diff --git a/src/java.base/share/classes/java/io/ObjectInputStream.java b/src/java.base/share/classes/java/io/ObjectInputStream.java index 14dfeea8ef0..52eaa427792 100644 --- a/src/java.base/share/classes/java/io/ObjectInputStream.java +++ b/src/java.base/share/classes/java/io/ObjectInputStream.java @@ -31,6 +31,7 @@ import java.lang.System.Logger; import java.lang.invoke.MethodHandle; import java.lang.ref.ReferenceQueue; import java.lang.reflect.Array; +import java.lang.reflect.InvocationHandler; import java.lang.reflect.Modifier; import java.lang.reflect.Proxy; import java.security.AccessControlContext; @@ -50,6 +51,7 @@ import jdk.internal.access.SharedSecrets; import jdk.internal.misc.Unsafe; import sun.reflect.misc.ReflectUtil; import sun.security.action.GetBooleanAction; +import sun.security.action.GetIntegerAction; /** * An ObjectInputStream deserializes primitive data and objects previously @@ -303,6 +305,15 @@ public class ObjectInputStream */ static final boolean SET_FILTER_AFTER_READ = GetBooleanAction .privilegedGetProperty("jdk.serialSetFilterAfterRead"); + + /** + * Property to override the implementation limit on the number + * of interfaces allowed for Proxies. + * The maximum number of interfaces allowed for a proxy is limited to 65535 by + * {@link java.lang.reflect.Proxy#newProxyInstance(ClassLoader, Class[], InvocationHandler)}. + */ + static final int PROXY_INTERFACE_LIMIT = Math.min(65535, GetIntegerAction + .privilegedGetProperty("jdk.serialProxyInterfaceLimit", 65535)); } /* @@ -1915,14 +1926,23 @@ public class ObjectInputStream int numIfaces = bin.readInt(); if (numIfaces > 65535) { - throw new InvalidObjectException("interface limit exceeded: " - + numIfaces); + // Report specification limit exceeded + throw new InvalidObjectException("interface limit exceeded: " + + numIfaces + + ", limit: " + Caches.PROXY_INTERFACE_LIMIT); } String[] ifaces = new String[numIfaces]; for (int i = 0; i < numIfaces; i++) { ifaces[i] = bin.readUTF(); } + // Recheck against implementation limit and throw with interface names + if (numIfaces > Caches.PROXY_INTERFACE_LIMIT) { + throw new InvalidObjectException("interface limit exceeded: " + + numIfaces + + ", limit: " + Caches.PROXY_INTERFACE_LIMIT + + "; " + Arrays.toString(ifaces)); + } Class cl = null; ClassNotFoundException resolveEx = null; bin.setBlockDataMode(true); @@ -1945,6 +1965,11 @@ public class ObjectInputStream } } catch (ClassNotFoundException ex) { resolveEx = ex; + } catch (OutOfMemoryError memerr) { + IOException ex = new InvalidObjectException("Proxy interface limit exceeded: " + + Arrays.toString(ifaces)); + ex.initCause(memerr); + throw ex; } // Call filterCheck on the class before reading anything else