Code review request for 6990094 "ObjectInputStream cloneArray doesn't handle short[]"
Peter Jones
pcj at roundroom.net
Mon Dec 6 16:03:24 UTC 2010
On Mon, Dec 6, 2010 at 2:35 AM, Joe Darcy <joe.darcy at oracle.com> wrote:
> Off-list, Alan found a related closed test and Stuart and I have
> developed an explicit test that tickles this bug:
>
> http://cr.openjdk.java.net/~darcy/6990094.1/
Looks good to me.
On Mon, Dec 6, 2010 at 3:10 AM, Rémi Forax <forax at univ-mlv.fr> wrote:
> Hi Joe,
> In the test, I don't see why the replacement field has to be static in
> Resolver.
> In my opinion, a private final field is sufficient.
I don't know on what instance you would set such an instance field, to
control the exact reference returned by invoking readUnshared on a
deserialized instance. The attack scenario addressed by the original
bug fix would likely use a static field similarly.
-- Peter