diff options
author | Neil Fuller <nfuller@google.com> | 2014-06-25 17:54:12 +0100 |
---|---|---|
committer | Paul Kocialkowski <contact@paulk.fr> | 2015-08-30 23:04:25 +0200 |
commit | 74ebabb6156cd62e8fb877f08caf3c88f357fdcd (patch) | |
tree | 019bc345af31fd3e83d6b8978b3849d964c0f8c4 /luni/src/main/java/java/io/ObjectInputStream.java | |
parent | b32087cc78dfd13aac9e6476266cf211b179af2f (diff) | |
download | libcore-replicant-4.2.zip libcore-replicant-4.2.tar.gz libcore-replicant-4.2.tar.bz2 |
Add additional checks in ObjectInputStreamreplicant-4.2-0004replicant-4.2
Thanks to Jann Horn for reporting a bug in ObjectInputStream
and sending the initial patch.
Add some checks that the class of an object
being deserialized still conforms to the requirements
for serialization.
Add some checks that the class being deserialized matches
the type information (enum, serializable, externalizable)
held in the stream.
Delayed static initialization of classes until the
type of the class has been validated against the stream
content in some cases.
Added more tests.
Bug: 15874291
(cherry picked from commit 738c833d38d41f8f76eb7e77ab39add82b1ae1e2)
Change-Id: I9f5437ed60936882de56589537176466624e631d
Signed-off-by: Neil Fuller <nfuller@google.com>
Tested-by: Moritz Bandemer <replicant@posteo.mx>
Diffstat (limited to 'luni/src/main/java/java/io/ObjectInputStream.java')
-rw-r--r-- | luni/src/main/java/java/io/ObjectInputStream.java | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/luni/src/main/java/java/io/ObjectInputStream.java b/luni/src/main/java/java/io/ObjectInputStream.java index 0476901..963b7e9 100644 --- a/luni/src/main/java/java/io/ObjectInputStream.java +++ b/luni/src/main/java/java/io/ObjectInputStream.java @@ -1078,7 +1078,8 @@ public class ObjectInputStream extends InputStream implements ObjectInput, Objec * @see #readFields * @see #readObject() */ - private void readFieldValues(Object obj, ObjectStreamClass classDesc) throws OptionalDataException, ClassNotFoundException, IOException { + private void readFieldValues(Object obj, ObjectStreamClass classDesc) + throws OptionalDataException, ClassNotFoundException, IOException { // Now we must read all fields and assign them to the receiver ObjectStreamField[] fields = classDesc.getLoadFields(); fields = (fields == null) ? ObjectStreamClass.NO_FIELDS : fields; @@ -1602,6 +1603,9 @@ public class ObjectInputStream extends InputStream implements ObjectInput, Objec ClassNotFoundException, IOException { // read classdesc for Enum first ObjectStreamClass classDesc = readEnumDesc(); + + Class enumType = classDesc.checkAndGetTcEnumClass(); + int newHandle = nextHandle(); // read name after class desc String name; @@ -1623,9 +1627,11 @@ public class ObjectInputStream extends InputStream implements ObjectInput, Objec Enum<?> result; try { - result = Enum.valueOf((Class) classDesc.forClass(), name); + result = Enum.valueOf(enumType, name); } catch (IllegalArgumentException e) { - throw new InvalidObjectException(e.getMessage()); + InvalidObjectException ioe = new InvalidObjectException(e.getMessage()); + ioe.initCause(e); + throw ioe; } registerObjectRead(result, newHandle, unshared); return result; @@ -1809,9 +1815,10 @@ public class ObjectInputStream extends InputStream implements ObjectInput, Objec throw missingClassDescriptor(); } + Class<?> objectClass = classDesc.checkAndGetTcObjectClass(); + int newHandle = nextHandle(); - Class<?> objectClass = classDesc.forClass(); - Object result = null; + Object result; Object registeredResult = null; if (objectClass != null) { // Now we know which class to instantiate and which constructor to @@ -2100,8 +2107,7 @@ public class ObjectInputStream extends InputStream implements ObjectInput, Objec * if the source stream does not contain readable serialized * objects. */ - protected void readStreamHeader() throws IOException, - StreamCorruptedException { + protected void readStreamHeader() throws IOException, StreamCorruptedException { if (input.readShort() == STREAM_MAGIC && input.readShort() == STREAM_VERSION) { return; @@ -2301,7 +2307,7 @@ public class ObjectInputStream extends InputStream implements ObjectInput, Objec // not primitive class // Use the first non-null ClassLoader on the stack. If null, use // the system class loader - cls = Class.forName(className, true, callerClassLoader); + cls = Class.forName(className, false, callerClassLoader); } } return cls; @@ -2375,8 +2381,7 @@ public class ObjectInputStream extends InputStream implements ObjectInput, Objec throws InvalidClassException { Class<?> localClass = loadedStreamClass.forClass(); - ObjectStreamClass localStreamClass = ObjectStreamClass - .lookupStreamClass(localClass); + ObjectStreamClass localStreamClass = ObjectStreamClass.lookupStreamClass(localClass); if (loadedStreamClass.getSerialVersionUID() != localStreamClass .getSerialVersionUID()) { |