RFR 9: JEP 290: Filter Incoming Serialization Data

Roger Riggs roger.riggs at Oracle.com
Wed Aug 31 14:14:38 UTC 2016

Hi Peter,

Since the filter is passed information about each object created, a stateful filter can tabulate the cumulative size itself if that is a concern.

Also, a stateless filter can be constructed to check a combination of the total number of objects, depth, array sizes, and stream size. Since arrays are initialized with data from the stream, the stream size provides a practical limit.


On 8/29/16 10:07 PM, Peter Firmstone wrote:
> A quick thought on the array size filter:
> The system creates an array with a size read from the stream.
> If Mallory sends a multidimensional array in the stream, then Mallory can consume all jvm memory without exceeding the array size limit or the stream data limit.
> We also need an array combined length limit.
> Thanks,
> Peter.
> Sent from my Samsung device.

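The two approaches Roger describes, a stateful filter that tabulates cumulative array size across the whole stream and a stateless limit filter built from a pattern, as an added example that is not part of the original thread. It assumes the final Java 9 `java.io.ObjectInputFilter` API (`checkInput`, `FilterInfo.arrayLength()`, `ObjectInputFilter.Config.createFilter`, `ObjectInputStream.setObjectInputFilter`), not the draft under review in this RFR; the class names, limits and the constructed `int[50][200]` test payload are the example's own choices. Each sub-array of a multidimensional array is presented to the filter separately, which is what lets the stateful filter catch the case Peter raised even when every individual array is under the per-array limit.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

/** Stateful filter: sums the lengths of every array seen in one stream (example class, not JDK code). */
final class CumulativeArrayFilter implements ObjectInputFilter {
    private final long maxTotalElements;
    private long totalElements; // per-stream state; create a fresh instance for each ObjectInputStream

    CumulativeArrayFilter(long maxTotalElements) {
        this.maxTotalElements = maxTotalElements;
    }

    @Override
    public Status checkInput(FilterInfo info) {
        long len = info.arrayLength(); // -1 when the candidate is not an array
        if (len >= 0) {
            totalElements += len;
            if (totalElements > maxTotalElements) {
                return Status.REJECTED; // cumulative budget exhausted, even if each array is small
            }
        }
        return Status.UNDECIDED; // defer to the other filter / default decision
    }
}

public class FilterDemo {
    /** Combine two filters: a rejection from either wins; otherwise the more decided status is returned. */
    static ObjectInputFilter combine(ObjectInputFilter first, ObjectInputFilter second) {
        return info -> {
            ObjectInputFilter.Status a = first.checkInput(info);
            if (a == ObjectInputFilter.Status.REJECTED) {
                return a;
            }
            ObjectInputFilter.Status b = second.checkInput(info);
            return b == ObjectInputFilter.Status.UNDECIDED ? a : b;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the given filter; a REJECTED status surfaces as InvalidClassException. */
    static Object readWithFilter(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter); // must be set before the first readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: 50 rows of 200 ints. The outer array has length 50 and each row
        // length 200, so every single array is under a per-array limit of 1000 elements,
        // yet the stream allocates 50 + 50*200 = 10050 elements in total.
        int[][] nested = new int[50][200];
        byte[] payload = serialize(nested);

        // Stateless limits as a pattern: per-array size, nesting depth, object count, stream bytes.
        ObjectInputFilter limits = ObjectInputFilter.Config.createFilter(
                "maxarray=1000;maxdepth=20;maxrefs=100000;maxbytes=1000000");

        // 1) Per-array limit alone: accepted, which is the gap Peter points out.
        Object ok = readWithFilter(payload, limits);
        System.out.println("per-array limit only: accepted " + ok.getClass().getSimpleName());

        // 2) Per-array limit plus a cumulative budget of 5000 elements: rejected.
        ObjectInputFilter both = combine(new CumulativeArrayFilter(5000), limits);
        try {
            readWithFilter(payload, both);
            System.out.println("cumulative limit: accepted (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("cumulative limit: rejected -> " + e.getMessage());
        }
    }
}
```

The stateful filter must be instantiated per stream, since its counter is the state; sharing one instance across streams would either leak budget between callers or reject unrelated streams. A stricter variant could weight each length by the element size of `info.serialClass().getComponentType()` to approximate bytes rather than element count, and, as Roger notes, `maxbytes` already bounds the problem in practice because array contents have to come from the stream.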