Merge

ebcd0f9e · asaha · 91f4f2db · edbdb3d6 · ebcd0f9e · ebcd0f9e
13 changed file
--- a/.hgtags
+++ b/.hgtags
@@ -723,6 +723,7 @@ c6c870e267de694bc85dc4af23a648824063f95b jdk8u151-b06
 8fd79358682edc86abaac1c839486834410be74b jdk8u151-b08
 a487770409082a3d1c4be9264e8eb02b1a41fe41 jdk8u151-b09
 7653488b327598fecd823b9b095a1c107b0a1429 jdk8u151-b10
+431c125e1231749e16427c280f115f93d699c0e1 jdk8u151-b11
 1442bc728814af451e2dd1a6719a64485d27e3a0 jdk8u122-b00
 f6030acfa5aec0e64d45adfac69b9e7e5c12bc74 jdk8u122-b01
 6b072c3a6db7ab06804c91aab77431799dfb5d47 jdk8u122-b02

--- a/src/share/classes/java/io/ObjectInputStream.java
+++ b/src/share/classes/java/io/ObjectInputStream.java
@@ -43,9 +43,9 @@ import java.util.concurrent.ConcurrentMap;

 import static java.io.ObjectStreamClass.processQueue;

+import sun.misc.SharedSecrets;
 import sun.misc.ObjectInputFilter;
 import sun.misc.ObjectStreamClassValidator;
-import sun.misc.SharedSecrets;
 import sun.reflect.misc.ReflectUtil;
 import sun.misc.JavaOISAccess;
 import sun.util.logging.PlatformLogger;
@@ -254,6 +254,12 @@ public class ObjectInputStream
            public ObjectInputFilter getObjectInputFilter(ObjectInputStream stream) {
                return stream.getInternalObjectInputFilter();
            }
+
+            public void checkArray(ObjectInputStream stream, Class<?> arrayType, int arrayLength)
+                throws InvalidClassException
+            {
+                stream.checkArray(arrayType, arrayLength);
+            }
        });
    }

@@ -1256,6 +1262,33 @@ public class ObjectInputStream
        }
    }

+    /**
+     * Checks the given array type and length to ensure that creation of such
+     * an array is permitted by this ObjectInputStream. The arrayType argument
+     * must represent an actual array type.
+     *
+     * This private method is called via SharedSecrets.
+     *
+     * @param arrayType the array type
+     * @param arrayLength the array length
+     * @throws NullPointerException if arrayType is null
+     * @throws IllegalArgumentException if arrayType isn't actually an array type
+     * @throws NegativeArraySizeException if arrayLength is negative
+     * @throws InvalidClassException if the filter rejects creation
+     */
+    private void checkArray(Class<?> arrayType, int arrayLength) throws InvalidClassException {
+        Objects.requireNonNull(arrayType);
+        if (! arrayType.isArray()) {
+            throw new IllegalArgumentException("not an array type");
+        }
+
+        if (arrayLength < 0) {
+            throw new NegativeArraySizeException();
+        }
+
+        filterCheck(arrayType, arrayLength);
+    }
+
    /**
     * Provide access to the persistent fields read from the input stream.
     */

--- a/src/share/classes/java/util/ArrayDeque.java
+++ b/src/share/classes/java/util/ArrayDeque.java
@@ -36,6 +36,7 @@ package java.util;

 import java.io.Serializable;
 import java.util.function.Consumer;
+import sun.misc.SharedSecrets;

 /**
 * Resizable-array implementation of the {@link Deque} interface.  Array
@@ -118,12 +119,7 @@ public class ArrayDeque<E> extends AbstractCollection<E>

    // ******  Array allocation and resizing utilities ******

-    /**
-     * Allocates empty array to hold the given number of elements.
-     *
-     * @param numElements  the number of elements to hold
-     */
-    private void allocateElements(int numElements) {
+    private static int calculateSize(int numElements) {
        int initialCapacity = MIN_INITIAL_CAPACITY;
        // Find the best power of two to hold elements.
        // Tests "<=" because arrays aren't kept full.
@@ -139,7 +135,16 @@ public class ArrayDeque<E> extends AbstractCollection<E>
            if (initialCapacity < 0)   // Too many elements, must back off
                initialCapacity >>>= 1;// Good luck allocating 2 ^ 30 elements
        }
-        elements = new Object[initialCapacity];
+        return initialCapacity;
+    }
+
+    /**
+     * Allocates empty array to hold the given number of elements.
+     *
+     * @param numElements  the number of elements to hold
+     */
+    private void allocateElements(int numElements) {
+        elements = new Object[calculateSize(numElements)];
    }

    /**
@@ -879,6 +884,8 @@ public class ArrayDeque<E> extends AbstractCollection<E>

        // Read in size and allocate array
        int size = s.readInt();
+        int capacity = calculateSize(size);
+        SharedSecrets.getJavaOISAccess().checkArray(s, Object[].class, capacity);
        allocateElements(size);
        head = 0;
        tail = size;

