From 7fdb2a9d4dac39b003469061d807602e765fc41d Mon Sep 17 00:00:00 2001 From: cpovirk Date: Tue, 24 Apr 2018 11:05:03 -0700 Subject: [PATCH] Avoid presizing arrays. RELNOTES=Fixed Denial of Service vulnerability for servers that use Guava and deserialize attacker data: [CVE-2018-10237](https://github.com/google/guava/wiki/CVE-2018-10237). ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=194113840 --- .../google/common/util/concurrent/AtomicDoubleArray.java | 9 ++++----- .../collect/CompoundOrdering_CustomFieldSerializer.java | 2 +- .../google/common/util/concurrent/AtomicDoubleArray.java | 9 ++++----- 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/android/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java b/android/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java index e066448..a364502 100644 --- a/android/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java +++ b/android/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java @@ -17,6 +17,7 @@ import static java.lang.Double.doubleToRawLongBits; import static java.lang.Double.longBitsToDouble; import com.google.common.annotations.GwtIncompatible; +import com.google.common.primitives.ImmutableLongArray; import com.google.errorprone.annotations.CanIgnoreReturnValue; import java.util.concurrent.atomic.AtomicLongArray; @@ -247,13 +248,11 @@ public class AtomicDoubleArray implements java.io.Serializable { throws java.io.IOException, ClassNotFoundException { s.defaultReadObject(); - // Read in array length and allocate array int length = s.readInt(); - this.longs = new AtomicLongArray(length); - - // Read in all elements in the proper order. + ImmutableLongArray.Builder builder = ImmutableLongArray.builder(); for (int i = 0; i < length; i++) { - set(i, s.readDouble()); + builder.add(doubleToRawLongBits(s.readDouble())); } + this.longs = new AtomicLongArray(builder.build().toArray()); } } diff --git a/guava-gwt/src/com/google/common/collect/CompoundOrdering_CustomFieldSerializer.java b/guava-gwt/src/com/google/common/collect/CompoundOrdering_CustomFieldSerializer.java index 33b60f2..527c265 100644 --- a/guava-gwt/src/com/google/common/collect/CompoundOrdering_CustomFieldSerializer.java +++ b/guava-gwt/src/com/google/common/collect/CompoundOrdering_CustomFieldSerializer.java @@ -36,7 +36,7 @@ public class CompoundOrdering_CustomFieldSerializer { public static CompoundOrdering instantiate(SerializationStreamReader reader) throws SerializationException { int n = reader.readInt(); - List> comparators = new ArrayList<>(n); + List> comparators = new ArrayList<>(); for (int i = 0; i < n; i++) { comparators.add((Comparator) reader.readObject()); } diff --git a/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java b/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java index e066448..a364502 100644 --- a/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java +++ b/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java @@ -17,6 +17,7 @@ import static java.lang.Double.doubleToRawLongBits; import static java.lang.Double.longBitsToDouble; import com.google.common.annotations.GwtIncompatible; +import com.google.common.primitives.ImmutableLongArray; import com.google.errorprone.annotations.CanIgnoreReturnValue; import java.util.concurrent.atomic.AtomicLongArray; @@ -247,13 +248,11 @@ public class AtomicDoubleArray implements java.io.Serializable { throws java.io.IOException, ClassNotFoundException { s.defaultReadObject(); - // Read in array length and allocate array int length = s.readInt(); - this.longs = new AtomicLongArray(length); - - // Read in all elements in the proper order. + ImmutableLongArray.Builder builder = ImmutableLongArray.builder(); for (int i = 0; i < length; i++) { - set(i, s.readDouble()); + builder.add(doubleToRawLongBits(s.readDouble())); } + this.longs = new AtomicLongArray(builder.build().toArray()); } } -- 2.17.0