src/share/classes/java/io/ObjectInputStream.java
rev 668 : 8001322: Refactor deserialization
Reviewed-by: mchung, skoivu, smarks, omajid
*** 39,48 ****
--- 39,49 ----
import java.util.HashMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicBoolean;
import static java.io.ObjectStreamClass.processQueue;
+ import sun.reflect.misc.ReflectUtil;
/**
* An ObjectInputStream deserializes primitive data and objects previously
* written using an ObjectOutputStream.
*
*** 1516,1525 ****
--- 1517,1532 ----
throw new StreamCorruptedException(
String.format("invalid type code: %02X", tc));
}
}
+ private boolean isCustomSubclass() {
+ // Return true if this class is a custom subclass of ObjectInputStream
+ return getClass().getClassLoader()
+ != ObjectInputStream.class.getClassLoader();
+ }
+
/**
* Reads in and returns class descriptor for a dynamic proxy class. Sets
* passHandle to proxy class descriptor's assigned handle. If proxy class
* descriptor cannot be resolved to a class in the local VM, a
* ClassNotFoundException is associated with the descriptor's handle.
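Review bot: `isCustomSubclass()` is the trust decision that gates the package-access check added in the non-proxy descriptor hunk, yet its only documentation is a one-line comment inside the body that restates the method name. The test is class-loader identity, so a subclass defined by the same loader as `ObjectInputStream` is treated as trusted and skips the check; that should be stated where the method is declared. I would replace the inline comment with a Javadoc block saying that "custom" means the runtime class was defined by a different class loader than `ObjectInputStream` itself. The Javadoc should also say that callers use the result to decide whether a class returned by the overridable `resolveClass` hook needs a package-access check.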
*** 1545,1554 ****
--- 1552,1570 ----
ClassNotFoundException resolveEx = null;
bin.setBlockDataMode(true);
try {
if ((cl = resolveProxyClass(ifaces)) == null) {
resolveEx = new ClassNotFoundException("null class");
+ } else if (!Proxy.isProxyClass(cl)) {
+ throw new InvalidClassException("Not a proxy");
+ } else {
+ // ReflectUtil.checkProxyPackageAccess makes a test
+ // equivalent to isCustomSubclass so there's no need
+ // to condition this call to isCustomSubclass == true here.
+ ReflectUtil.checkProxyPackageAccess(
+ getClass().getClassLoader(),
+ cl.getInterfaces());
}
} catch (ClassNotFoundException ex) {
resolveEx = ex;
}
skipCustomData();
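Review bot: The new `InvalidClassException("Not a proxy")` in the `else if (!Proxy.isProxyClass(cl))` branch drops the name of the class that `resolveProxyClass` returned, so a rejected stream cannot be traced to the offending class from the exception alone. `InvalidClassException` has a two-argument constructor for this: `throw new InvalidClassException(cl.getName(), "Not a proxy");`. The comment on the unconditional `ReflectUtil.checkProxyPackageAccess` call also relies on behaviour of `ReflectUtil` that is not visible in this hunk, so it would help if the comment named the condition that method tests. The enclosing method starts and ends outside the hunk.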
*** 1586,1598 ****
--- 1602,1617 ----
}
Class cl = null;
ClassNotFoundException resolveEx = null;
bin.setBlockDataMode(true);
+ final boolean checksRequired = isCustomSubclass();
try {
if ((cl = resolveClass(readDesc)) == null) {
resolveEx = new ClassNotFoundException("null class");
+ } else if (checksRequired) {
+ ReflectUtil.checkPackageAccess(cl);
}
} catch (ClassNotFoundException ex) {
resolveEx = ex;
}
skipCustomData();
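Review bot: The `else if (checksRequired)` branch has no comment, whereas the corresponding branch in the proxy-descriptor hunk explains its guard, so a reader cannot tell why the check is skipped when `isCustomSubclass()` is false. I would add above `ReflectUtil.checkPackageAccess(cl);` a comment such as `// resolveClass may be overridden by a subclass from another loader; verify the class it returned is in an accessible package`. The same comment could note that a failure from the check is not caught by the `catch (ClassNotFoundException ex)` below and, presumably by design, propagates instead of being recorded in `resolveEx`. The method body starts and ends outside the hunk.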