# HG changeset patch # User pchelko # Date 1390379743 -14400 # Node ID 233f9231e202c1d6167d57e2d638d8ac67c711a1 # Parent f9814afe56f3f7093dcee06571726f0fd6dc0813 8030050: Validate fields on DnD class deserialization Reviewed-by: anthony, serb diff -r f9814afe56f3 -r 233f9231e202 jdk/src/share/classes/java/awt/dnd/DragGestureEvent.java --- a/jdk/src/share/classes/java/awt/dnd/DragGestureEvent.java Mon Jan 20 20:11:09 2014 +0400 +++ b/jdk/src/share/classes/java/awt/dnd/DragGestureEvent.java Wed Jan 22 12:35:43 2014 +0400 @@ -36,6 +36,7 @@ import java.awt.datatransfer.Transferable; +import java.io.InvalidObjectException; import java.util.EventObject; import java.util.Collections; @@ -329,22 +330,50 @@ { ObjectInputStream.GetField f = s.readFields(); - dragSource = (DragSource)f.get("dragSource", null); - component = (Component)f.get("component", null); - origin = (Point)f.get("origin", null); - action = f.get("action", 0); + DragSource newDragSource = (DragSource)f.get("dragSource", null); + if (newDragSource == null) { + throw new InvalidObjectException("null DragSource"); + } + dragSource = newDragSource; + + Component newComponent = (Component)f.get("component", null); + if (newComponent == null) { + throw new InvalidObjectException("null component"); + } + component = newComponent; + + Point newOrigin = (Point)f.get("origin", null); + if (newOrigin == null) { + throw new InvalidObjectException("null origin"); + } + origin = newOrigin; + + int newAction = f.get("action", 0); + if (newAction != DnDConstants.ACTION_COPY && + newAction != DnDConstants.ACTION_MOVE && + newAction != DnDConstants.ACTION_LINK) { + throw new InvalidObjectException("bad action"); + } + action = newAction; + // Pre-1.4 support. 'events' was previously non-transient + List newEvents; try { - events = (List)f.get("events", null); + newEvents = (List)f.get("events", null); } catch (IllegalArgumentException e) { // 1.4-compatible byte stream. 'events' was written explicitly - events = (List)s.readObject(); + newEvents = (List)s.readObject(); } // Implementation assumes 'events' is never null. - if (events == null) { - events = Collections.EMPTY_LIST; + if (newEvents != null && newEvents.isEmpty()) { + // Constructor treats empty events list as invalid value + // Throw exception if serialized list is empty + throw new InvalidObjectException("empty list of events"); + } else if (newEvents == null) { + newEvents = Collections.emptyList(); } + events = newEvents; } /* diff -r f9814afe56f3 -r 233f9231e202 jdk/src/share/classes/java/awt/dnd/DragGestureRecognizer.java --- a/jdk/src/share/classes/java/awt/dnd/DragGestureRecognizer.java Mon Jan 20 20:11:09 2014 +0400 +++ b/jdk/src/share/classes/java/awt/dnd/DragGestureRecognizer.java Wed Jan 22 12:35:43 2014 +0400 @@ -29,6 +29,8 @@ import java.awt.Component; import java.awt.Point; +import java.io.InvalidObjectException; +import java.util.Collections; import java.util.TooManyListenersException; import java.util.ArrayList; @@ -411,10 +413,21 @@ * * @since 1.4 */ + @SuppressWarnings("unchecked") private void readObject(ObjectInputStream s) throws ClassNotFoundException, IOException { - s.defaultReadObject(); + ObjectInputStream.GetField f = s.readFields(); + + DragSource newDragSource = (DragSource)f.get("dragSource", null); + if (newDragSource == null) { + throw new InvalidObjectException("null DragSource"); + } + dragSource = newDragSource; + + component = (Component)f.get("component", null); + sourceActions = f.get("sourceActions", 0) & (DnDConstants.ACTION_COPY_OR_MOVE | DnDConstants.ACTION_LINK); + events = (ArrayList)f.get("events", new ArrayList<>(1)); dragGestureListener = (DragGestureListener)s.readObject(); } diff -r f9814afe56f3 -r 233f9231e202 jdk/src/share/classes/java/awt/dnd/DragSourceContext.java --- a/jdk/src/share/classes/java/awt/dnd/DragSourceContext.java Mon Jan 20 20:11:09 2014 +0400 +++ b/jdk/src/share/classes/java/awt/dnd/DragSourceContext.java Wed Jan 22 12:35:43 2014 +0400 @@ -37,6 +37,7 @@ import java.awt.dnd.peer.DragSourceContextPeer; import java.io.IOException; +import java.io.InvalidObjectException; import java.io.ObjectOutputStream; import java.io.ObjectInputStream; import java.io.Serializable; @@ -562,7 +563,36 @@ private void readObject(ObjectInputStream s) throws