--- a/src/share/classes/java/util/ArrayList.java
+++ b/src/share/classes/java/util/ArrayList.java
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,7 @@ package java.util;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
+import sun.misc.SharedSecrets;

 /**
 * Resizable-array implementation of the <tt>List</tt> interface.  Implements
@@ -219,12 +220,15 @@ public class ArrayList<E> extends AbstractList<E>
        }
    }

-    private void ensureCapacityInternal(int minCapacity) {
+    private static int calculateCapacity(Object[] elementData, int minCapacity) {
        if (elementData == DEFAULTCAPACITY_EMPTY_ELEMENTDATA) {
-            minCapacity = Math.max(DEFAULT_CAPACITY, minCapacity);
+            return Math.max(DEFAULT_CAPACITY, minCapacity);
+        }
+        return minCapacity;
        }

-        ensureExplicitCapacity(minCapacity);
+    private void ensureCapacityInternal(int minCapacity) {
+        ensureExplicitCapacity(calculateCapacity(elementData, minCapacity));
    }

    private void ensureExplicitCapacity(int minCapacity) {
@@ -783,6 +787,8 @@ public class ArrayList<E> extends AbstractList<E>

        if (size > 0) {
            // be like clone(), allocate array based upon size not capacity
+            int capacity = calculateCapacity(elementData, size);
+            SharedSecrets.getJavaOISAccess().checkArray(s, Object[].class, capacity);
            ensureCapacityInternal(size);

            Object[] a = elementData;

--- a/src/share/classes/java/util/HashMap.java
+++ b/src/share/classes/java/util/HashMap.java
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -34,6 +34,7 @@ import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Consumer;
 import java.util.function.Function;
+import sun.misc.SharedSecrets;

 /**
 * Hash table based implementation of the <tt>Map</tt> interface.  This
@@ -1392,6 +1393,10 @@ public class HashMap<K,V> extends AbstractMap<K,V>
            float ft = (float)cap * lf;
            threshold = ((cap < MAXIMUM_CAPACITY && ft < MAXIMUM_CAPACITY) ?
                         (int)ft : Integer.MAX_VALUE);
+
+            // Check Map.Entry[].class since it's the nearest public type to
+            // what we're actually creating.
+            SharedSecrets.getJavaOISAccess().checkArray(s, Map.Entry[].class, cap);
            @SuppressWarnings({"rawtypes","unchecked"})
                Node<K,V>[] tab = (Node<K,V>[])new Node[cap];
            table = tab;

--- a/src/share/classes/java/util/HashSet.java
+++ b/src/share/classes/java/util/HashSet.java
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package java.util;

 import java.io.InvalidObjectException;
+import sun.misc.SharedSecrets;

 /**
 * This class implements the <tt>Set</tt> interface, backed by a hash table
@@ -316,12 +317,19 @@ public class HashSet<E>
            throw new InvalidObjectException("Illegal size: " +
                                             size);
        }
-
        // Set the capacity according to the size and load factor ensuring that
        // the HashMap is at least 25% full but clamping to maximum capacity.
        capacity = (int) Math.min(size * Math.min(1 / loadFactor, 4.0f),
                HashMap.MAXIMUM_CAPACITY);

+        // Constructing the backing map will lazily create an array when the first element is
+        // added, so check it before construction. Call HashMap.tableSizeFor to compute the
+        // actual allocation size. Check Map.Entry[].class since it's the nearest public type to
+        // what is actually created.
+
+        SharedSecrets.getJavaOISAccess()
+                     .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor(capacity));
+
        // Create backing HashMap
        map = (((HashSet<?>)this) instanceof LinkedHashSet ?
               new LinkedHashMap<E,Object>(capacity, loadFactor) :

--- a/src/share/classes/java/util/Hashtable.java
+++ b/src/share/classes/java/util/Hashtable.java
 /*
- * Copyright (c) 1994, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@ import java.util.concurrent.ThreadLocalRandom;
 import java.util.function.BiConsumer;
 import java.util.function.Function;
 import java.util.function.BiFunction;
+import sun.misc.SharedSecrets;

 /**
 * This class implements a hash table, which maps keys to values. Any
@@ -1192,6 +1193,10 @@ public class Hashtable<K,V>
        if (length > elements && (length & 1) == 0)
            length--;
        length = Math.min(length, origlength);
+
+        // Check Map.Entry[].class since it's the nearest public type to
+        // what we're actually creating.
+        SharedSecrets.getJavaOISAccess().checkArray(s, Map.Entry[].class, length);
        table = new Entry<?,?>[length];
        threshold = (int)Math.min(length * loadFactor, MAX_ARRAY_SIZE + 1);
        count = 0;

