8282252: Improve BigInteger/Decimal validation

Reviewed-by: jboes, rhalade, skoivu, bpb, smarks

src/java.base/share/classes/java/math/BigDecimal.java

@@ -31,6 +31,10 @@ package java.math;
 
 import static java.math.BigInteger.LONG_MASK;
 import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamException;
+import java.io.StreamCorruptedException;
 import java.util.Arrays;
 import java.util.Objects;
 
@@ -1047,6 +1051,15 @@ public class BigDecimal extends Number implements Comparable<BigDecimal> {
         this.precision = prec;
     }
 
+    /**
+     * Accept no subclasses.
+     */
+    private static BigInteger toStrictBigInteger(BigInteger val) {
+        return (val.getClass() == BigInteger.class) ?
+            val :
+            new BigInteger(val.toByteArray().clone());
+    }
+
     /**
      * Translates a {@code BigInteger} into a {@code BigDecimal}.
      * The scale of the {@code BigDecimal} is zero.
@@ -1056,8 +1069,8 @@ public class BigDecimal extends Number implements Comparable<BigDecimal> {
      */
     public BigDecimal(BigInteger val) {
         scale = 0;
-        intVal = val;
-        intCompact = compactValFor(val);
+        intVal = toStrictBigInteger(val);
+        intCompact = compactValFor(intVal);
     }
 
     /**
@@ -1071,7 +1084,7 @@ public class BigDecimal extends Number implements Comparable<BigDecimal> {
      * @since  1.5
      */
     public BigDecimal(BigInteger val, MathContext mc) {
-        this(val,0,mc);
+        this(toStrictBigInteger(val), 0, mc);
     }
 
     /**
@@ -1085,8 +1098,8 @@ public class BigDecimal extends Number implements Comparable<BigDecimal> {
      */
     public BigDecimal(BigInteger unscaledVal, int scale) {
         // Negative scales are now allowed
-        this.intVal = unscaledVal;
-        this.intCompact = compactValFor(unscaledVal);
+        this.intVal = toStrictBigInteger(unscaledVal);
+        this.intCompact = compactValFor(this.intVal);
         this.scale = scale;
     }
 
@@ -1104,6 +1117,7 @@ public class BigDecimal extends Number implements Comparable<BigDecimal> {
      * @since  1.5
      */
     public BigDecimal(BigInteger unscaledVal, int scale, MathContext mc) {
+        unscaledVal = toStrictBigInteger(unscaledVal);
         long compactVal = compactValFor(unscaledVal);
         int mcp = mc.precision;
         int prec = 0;
@@ -4253,9 +4267,13 @@ public class BigDecimal extends Number implements Comparable<BigDecimal> {
                 = unsafe.objectFieldOffset(BigDecimal.class, "intCompact");
         private static final long intValOffset
                 = unsafe.objectFieldOffset(BigDecimal.class, "intVal");
+        private static final long scaleOffset
+                = unsafe.objectFieldOffset(BigDecimal.class, "scale");
 
-        static void setIntCompact(BigDecimal bd, long val) {
-            unsafe.putLong(bd, intCompactOffset, val);
+        static void setIntValAndScale(BigDecimal bd, BigInteger intVal, int scale) {
+            unsafe.putReference(bd, intValOffset, intVal);
+            unsafe.putInt(bd, scaleOffset, scale);
+            unsafe.putLong(bd, intCompactOffset, compactValFor(intVal));
         }
 
         static void setIntValVolatile(BigDecimal bd, BigInteger val) {
@@ -4274,15 +4292,30 @@ public class BigDecimal extends Number implements Comparable<BigDecimal> {
     @java.io.Serial
     private void readObject(java.io.ObjectInputStream s)
         throws IOException, ClassNotFoundException {
-        // Read in all fields
-        s.defaultReadObject();
-        // validate possibly bad fields
-        if (intVal == null) {
-            String message = "BigDecimal: null intVal in stream";
-            throw new java.io.StreamCorruptedException(message);
-        // [all values of scale are now allowed]
+        // prepare to read the fields
+        ObjectInputStream.GetField fields = s.readFields();
+        BigInteger serialIntVal = (BigInteger) fields.get("intVal", null);
+
+        // Validate field data
+        if (serialIntVal == null) {
+            throw new StreamCorruptedException("Null or missing intVal in BigDecimal stream");
         }
-        UnsafeHolder.setIntCompact(this, compactValFor(intVal));
+        // Validate provenance of serialIntVal object
+        serialIntVal = toStrictBigInteger(serialIntVal);
+
+        // Any integer value is valid for scale
+        int serialScale = fields.get("scale", 0);
+
+        UnsafeHolder.setIntValAndScale(this, serialIntVal, serialScale);
+    }
+
+    /**
+     * Serialization without data not supported for this class.
+     */
+    @java.io.Serial
+    private void readObjectNoData()
+        throws ObjectStreamException {
+        throw new InvalidObjectException("Deserialized BigDecimal objects need data");
     }
 
    /**