diff --git a/src/java.base/share/classes/java/io/ObjectInputStream.java b/src/java.base/share/classes/java/io/ObjectInputStream.java index 10e312b8ab0..e8a81e976be 100644 --- a/src/java.base/share/classes/java/io/ObjectInputStream.java +++ b/src/java.base/share/classes/java/io/ObjectInputStream.java @@ -1858,6 +1858,8 @@ public class ObjectInputStream break; case TC_REFERENCE: descriptor = (ObjectStreamClass) readHandle(unshared); + // Should only reference initialized class descriptors + descriptor.checkInitialized(); break; case TC_PROXYCLASSDESC: descriptor = readProxyDesc(unshared); diff --git a/src/java.base/share/classes/java/io/ObjectStreamClass.java b/src/java.base/share/classes/java/io/ObjectStreamClass.java index 99240b5f1ba..1a1fd7e397a 100644 --- a/src/java.base/share/classes/java/io/ObjectStreamClass.java +++ b/src/java.base/share/classes/java/io/ObjectStreamClass.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -885,6 +885,17 @@ public class ObjectStreamClass implements Serializable { throw new InternalError("Unexpected call when not initialized"); } + /** + * Throws InvalidClassException if not initialized. + * To be called in cases where an uninitialized class descriptor indicates + * a problem in the serialization stream. + */ + final void checkInitialized() throws InvalidClassException { + if (!initialized) { + throw new InvalidClassException("Class descriptor should be initialized"); + } + } + /** * Throws an InvalidClassException if object instances referencing this * class descriptor should not be allowed to deserialize. This method does