8306461: ObjectInputStream::readObject() should handle negative array sizes without throwing NegativeArraySizeExceptions

Co-authored-by: Yakov Shafranovich <yakovsh@amazon.com> Reviewed-by: shade, rriggs
2025-08-26 22:34:27 +02:00 · 2023-05-08 14:56:05 +00:00 · 2023-05-08 14:56:05 +00:00 · 4116b109f0
commit 4116b109f0
parent 93ee19f58a
3 changed files with 155 additions and 6 deletions
--- a/src/java.base/share/classes/java/io/ObjectInputStream.java
+++ b/src/java.base/share/classes/java/io/ObjectInputStream.java
@ -1451,16 +1451,16 @@ public class ObjectInputStream
     * @param arrayLength the array length
     * @throws NullPointerException if arrayType is null
     * @throws IllegalArgumentException if arrayType isn't actually an array type
-     * @throws NegativeArraySizeException if arrayLength is negative
+     * @throws StreamCorruptedException if arrayLength is negative
     * @throws InvalidClassException if the filter rejects creation
     */
-    private void checkArray(Class<?> arrayType, int arrayLength) throws InvalidClassException {
+    private void checkArray(Class<?> arrayType, int arrayLength) throws ObjectStreamException {
        if (! arrayType.isArray()) {
            throw new IllegalArgumentException("not an array type");
        }

        if (arrayLength < 0) {
-            throw new NegativeArraySizeException();
+            throw new StreamCorruptedException("Array length is negative");
        }

        filterCheck(arrayType, arrayLength);
@ -2138,7 +2138,9 @@ public class ObjectInputStream

        ObjectStreamClass desc = readClassDesc(false);
        int len = bin.readInt();
-
+        if (len < 0) {
+            throw new StreamCorruptedException("Array length is negative");
+        }
        filterCheck(desc.forClass(), len);

        Object array = null;