ClassNotFoundException, IOException { - s.defaultReadObject(); + ObjectInputStream.GetField f = s.readFields(); + + DragGestureEvent newTrigger = (DragGestureEvent)f.get("trigger", null); + if (newTrigger == null) { + throw new InvalidObjectException("Null trigger"); + } + if (newTrigger.getDragSource() == null) { + throw new InvalidObjectException("Null DragSource"); + } + if (newTrigger.getComponent() == null) { + throw new InvalidObjectException("Null trigger component"); + } + + int DGRActions = newTrigger.getSourceAsDragGestureRecognizer().getSourceActions() + & (DnDConstants.ACTION_COPY_OR_MOVE | DnDConstants.ACTION_LINK); + if (DGRActions == DnDConstants.ACTION_NONE) { + throw new InvalidObjectException("Invalid source actions"); + } + int triggerActions = newTrigger.getDragAction(); + if (triggerActions != DnDConstants.ACTION_COPY && + triggerActions != DnDConstants.ACTION_MOVE && + triggerActions != DnDConstants.ACTION_LINK) { + throw new InvalidObjectException("No drag action"); + } + trigger = newTrigger; + + cursor = (Cursor)f.get("cursor", null); + useCustomCursor = f.get("useCustomCursor", false); + sourceActions = f.get("sourceActions", 0) + & (DnDConstants.ACTION_COPY_OR_MOVE | DnDConstants.ACTION_LINK); transferable = (Transferable)s.readObject(); listener = (DragSourceListener)s.readObject(); @@ -630,5 +660,5 @@ * * @serial */ - private final int sourceActions; + private int sourceActions; } diff -r f9814afe56f3 -r 233f9231e202 jdk/test/java/awt/dnd/BadSerializaionTest/BadSerializationTest.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/test/java/awt/dnd/BadSerializaionTest/BadSerializationTest.java Wed Jan 22 12:35:43 2014 +0400 @@ -0,0 +1,75 @@ +/* + * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test + * @bug 8030050 + * @summary Validate fields on DnD class deserialization + * @author petr.pchelko@oracle.com + */ + +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; +import java.util.stream.Stream; + +public class BadSerializationTest { + + private static final String[] badSerialized = new String[] { + "badAction", + "noEvents", + "nullComponent", + "nullDragSource", + "nullOrigin" + }; + + private static final String goodSerialized = "good"; + + public static void main(String[] args) throws Exception { + String testSrc = System.getProperty("test.src") + File.separator; + testReadObject(testSrc + goodSerialized, false); + Stream.of(badSerialized).forEach(file -> testReadObject(testSrc + file, true)); + } + + private static void testReadObject(String filename, boolean expectException) { + Exception exceptionCaught = null; + try (FileInputStream fileInputStream = new FileInputStream(filename); + ObjectInputStream ois = new ObjectInputStream(fileInputStream)) { + ois.readObject(); + } catch (InvalidObjectException e) { + exceptionCaught = e; + } catch (IOException e) { + throw new RuntimeException("FAILED: IOException", e); + } catch (ClassNotFoundException e) { + throw new RuntimeException("FAILED: ClassNotFoundException", e); + } + if (exceptionCaught != null && !expectException) { + throw new RuntimeException("FAILED: UnexpectedException", exceptionCaught); + } + if (exceptionCaught == null && expectException) { + throw new RuntimeException("FAILED: Invalid object was created with no exception"); + } + } +} diff -r f9814afe56f3 -r 233f9231e202 jdk/test/java/awt/dnd/BadSerializaionTest/badAction Binary file jdk/test/java/awt/dnd/BadSerializaionTest/badAction has changed diff -r f9814afe56f3 -r 233f9231e202 jdk/test/java/awt/dnd/BadSerializaionTest/good Binary file jdk/test/java/awt/dnd/BadSerializaionTest/good has changed diff -r f9814afe56f3 -r 233f9231e202 jdk/test/java/awt/dnd/BadSerializaionTest/noEvents Binary file jdk/test/java/awt/dnd/BadSerializaionTest/noEvents has changed diff -r f9814afe56f3 -r 233f9231e202 jdk/test/java/awt/dnd/BadSerializaionTest/nullComponent Binary file jdk/test/java/awt/dnd/BadSerializaionTest/nullComponent has changed diff -r f9814afe56f3 -r 233f9231e202 jdk/test/java/awt/dnd/BadSerializaionTest/nullDragSource Binary file jdk/test/java/awt/dnd/BadSerializaionTest/nullDragSource has changed diff -r f9814afe56f3 -r 233f9231e202 jdk/test/java/awt/dnd/BadSerializaionTest/nullOrigin Binary file jdk/test/java/awt/dnd/BadSerializaionTest/nullOrigin has changed