input, e);
     }
diff --git a/java/src/org/openqa/selenium/json/NumberCoercer.java b/java/src/org/openqa/selenium/json/NumberCoercer.java
@@ -19,6 +19,8 @@
 
 import java.io.StringReader;
 import java.lang.reflect.Type;
+import java.math.BigDecimal;
+import java.math.BigInteger;
 import java.util.Map;
 import java.util.function.BiFunction;
 import java.util.function.Function;
@@ -80,7 +82,51 @@ public BiFunction<JsonInput, PropertySetting, T> apply(Type ignored) {
         default:
           throw new JsonException("Unable to coerce to a number: " + jsonInput.peek());
       }
+      validateIntegralRange(number, stereotype);
       return mapper.apply(number);
     };
   }
+
+  private static void validateIntegralRange(Number number, Class<?> stereotype) {
+    // Only for integral targets
+    if (!(stereotype == Byte.class
+        || stereotype == Short.class
+        || stereotype == Integer.class
+        || stereotype == Long.class)) {
+      return;
+    }
+
+    final BigInteger value;
+    try {
+      // Parses "2147483648", "1e3", "1.0" safely; rejects "1.2"
+      BigDecimal bd =
+          (number instanceof BigDecimal) ? (BigDecimal) number : new BigDecimal(number.toString());
+      value = bd.toBigIntegerExact();
+    } catch (RuntimeException e) {
+      throw new JsonException(
+          "Expected an integer value for " + stereotype.getSimpleName() + ": " + number, e);
+    }
+
+    BigInteger min;
+    BigInteger max;
+
+    if (stereotype == Byte.class) {
+      min = BigInteger.valueOf(Byte.MIN_VALUE);
+      max = BigInteger.valueOf(Byte.MAX_VALUE);
+    } else if (stereotype == Short.class) {
+      min = BigInteger.valueOf(Short.MIN_VALUE);
+      max = BigInteger.valueOf(Short.MAX_VALUE);
+    } else if (stereotype == Integer.class) {
+      min = BigInteger.valueOf(Integer.MIN_VALUE);
+      max = BigInteger.valueOf(Integer.MAX_VALUE);
+    } else { // Long.class
+      min = BigInteger.valueOf(Long.MIN_VALUE);
+      max = BigInteger.valueOf(Long.MAX_VALUE);
+    }
+
+    if (value.compareTo(min) < 0 || value.compareTo(max) > 0) {
+      throw new JsonException(
+          "Numeric value out of range for " + stereotype.getSimpleName() + ": " + value);
+    }
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -263,7 +263,7 @@ public Number nextNumber() {`
`263`	`263`	`return Long.valueOf(builder.toString());`
`264`	`264`	`}`
`265`	`265`
`266`		`- return new BigDecimal(builder.toString()).doubleValue();`
	`266`	`+ return new BigDecimal(builder.toString());`
`267`	`267`	`} catch (NumberFormatException e) {`
`268`	`268`	`throw new JsonException("Unable to parse to a number: " + builder + ". " + input, e);`
`269`	`269`	`}`