--- a/src/java.base/share/classes/java/security/CodeSource.java	Wed Jul 05 17:27:46 2017 +0100
+++ b/src/java.base/share/classes/java/security/CodeSource.java	Thu Jul 06 09:20:21 2017 +0800
@@ -35,6 +35,7 @@
 import java.io.IOException;
 import java.security.cert.*;
 import sun.net.util.URLUtil;
+import sun.security.util.IOUtils;
 
 /**
  *
@@ -571,6 +572,8 @@
             // could all be present in the stream at the same time
             cfs = new Hashtable<>(3);
             certList = new ArrayList<>(size > 20 ? 20 : size);
+        } else if (size < 0) {
+            throw new IOException("size cannot be negative");
         }
 
         for (int i = 0; i < size; i++) {
@@ -592,13 +595,7 @@
                 cfs.put(certType, cf);
             }
             // parse the certificate
-            byte[] encoded = null;
-            try {
-                encoded = new byte[ois.readInt()];
-            } catch (OutOfMemoryError oome) {
-                throw new IOException("Certificate too big");
-            }
-            ois.readFully(encoded);
+            byte[] encoded = IOUtils.readNBytes(ois, ois.readInt());
             ByteArrayInputStream bais = new ByteArrayInputStream(encoded);
             try {
                 certList.add(cf.generateCertificate(bais));