8331446: Improve deserialization support

Alexei Voitylov · RealCLanger · commit 5010e3f09b1c · 2024-10-05T14:36:42.000+02:00
Reviewed-by: yan, mbalao, andrew
Backport-of: 8e4a392832f83e16d521024505b52c96d0a993f2
diff --git a/src/java.base/share/classes/java/text/MessageFormat.java b/src/java.base/share/classes/java/text/MessageFormat.java
@@ -41,6 +41,7 @@
 import java.io.InvalidObjectException;
 import java.io.IOException;
 import java.io.ObjectInputStream;
+import java.io.ObjectStreamException;
 import java.text.DecimalFormat;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -983,6 +984,8 @@ public Object[] parse(String source, ParsePosition pos) {
                 maximumArgumentNumber = argumentNumbers[i];
             }
         }
+
+        // Constructors/applyPattern ensure that resultArray.length < MAX_ARGUMENT_INDEX
         Object[] resultArray = new Object[maximumArgumentNumber + 1];
 
         int patternOffset = 0;
@@ -1235,6 +1238,9 @@ protected Object readResolve() throws InvalidObjectException {
      * @serial
      */
     private int[] argumentNumbers = new int[INITIAL_FORMATS];
+    // Implementation limit for ArgumentIndex pattern element. Valid indices must
+    // be less than this value
+    private static final int MAX_ARGUMENT_INDEX = 10000;
 
     /**
      * One less than the number of entries in {@code offsets}.  Can also be thought of
@@ -1459,6 +1465,11 @@ private void makeFormat(int position, int offsetNumber,
                                                + argumentNumber);
         }
 
