RFR: 8306461: ObjectInputStream::readObject() should handle negative array sizes without throwing NegativeArraySizeExceptions
Volker Simonis
simonis at openjdk.org
Mon Apr 24 14:41:59 UTC 2023
On Wed, 19 Apr 2023 16:47:33 GMT, Volker Simonis <simonis at openjdk.org> wrote:
> This issue was reported by: Yakov Shafranovich ([yakovsh at amazon.com](mailto:yakovsh at amazon.com))
>
> Currently, `ObjectInputStream::readObject()` doesn't explicitly checks for a negative array length in the deserialization stream. Instead it calls `j.l.r.Array::newInstance(..)` with the negative length which results in a `NegativeArraySizeException`. NegativeArraySizeException is an unchecked exception which is neither declared in the signature of `ObjectInputStream::readObject()` nor mentioned in its API specification. It is therefore not obvious for users of `ObjectInputStream::readObject()` that they may have to handle `NegativeArraySizeException`s. It would therefor be better if a negative array length in the deserialization stream would be automatically wrapped in an `InvalidClassException` which is a checked exception (derived from `IOException` via `ObjectStreamException`) and declared in the signature of `ObjectInputStream::readObject()`.
>
> If we do the negative array length check in `ObjectInputStream::readObject()` before filtering, this will then also fix `ObjectInputFilter.FilterInfo::arrayLength()` which is defined as:
>
> Returns:
> the non-negative number of array elements when deserializing an array of the class, otherwise -1
>
> but currently returns a negative value if the array length is negative.
Hi @turbanoff, @shipilev and @RogerRiggs,
Thanks for your reviews so far. I've hopefully addressed them all. I've also created a CSR for the issue:
https://bugs.openjdk.org/browse/JDK-8306744
Please feel free to review it :)
-------------
PR Comment: https://git.openjdk.org/jdk/pull/13540#issuecomment-1520290530
More information about the core-libs-dev
mailing list