On Fri, Jan 22, 2016 at 10:03 AM, Stuart Marks <stuart.ma...@oracle.com> wrote:
> On readObject(), ok, you went ahead and rearranged some stuff. You hit a couple of the issues I had spotted, namely the multiple assignment to elementData and the potentially confusing reuse of the name 'elementData'.
>
> The other issue was if size is less than zero. This could only occur with a corrupted or tampered serialized data stream. The old code would "successfully" deserialize a dysfunctional ArrayList instance, whereas the modified code will throw NegativeArraySizeException from readObject().
>
> I don't know if that was intentional, but I prefer the new behavior!
>
> Strictly speaking I think throwing InvalidObjectException would be preferable, but if you want to push what you have, I'm ok with it.
I went "by the book" as you suggested and now throw InvalidObjectException when size < 0.

(But I've been saying for a decade: if we're serious about Serialization, it needs to be someone's full-time job.)

I'll commit tomorrow if I don't hear otherwise.
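As an added illustration, not code from this thread or from OpenJDK's ArrayList, here is a minimal Serializable list whose readObject() applies the "by the book" check discussed above: a negative size read from the stream is rejected with InvalidObjectException rather than surfacing later as NegativeArraySizeException. The class name, its stream layout and the corrupted input are all constructed for the demo.

```java
import java.io.*;
import java.util.Arrays;

public class SizeCheckedList implements Serializable {
    private static final long serialVersionUID = 1L;
    // Both fields are transient, so the stream form is just [int size][size elements].
    private transient Object[] elementData;
    private transient int size;

    public SizeCheckedList(Object... items) {
        elementData = items.clone();
        size = items.length;
    }

    private void writeObject(ObjectOutputStream s) throws IOException {
        s.writeInt(size);
        for (int i = 0; i < size; i++) s.writeObject(elementData[i]);
    }

    private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException {
        int n = s.readInt();
        // A negative size can only come from a corrupted or tampered stream: reject it
        // with InvalidObjectException instead of letting new Object[n] blow up later.
        if (n < 0) throw new InvalidObjectException("Invalid size: " + n);
        Object[] a = new Object[n];
        for (int i = 0; i < n; i++) a[i] = s.readObject();
        elementData = a;
        size = n;
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new SizeCheckedList("a", "b", "c"));
        }
        byte[] bytes = bos.toByteArray();
        // Constructed corruption: writeInt(3) is the first block-data record in the
        // stream (TC_BLOCKDATA 0x77, length 4, then 00 00 00 03); overwrite it with -1.
        byte[] marker = {0x77, 0x04, 0, 0, 0, 3};
        int at = -1;
        for (int i = 0; at < 0 && i <= bytes.length - marker.length; i++)
            if (Arrays.equals(Arrays.copyOfRange(bytes, i, i + marker.length), marker)) at = i;
        if (at < 0) throw new IllegalStateException("size record not found");
        Arrays.fill(bytes, at + 2, at + 6, (byte) 0xFF);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
        } catch (InvalidObjectException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Removing the `n < 0` check reproduces the intermediate behaviour Stuart describes: `new Object[n]` throws NegativeArraySizeException from inside readObject() instead of a checked ObjectStreamException.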