修复NumberUtil.toBigDecimal方法报StackOverflowError(CVE-2023-51080)

hutool-core/src/main/java/cn/hutool/core/util/NumberUtil.java

@@ -2153,8 +2153,8 @@ public class NumberUtil {
 		if (number instanceof BigDecimal) {
 			return toStr((BigDecimal) number, isStripTrailingZeros);
 		}
-
 		Assert.isTrue(isValidNumber(number), "Number is non-finite!");
+
 		// 去掉小数点儿后多余的0
 		String string = number.toString();
 		if (isStripTrailingZeros) {
@@ -2212,6 +2212,8 @@ public class NumberUtil {
 		if (null == number) {
 			return BigDecimal.ZERO;
 		}
+		// issue#3423@Github of CVE-2023-51080
+		Assert.isTrue(isValidNumber(number), "Number is invalid!");
 
 		if (number instanceof BigDecimal) {
 			return (BigDecimal) number;
@@ -2247,7 +2249,8 @@ public class NumberUtil {
 		}
 
 		// 支持类似于 1,234.55 格式的数字
-		return toBigDecimal(parseNumber(numberStr));
+		final Number number = parseNumber(numberStr);
+		return toBigDecimal(number);
 	}
 
 	/**
@@ -2269,6 +2272,7 @@ public class NumberUtil {
 			return BigInteger.valueOf((Long) number);
 		}
 
+		Assert.isTrue(isValidNumber(number), "Number is invalid!");
 		return toBigInteger(number.longValue());
 	}
 

hutool-core/src/test/java/cn/hutool/core/util/Issue3423Test.java

@@ -0,0 +1,24 @@
+package cn.hutool.core.util;
+
+import cn.hutool.core.lang.Console;
+import org.junit.Test;
+
+import java.text.DecimalFormat;
+import java.text.NumberFormat;
+import java.text.ParseException;
+
+public class Issue3423Test {
+
+	@Test(expected = IllegalArgumentException.class)
+	public void toBigDecimalOfNaNTest() {
+		NumberUtil.toBigDecimal("NaN");
+	}
+
+	@Test
+	public void toBigDecimalOfNaNTest2() throws ParseException {
+		final NumberFormat format = NumberFormat.getInstance();
+		((DecimalFormat) format).setParseBigDecimal(true);
+		final Number naN = format.parse("NaN");
+		Console.log(naN.getClass());
+	}
+}