Details
- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
Description
SerializationUtils.deserialize(InputStream) wraps the provided InputStream in an ObjectInputStream and then calls readObject on it. The problem is that readObject (and the methods it delegates to) allocates a temporary array whose size is taken from the data in the provided InputStream. If the bytes of the InputStream encode a negative size and that value is used for the array allocation, the call fails with a NegativeArraySizeException.
    public static <T> T deserialize(final InputStream inputStream) {
        Objects.requireNonNull(inputStream, "inputStream");
        try (ObjectInputStream in = new ObjectInputStream(inputStream)) {
            @SuppressWarnings("unchecked")
            final T obj = (T) in.readObject();
            return obj;
        } catch (final ClassNotFoundException | IOException ex) {
            throw new SerializationException(ex);
        }
    }
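The following standalone Java program is an added example, not code from the issue or from commons-lang: it constructs a serialized byte[] whose length field is overwritten with -1, then feeds it to a hardened variant of the method above that wraps the unchecked NegativeArraySizeException the same way as the checked exceptions and uses an ObjectInputFilter to reject oversized arrays before they are allocated. The class name, the stand-in SerializationException and the 10_000 element limit are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

public class NegativeArrayLengthDemo {
    // Stand-in for commons-lang's SerializationException so the example has no dependencies.
    static final class SerializationException extends RuntimeException {
        SerializationException(Throwable cause) { super(cause); }
    }
    // Hardened variant of the method quoted above (assumed, not the project's code): the unchecked
    // NegativeArraySizeException is wrapped like the checked ones, and an ObjectInputFilter rejects
    // any array longer than an assumed 10_000 elements before it is allocated.
    static <T> T deserialize(final InputStream inputStream) {
        try (ObjectInputStream in = new ObjectInputStream(inputStream)) {
            in.setObjectInputFilter(info -> info.arrayLength() > 10_000
                    ? ObjectInputFilter.Status.REJECTED : ObjectInputFilter.Status.UNDECIDED);
            @SuppressWarnings("unchecked")
            final T obj = (T) in.readObject();
            return obj;
        } catch (final ClassNotFoundException | IOException | NegativeArraySizeException ex) {
            throw new SerializationException(ex);
        }
    }
    // Constructed input: serialize a 3-element byte[] and overwrite its 4-byte length field
    // (the int immediately preceding the element bytes in the stream) with 0xFFFFFFFF, i.e. -1.
    static byte[] corruptedStream() throws IOException {
        final ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new byte[] {1, 2, 3});
        }
        final byte[] data = bos.toByteArray();
        final int lenOffset = data.length - 3 - 4;
        for (int i = 0; i < 4; i++) data[lenOffset + i] = (byte) 0xFF;
        return data;
    }
    public static void main(String[] args) throws IOException {
        try {
            deserialize(new ByteArrayInputStream(corruptedStream()));
        } catch (SerializationException ex) {
            // Older JDKs raise NegativeArraySizeException from Array.newInstance; newer ones throw
            // StreamCorruptedException for a negative length. The caller sees one exception type either way.
            System.out.println("rejected malformed stream: " + ex.getCause());
        }
    }
}
```

Without the extra catch clause, the same input would escape the original method as a bare NegativeArraySizeException, which callers handling SerializationException would not expect.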