This is an automated email from the ASF dual-hosted git repository.
rainyu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo-spi-extensions.git
The following commit(s) were added to refs/heads/master by this push:
new 705910bd check the available length. (#669)
705910bd is described below
commit 705910bd9bdd9e8f42c436c2a5d1927d5f7a2876
Author: Rain Yu <[email protected]>
AuthorDate: Wed Nov 19 21:13:17 2025 +0800
check the available length. (#669)
---
.../protostuff/ProtostuffObjectInput.java | 2 +-
.../protostuff/ProtostuffSerializationTest.java | 42 ++++++++++++++++++++++
2 files changed, 43 insertions(+), 1 deletion(-)
diff --git
a/dubbo-serialization-extensions/dubbo-serialization-protostuff/src/main/java/org/apache/dubbo/common/serialize/protostuff/ProtostuffObjectInput.java
b/dubbo-serialization-extensions/dubbo-serialization-protostuff/src/main/java/org/apache/dubbo/common/serialize/protostuff/ProtostuffObjectInput.java
index b5ab36f4..79f4c39b 100644
---
a/dubbo-serialization-extensions/dubbo-serialization-protostuff/src/main/java/org/apache/dubbo/common/serialize/protostuff/ProtostuffObjectInput.java
+++
b/dubbo-serialization-extensions/dubbo-serialization-protostuff/src/main/java/org/apache/dubbo/common/serialize/protostuff/ProtostuffObjectInput.java
@@ -46,7 +46,7 @@ public class ProtostuffObjectInput implements ObjectInput {
int classNameLength = dis.readInt();
int bytesLength = dis.readInt();
- if (classNameLength < 0 || bytesLength < 0) {
+ if (classNameLength < 0 || bytesLength < 0 || classNameLength >
dis.available() || bytesLength > dis.available()) {
throw new IOException();
}
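Review bot: The added bound compares each length with `dis.available()` on its own, so the two fields together can still declare up to twice the bytes that are actually present. `available()` is also only an estimate of what can be read without blocking, so on a stream that is not fully buffered it may under-report and reject a valid payload. Consider reading it once and checking the sum in long arithmetic, `int remaining = dis.available();` followed by `if (classNameLength < 0 || bytesLength < 0 || (long) classNameLength + bytesLength > remaining) {`, with a comment stating that the check assumes the underlying stream exposes the whole frame. The bare `throw new IOException()` would be easier to triage with a message that names the declared and available lengths. The enclosing method starts and ends outside this hunk, so the reads these lengths drive are not visible here.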
diff --git
a/dubbo-serialization-extensions/dubbo-serialization-protostuff/src/test/java/org/apache/dubbo/common/serialize/protostuff/ProtostuffSerializationTest.java
b/dubbo-serialization-extensions/dubbo-serialization-protostuff/src/test/java/org/apache/dubbo/common/serialize/protostuff/ProtostuffSerializationTest.java
index 07021f98..9909eb09 100644
---
a/dubbo-serialization-extensions/dubbo-serialization-protostuff/src/test/java/org/apache/dubbo/common/serialize/protostuff/ProtostuffSerializationTest.java
+++
b/dubbo-serialization-extensions/dubbo-serialization-protostuff/src/test/java/org/apache/dubbo/common/serialize/protostuff/ProtostuffSerializationTest.java
@@ -18,10 +18,52 @@
package org.apache.dubbo.common.serialize.protostuff;
import org.apache.dubbo.common.serialize.base.AbstractSerializationTest;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.Arrays;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
public class ProtostuffSerializationTest extends AbstractSerializationTest {
{
serialization = new ProtostuffSerialization();
}
+ @Test
+ public void testReadFakeObject() throws IOException,
ClassNotFoundException {
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ ProtostuffObjectOutput output = new ProtostuffObjectOutput(bos);
+ int fakeLength = 1024*1000*2000;
+ output.writeInt(fakeLength);
+ output.writeInt(fakeLength);
+ output.flushBuffer();
+ ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
+ ProtostuffObjectInput inputProtostuff = new ProtostuffObjectInput(bis);
+ try {
+ inputProtostuff.readObject();
+ } catch (Exception e) {
+ assertTrue(e instanceof IOException);
+ return;
+ }
+ Assertions.fail("notHere");
+ }
+
+ @Test
+ public void testReadRealObjectOut() throws IOException,
ClassNotFoundException {
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ ProtostuffObjectOutput output = new ProtostuffObjectOutput(bos);
+ int objLength = 1000*2000;
+ byte[] arr = new byte[objLength];
+ output.writeObject(arr);
+ output.flushBuffer();
+ ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
+ ProtostuffObjectInput inputProtostuff = new ProtostuffObjectInput(bis);
+ Object o = inputProtostuff.readObject();
+ Assertions.assertEquals(Arrays.hashCode(arr), Arrays.hashCode((byte
[]) o));
+
+ }
}
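Review bot: `testReadFakeObject` only pins the case where both length fields are far larger than the stream, so it leaves the boundaries of the new guard untested. Missing cases are a single oversized field, a negative length, and two lengths that each fit but together exceed the remaining bytes. The try/catch with `Assertions.fail("notHere")` can be replaced by `Assertions.assertThrows(IOException.class, () -> inputProtostuff.readObject());`, which also reports the actual exception type on failure. In `testReadRealObjectOut`, comparing `Arrays.hashCode` of an all-zero array is a weak round-trip check; `Assertions.assertArrayEquals(arr, (byte[]) o);` compares the contents directly.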