Arbitrary data written by a writeObject() method may break parsing when the class description flags are SC_WRITE_METHOD | SC_SERIALIZABLE. The parser treats the objectAnnotation data as if it is also in the Java serialization format, but this may not be the case. A TC_ENDBLOCKDATA is expected to terminate the additional data when the SC_WRITE_METHOD flag is set.
The offending line of code is this, which attempts to read an object (e.g. TC_CLASSDESC, TC_OBJECT, etc) from the objectAnnotation record (SerializationDumper/src/nb/deser/SerializationDumper.java, line 906 in 6d161cd):

```java
this.readContentElement();
```
Check if there are cases where the objectAnnotation field is in the Java serialization format (e.g. begins with TC_CLASSDESC or similar) - for example if SC_EXTERNALIZABLE or SC_BLOCKDATA flags are set. Update the code to handle this data accordingly.
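As an added illustration (not SerializationDumper's code), the parser below handles the objectAnnotation region defensively. In the Java Object Serialization Stream Protocol grammar, that region is a sequence of content elements, each either a blockdata record (TC_BLOCKDATA with a one-byte length, or TC_BLOCKDATALONG with a four-byte length) or an object, terminated by TC_ENDBLOCKDATA; primitives written by a writeObject() method are wrapped in blockdata records by ObjectOutputStream. The example dispatches on the type code byte, consumes blockdata payloads as opaque bytes, parses TC_STRING/TC_NULL as simple nested objects, and reports a clear error (rather than misinterpreting bytes) when the data is truncated, when it begins with a byte that is not a type code, or when it uses a nested object form the example does not implement. The sample bytes, the `UNFRAMED_ANNOTATION` input and the helper names are constructed assumptions.

```python
"""Defensive parsing of a Java serialization objectAnnotation region.
Constructed example; not part of SerializationDumper."""
import struct

# Type codes from the Java Object Serialization Stream Protocol.
TC_NULL = 0x70
TC_REFERENCE = 0x71
TC_CLASSDESC = 0x72
TC_OBJECT = 0x73
TC_STRING = 0x74
TC_ARRAY = 0x75
TC_CLASS = 0x76
TC_BLOCKDATA = 0x77
TC_ENDBLOCKDATA = 0x78
TC_RESET = 0x79
TC_BLOCKDATALONG = 0x7A
TC_LONGSTRING = 0x7C

_TC_NAMES = {
    TC_NULL: "TC_NULL", TC_REFERENCE: "TC_REFERENCE", TC_CLASSDESC: "TC_CLASSDESC",
    TC_OBJECT: "TC_OBJECT", TC_STRING: "TC_STRING", TC_ARRAY: "TC_ARRAY",
    TC_CLASS: "TC_CLASS", TC_BLOCKDATA: "TC_BLOCKDATA", TC_ENDBLOCKDATA: "TC_ENDBLOCKDATA",
    TC_RESET: "TC_RESET", TC_BLOCKDATALONG: "TC_BLOCKDATALONG", TC_LONGSTRING: "TC_LONGSTRING",
}


class AnnotationParseError(ValueError):
    """Raised when the annotation is truncated or holds bytes that are not valid here."""


def _take(buf, pos, n):
    """Return buf[pos:pos+n] and the new offset, refusing to read past the end."""
    if pos + n > len(buf):
        raise AnnotationParseError(f"need {n} bytes at offset {pos}, only {len(buf) - pos} left")
    return buf[pos:pos + n], pos + n


def _read_string(buf, pos, long_form):
    # TC_STRING carries a u2 length, TC_LONGSTRING a u8 length, then modified UTF-8.
    # Plain UTF-8 decoding is adequate for ASCII sample data (modified UTF-8 differs
    # only for NUL and supplementary characters).
    raw, pos = _take(buf, pos, 8 if long_form else 2)
    data, pos = _take(buf, pos, int.from_bytes(raw, "big"))
    return data.decode("utf-8"), pos


def parse_object_annotation(buf, pos=0):
    """Parse one objectAnnotation region starting at buf[pos].

    Returns (elements, end_offset). Elements are ('blockdata', bytes),
    ('string', str) or ('null', None). The region must end with TC_ENDBLOCKDATA.
    """
    elements = []
    while True:
        raw, pos = _take(buf, pos, 1)
        tc = raw[0]
        if tc == TC_ENDBLOCKDATA:
            return elements, pos
        if tc == TC_BLOCKDATA:                      # u1 length + raw bytes
            raw, pos = _take(buf, pos, 1)
            data, pos = _take(buf, pos, raw[0])
            elements.append(("blockdata", bytes(data)))
        elif tc == TC_BLOCKDATALONG:                # u4 length + raw bytes
            raw, pos = _take(buf, pos, 4)
            data, pos = _take(buf, pos, struct.unpack(">I", raw)[0])
            elements.append(("blockdata", bytes(data)))
        elif tc in (TC_STRING, TC_LONGSTRING):      # a simple nested object
            text, pos = _read_string(buf, pos, tc == TC_LONGSTRING)
            elements.append(("string", text))
        elif tc == TC_NULL:
            elements.append(("null", None))
        elif tc in _TC_NAMES:
            # Valid type code, but a nested object form this example does not parse.
            raise AnnotationParseError(
                f"{_TC_NAMES[tc]} at offset {pos - 1}: nested object parsing not implemented here")
        else:
            # Not a type code at all: do not guess, report it.
            raise AnnotationParseError(
                f"byte 0x{tc:02x} at offset {pos - 1} is not a content type code")


# Constructed annotation bytes, as ObjectOutputStream emits for a writeObject() that
# does out.writeInt(42); out.writeObject("hi"); out.writeObject(null);
SAMPLE_ANNOTATION = bytes([
    TC_BLOCKDATA, 0x04, 0x00, 0x00, 0x00, 0x2A,   # primitive data wrapped as blockdata
    TC_STRING, 0x00, 0x02, 0x68, 0x69,            # nested object: the string "hi"
    TC_NULL,
    TC_ENDBLOCKDATA,
])

# Constructed: bytes with no blockdata framing, which a naive object read would misparse.
UNFRAMED_ANNOTATION = bytes([0xDE, 0xAD, 0xBE, 0xEF, TC_ENDBLOCKDATA])


def summarize(buf):
    """Return human-readable element descriptions, or a single error line."""
    try:
        elements, end = parse_object_annotation(buf)
    except AnnotationParseError as exc:
        return ["error: " + str(exc)]
    return [f"{kind}={value!r}" for kind, value in elements] + [f"end at offset {end}"]


if __name__ == "__main__":
    for line in summarize(SAMPLE_ANNOTATION) + summarize(UNFRAMED_ANNOTATION):
        print(line)
```

The point of the dispatch is that the parser never assumes the annotation is an object: blockdata records are consumed by their declared length, and anything that is not a recognised type code stops parsing with an offset in the error message, which is the behaviour a dumper wants when handling a stream it did not produce.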