On 10/10/2017 10:50, Kazunori Ogata wrote:
Hi Alan,

Thank you for your comment.

I agree that the current code is not thread safe, but I think OIS itself
is not thread safe either.  The issue you pointed out occurs when two
threads call readObject()/readUnshared() simultaneously, and the result
of such a situation is undefined in any way in my understanding.  Do we need
to ensure the same behavior for such an error case?

OIS is very interesting to attackers so you will need to take deliberate abuses of the API into account. I realize it's a pain but it's one of the reasons why we have to be cautious about optimizations in this area.

-Alan