+        if (argumentNumber >= MAX_ARGUMENT_INDEX) {
+            throw new IllegalArgumentException(
+                    argumentNumber + " exceeds the ArgumentIndex implementation limit");
+        }
+
         // resize format information arrays if necessary
         if (offsetNumber >= formats.length) {
             int newLength = formats.length * 2;
@@ -1606,24 +1617,53 @@ private static final void copyAndFixQuotes(String source, int start, int end,
      */
     @java.io.Serial
     private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
-        in.defaultReadObject();
-        boolean isValid = maxOffset >= -1
-                && formats.length > maxOffset
-                && offsets.length > maxOffset
-                && argumentNumbers.length > maxOffset;
+        ObjectInputStream.GetField fields = in.readFields();
+        if (fields.defaulted("argumentNumbers") || fields.defaulted("offsets")
+                || fields.defaulted("formats") || fields.defaulted("locale")
+                || fields.defaulted("pattern") || fields.defaulted("maxOffset")){
+            throw new InvalidObjectException("Stream has missing data");
+        }
+
+        locale = (Locale) fields.get("locale", null);
+        String patt = (String) fields.get("pattern", null);
+        int maxOff = fields.get("maxOffset", -2);
+        int[] argNums = ((int[]) fields.get("argumentNumbers", null)).clone();
+        int[] offs = ((int[]) fields.get("offsets", null)).clone();
+        Format[] fmts = ((Format[]) fields.get("formats", null)).clone();
+
+        // Check arrays/maxOffset have correct value/length
+        boolean isValid = maxOff >= -1 && argNums.length > maxOff
+                && offs.length > maxOff && fmts.length > maxOff;
+
+        // Check the correctness of arguments and offsets
         if (isValid) {
-            int lastOffset = pattern.length() + 1;
-            for (int i = maxOffset; i >= 0; --i) {
-                if ((offsets[i] < 0) || (offsets[i] > lastOffset)) {
+            int lastOffset = patt.length() + 1;
+            for (int i = maxOff; i >= 0; --i) {
+                if (argNums[i] < 0 || argNums[i] >= MAX_ARGUMENT_INDEX
+                        || offs[i] < 0 || offs[i] > lastOffset) {
                     isValid = false;
                     break;
                 } else {
-                    lastOffset = offsets[i];
+                    lastOffset = offs[i];
                 }
             }
         }
+
         if (!isValid) {
-            throw new InvalidObjectException("Could not reconstruct MessageFormat from corrupt stream.");
+            throw new InvalidObjectException("Stream has invalid data");
         }
+        maxOffset = maxOff;
+        pattern = patt;
+        offsets = offs;
+        formats = fmts;
+        argumentNumbers = argNums;
+    }
+
+    /**
+     * Serialization without data not supported for this class.
+     */
+    @java.io.Serial
+    private void readObjectNoData() throws ObjectStreamException {
+        throw new InvalidObjectException("Deserialized MessageFormat objects need data");
     }
 }
diff --git a/test/jdk/java/text/Format/MessageFormat/MaxArgumentIndexTest.java b/test/jdk/java/text/Format/MessageFormat/MaxArgumentIndexTest.java
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8331446
+ * @summary Enforce the MAX_ARGUMENT_INDEX(10,000) implementation limit for the
+ *          ArgumentIndex element in the MessageFormat pattern syntax. This
+ *          should be checked during construction/applyPattern/readObject and should effectively
+ *          prevent parse/format from being invoked with values over the limit.
+ * @run junit MaxArgumentIndexTest
+ */
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+
+import java.text.MessageFormat;
+import java.util.Locale;
+import java.util.stream.Stream;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+public class MaxArgumentIndexTest {
+
+    // A MessageFormat pattern that contains an ArgumentIndex value
+    // which violates this implementation's limit: MAX_ARGUMENT_INDEX(10,000)
+    // As this check is exclusive, 10,000 will violate the limit
+    private static final String VIOLATES_MAX_ARGUMENT_INDEX = "{10000}";
+
+    // Check String constructor enforces the limit
+    @Test
+    public void constructorTest() {
+        assertThrows(IllegalArgumentException.class,
+                () -> new MessageFormat(VIOLATES_MAX_ARGUMENT_INDEX));
+    }
+
+    // Check String, Locale constructor enforces the limit
+    @ParameterizedTest
+    @MethodSource
+    public void constructorWithLocaleTest(Locale locale) {
+        assertThrows(IllegalArgumentException.class,
+                () -> new MessageFormat(VIOLATES_MAX_ARGUMENT_INDEX, locale));
+    }
+
+    // Provide some basic common locale values
+    private static Stream<Locale> constructorWithLocaleTest() {
+        return Stream.of(null, Locale.US, Locale.ROOT);
+    }
+
+    // Edge case: Test a locale dependent subformat (with null locale) with a
+    // violating ArgumentIndex. In this instance, the violating ArgumentIndex
+    // will be caught and IAE thrown instead of the NPE
+    @Test
+    public void localeDependentSubFormatTest() {
+        assertThrows(IllegalArgumentException.class,
+                () -> new MessageFormat("{10000,number,short}", null));
+        // For reference
+        assertThrows(NullPointerException.class,
+                () -> new MessageFormat("{999,number,short}", null));
+    }
+
+    // Check that the static format method enforces the limit
+    @Test
+    public void staticFormatTest() {
+        assertThrows(IllegalArgumentException.class,
+                () -> MessageFormat.format(VIOLATES_MAX_ARGUMENT_INDEX, new Object[]{1}));
+    }
+
+    // Check that applyPattern(String) enforces the limit
+    @Test
+    public void applyPatternTest() {
+        MessageFormat mf = new MessageFormat("");
+        assertThrows(IllegalArgumentException.class,
+                () -> mf.applyPattern(VIOLATES_MAX_ARGUMENT_INDEX));
+    }
+}
diff --git a/test/jdk/java/text/Format/MessageFormat/SerializationTest.java b/test/jdk/java/text/Format/MessageFormat/SerializationTest.java
@@ -0,0 +1,96 @@
+/*
+ * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8331446
+ * @summary Check correctness of deserialization
+ * @run junit SerializationTest
+ */
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.text.MessageFormat;
+import java.util.Locale;
+import java.util.stream.Stream;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+public class SerializationTest {
+
+    // Ensure basic correctness of serialization round trip
+    @ParameterizedTest
+    @MethodSource
+    public void serializationRoundTrip(MessageFormat expectedMf)
+            throws IOException, ClassNotFoundException {
+        byte[] bytes = ser(expectedMf);
+        MessageFormat actualMf = (MessageFormat) deSer(bytes);
+        assertEquals(expectedMf, actualMf);
+    }
+
+    // Various valid MessageFormats
+    private static Stream<MessageFormat> serializationRoundTrip() {
+        return Stream.of(
+                // basic pattern
+                new MessageFormat("{0} foo"),
+                // Multiple arguments
+                new MessageFormat("{0} {1} foo"),
+                // duplicate arguments
+                new MessageFormat("{0} {0} {1} foo"),
+                // Non-ascending arguments
+                new MessageFormat("{1} {0} foo"),
+                // With locale
+                new MessageFormat("{1} {0} foo", Locale.UK),
+                // With null locale. (NPE not thrown, if no format defined)
+                new MessageFormat("{1} {0} foo", null),
+                // With formats
+                new MessageFormat("{0,number,short} {0} {1,date,long} foo")
+        );
+    }
+
+    // Utility method to serialize
+    private static byte[] ser(Object obj) throws IOException {
+        ByteArrayOutputStream byteArrayOutputStream = new
+                ByteArrayOutputStream();
+        ObjectOutputStream oos = new
+                ObjectOutputStream(byteArrayOutputStream);
+        oos.writeObject(obj);
+        return byteArrayOutputStream.toByteArray();
+    }
+
+    // Utility method to deserialize
+    private static Object deSer(byte[] bytes) throws
+            IOException, ClassNotFoundException {
+        ByteArrayInputStream byteArrayInputStream = new
+                ByteArrayInputStream(bytes);
+        ObjectInputStream ois = new
+                ObjectInputStream(byteArrayInputStream);
+        return ois.readObject();
+    }
+}
