Functional changes for java.io.[ILO]* ojdk8 port
- Change in ObjectInputStream.readSerialData. hg log points to change with "Serialize OIS data" in the topic. I found some links between topic and CVE-2015-2590, probably a security fix. The functional result of this change is: if there's an ClassNotFoundException for the current object's handle then the de-serialized fields are not copied/set into the current object. Sadly, I failed to produce the test case where object can be instantiated and has an exception waiting for it. - ObjectInputStream.readExternalData added activeThread== context.thread checks. - ObjectOutputStream.defaultWriteFields added a Conservative isInstance check. - ObjectOutputStream class checks protecting from NPE when writing a class descriptor object to a custom ObjectOutputStream. Test: cts run of CtsLibcoreTestCases Bug: 31237296 Change-Id: I315a71d8aad836bcb5ecbdd853b2d0f01adaf0f1
Loading
Please sign in to comment