--- a/src/share/classes/java/util/IdentityHashMap.java
+++ b/src/share/classes/java/util/IdentityHashMap.java
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@ import java.lang.reflect.Array;
 import java.util.function.BiConsumer;
 import java.util.function.BiFunction;
 import java.util.function.Consumer;
+import sun.misc.SharedSecrets;

 /**
 * This class implements the <tt>Map</tt> interface with a hash table, using
@@ -1304,7 +1305,9 @@ public class IdentityHashMap<K,V>
        if (size < 0)
            throw new java.io.StreamCorruptedException
                ("Illegal mappings count: " + size);
-        init(capacity(size));
+        int cap = capacity(size);
+        SharedSecrets.getJavaOISAccess().checkArray(s, Object[].class, cap);
+        init(cap);

        // Read the keys and values, and put the mappings in the table
        for (int i=0; i<size; i++) {

--- a/src/share/classes/java/util/PriorityQueue.java
+++ b/src/share/classes/java/util/PriorityQueue.java
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package java.util;

 import java.util.function.Consumer;
+import sun.misc.SharedSecrets;

 /**
 * An unbounded priority {@linkplain Queue queue} based on a priority heap.
@@ -784,6 +785,7 @@ public class PriorityQueue<E> extends AbstractQueue<E>
        // Read in (and discard) array length
        s.readInt();

+        SharedSecrets.getJavaOISAccess().checkArray(s, Object[].class, size);
        queue = new Object[size];

        // Read in all elements.

--- a/src/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
+++ b/src/share/classes/java/util/concurrent/CopyOnWriteArrayList.java
@@ -50,6 +50,7 @@ import java.util.concurrent.locks.ReentrantLock;
 import java.util.function.Consumer;
 import java.util.function.Predicate;
 import java.util.function.UnaryOperator;
+import sun.misc.SharedSecrets;

 /**
 * A thread-safe variant of {@link java.util.ArrayList} in which all mutative
@@ -989,6 +990,7 @@ public class CopyOnWriteArrayList<E>

        // Read in array length and allocate array
        int len = s.readInt();
+        SharedSecrets.getJavaOISAccess().checkArray(s, Object[].class, len);
        Object[] elements = new Object[len];

        // Read in all elements in the proper order.

--- a/src/share/classes/sun/misc/JavaOISAccess.java
+++ b/src/share/classes/sun/misc/JavaOISAccess.java
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -25,9 +25,12 @@

 package sun.misc;

+import java.io.InvalidClassException;
 import java.io.ObjectInputStream;

 public interface JavaOISAccess {
    void setObjectInputFilter(ObjectInputStream stream, ObjectInputFilter filter);
    ObjectInputFilter getObjectInputFilter(ObjectInputStream stream);
+    void checkArray(ObjectInputStream stream, Class<?> arrayType, int arrayLength)
+        throws InvalidClassException;
 }
--- a/src/share/classes/sun/security/tools/keytool/Main.java
+++ b/src/share/classes/sun/security/tools/keytool/Main.java
@@ -1714,7 +1714,8 @@ public final class Main {
                // hardcode for now as DEF_RSA_KEY_SIZE is still 1024
                keysize = 2048; // SecurityProviderConstants.DEF_RSA_KEY_SIZE;
            } else if ("DSA".equalsIgnoreCase(keyAlgName)) {
-                keysize = SecurityProviderConstants.DEF_DSA_KEY_SIZE;
+                // hardcode for now as DEF_DSA_KEY_SIZE is still 1024
+                keysize = 2048;
            }
        }


--- a/test/java/io/Serializable/serialFilter/SerialFilterTest.java
+++ b/test/java/io/Serializable/serialFilter/SerialFilterTest.java
@@ -35,9 +35,11 @@ import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Proxy;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.atomic.LongAdder;

 import sun.misc.ObjectInputFilter;
@@ -154,6 +156,11 @@ public class SerialFilterTest implements Serializable {
                interfaces, (p, m, args) -> p);

        Runnable runnable = (Runnable & Serializable) SerialFilterTest::noop;
+
+        List<Class<?>> classList = new ArrayList<>();
+        classList.add(HashSet.class);
+        classList.addAll(Collections.nCopies(21, Map.Entry[].class));
+
        Object[][] objects = {
                { null, 0, -1, 0, 0, 0,
                        Arrays.asList()},        // no callback, no values
@@ -173,8 +180,7 @@ public class SerialFilterTest implements Serializable {
                                objArray.getClass(),
                                SerialFilterTest.class,
                                java.lang.invoke.SerializedLambda.class)},
-                { deepHashSet(10), 48, -1, 50, 11, 619,
-                        Arrays.asList(HashSet.class)},
+                { deepHashSet(10), 69, 4, 50, 11, 619, classList },
                { proxy.getClass(), 3, -1, 2, 2, 112,
                        Arrays.asList(Runnable.class,
                                java.lang.reflect.Proxy.class,