RFR: 8306461: ObjectInputStream::readObject() should handle negative array sizes without throwing NegativeArraySizeExceptions
Volker Simonis
simonis at openjdk.org
Mon Apr 24 11:54:57 UTC 2023
On Thu, 20 Apr 2023 18:44:54 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> src/java.base/share/classes/java/io/ObjectInputStream.java line 2142:
>>
>>> 2140: int len = bin.readInt();
>>> 2141: if (len < 0) {
>>> 2142: throw new InvalidClassException(desc.getName(), "Array length < 0 (" + len + ")");
>>
>> Suggestion:
>>
>> throw new InvalidClassException(desc.getName(), "Array length (" + len + ") is negative");
>
> I'd keep the exception logic simple/minimal. Especially since this is a manual and exceptional case that is not the result of any input provided through an API.
>
> throw new InvalidClassException(desc.getName(), "Array length is negative");
Done.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13540#discussion_r1175170526