Fix a potential problem in JavaTimeModule._findFactory() (#381)

* Update JavaTimeModule.java

Validate the order of the argument types against the order of the parameters. The previous version ignored mismatches and returned the first method with the correct name and correct number of parameters regardless of parameter types.

Author: AlbertLovers

datetime/src/main/java/com/fasterxml/jackson/datatype/jsr310/JavaTimeModule.java

@@ -266,21 +266,27 @@ protected AnnotatedMethod _findFactory(AnnotatedClass cls, String name, Class<?>
     {
         final int argCount = argTypes.length;
         for (AnnotatedMethod method : cls.getFactoryMethods()) {
-            if (!name.equals(method.getName())
-                    || (method.getParameterCount() != argCount)) {
-                continue;
+            if (name.equals(method.getName())
+                    && (method.getParameterCount() == argCount)
+                    && _allArgTypesMatch(argTypes, method)) {
+                    return method;
             }
-            for (int i = 0; i < argCount; ++i) {
-                Class<?> argType = method.getParameter(i).getRawType();
-                if (!argType.isAssignableFrom(argTypes[i])) {
-                    continue;
-                }
-            }
-            return method;
         }
         return null;
     }
 
+    // @since 2.21
+    private boolean _allArgTypesMatch(Class<?>[] expectedArgTypes, AnnotatedMethod method)
+    {
+        for (int i = 0, len = expectedArgTypes.length; i < len; ++i) {
+            Class<?> argType = method.getParameter(i).getRawType();
+            if (!argType.isAssignableFrom(expectedArgTypes[i])) {
+                return false;
+            }
+        }
+        return true;
+    }
+
     /**
      * Container for serializers, with one tweak; specific lookup we need to deal
      * with specific {@code TemporalAdjuster} closure subtypes.

release-notes/CREDITS-2.x

@@ -222,11 +222,15 @@ Joey Muia (@jmuia)
   `WRITE_DURATIONS_AS_TIMESTAMPS` enabled
   (2.19.0)
 
-Henning Pöttker (@ hpoettker)
+Henning Pöttker (@hpoettker)
  * Contributed #342: Lenient deserialization of `LocalDate` is not time-zone aware
   (2.19.0)
 
 Boleslav Bobcik (@bbobcik)
  * Reported, contributed fix for #364: Deserialization of Month in ONE_BASED_MONTHS
    mode fails for value "12"
   (2.19.0)
+
+Albert Lovers (@AlbertLovers)
+ * Reported, contributed fix for #381: Fix a potential problem in `JavaTimeModule._findFactory()`
+  (2.21.0)

release-notes/VERSION-2.x

@@ -17,8 +17,8 @@ Modules:
 #376: Allow specifying custom `DateTimeFormatter` for `OffsetDateTime` ser/deser
   (new constructors?)
  (requested by @ZIRAKrezovic)
-
-No changes since 2.20
+#381: Fix a potential problem in `JavaTimeModule._findFactory()`
+ (reported, fix by, Albert L)
 
 2.20.1 (30-Oct-2025)
 2.20.0 (28-Aug-2025)