Avoid presizing arrays.

cpovirk · cpovirk · commit 7ec8718f1e6e · 2018-04-25T22:15:42.000-04:00
RELNOTES=Fixed Denial of Service vulnerability for servers that use Guava and deserialize attacker data: [CVE-2018-10237](https://github.com/google/guava/wiki/CVE-2018-10237). ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=194113840
diff --git a/android/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java b/android/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java
@@ -17,6 +17,7 @@
 import static java.lang.Double.longBitsToDouble;
 
 import com.google.common.annotations.GwtIncompatible;
+import com.google.common.primitives.ImmutableLongArray;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import java.util.concurrent.atomic.AtomicLongArray;
 
@@ -247,13 +248,11 @@ private void readObject(java.io.ObjectInputStream s)
       throws java.io.IOException, ClassNotFoundException {
     s.defaultReadObject();
 
-    // Read in array length and allocate array
     int length = s.readInt();
-    this.longs = new AtomicLongArray(length);
-
-    // Read in all elements in the proper order.
+    ImmutableLongArray.Builder builder = ImmutableLongArray.builder();
     for (int i = 0; i < length; i++) {
-      set(i, s.readDouble());
+      builder.add(doubleToRawLongBits(s.readDouble()));
     }
+    this.longs = new AtomicLongArray(builder.build().toArray());
   }
 }
diff --git a/guava-gwt/src/com/google/common/collect/CompoundOrdering_CustomFieldSerializer.java b/guava-gwt/src/com/google/common/collect/CompoundOrdering_CustomFieldSerializer.java
@@ -36,7 +36,7 @@ public static void deserialize(SerializationStreamReader reader, CompoundOrderin
   public static CompoundOrdering<Object> instantiate(SerializationStreamReader reader)
       throws SerializationException {
     int n = reader.readInt();
-    List<Comparator<Object>> comparators = new ArrayList<>(n);
+    List<Comparator<Object>> comparators = new ArrayList<>();
     for (int i = 0; i < n; i++) {
       comparators.add((Comparator<Object>) reader.readObject());
     }
diff --git a/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java b/guava/src/com/google/common/util/concurrent/AtomicDoubleArray.java
@@ -17,6 +17,7 @@
 import static java.lang.Double.longBitsToDouble;
 
 import com.google.common.annotations.GwtIncompatible;
+import com.google.common.primitives.ImmutableLongArray;
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import java.util.concurrent.atomic.AtomicLongArray;
 
@@ -247,13 +248,11 @@ private void readObject(java.io.ObjectInputStream s)
       throws java.io.IOException, ClassNotFoundException {
     s.defaultReadObject();
 
-    // Read in array length and allocate array
     int length = s.readInt();
-    this.longs = new AtomicLongArray(length);
-
-    // Read in all elements in the proper order.
+    ImmutableLongArray.Builder builder = ImmutableLongArray.builder();
     for (int i = 0; i < length; i++) {
-      set(i, s.readDouble());
+      builder.add(doubleToRawLongBits(s.readDouble()));
     }
+    this.longs = new AtomicLongArray(builder.build().toArray());
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ public static void deserialize(SerializationStreamReader reader, CompoundOrderin`
`36`	`36`	`public static CompoundOrdering<Object> instantiate(SerializationStreamReader reader)`
`37`	`37`	`throws SerializationException {`
`38`	`38`	`int n = reader.readInt();`
`39`		`- List<Comparator<Object>> comparators = new ArrayList<>(n);`
	`39`	`+ List<Comparator<Object>> comparators = new ArrayList<>();`
`40`	`40`	`for (int i = 0; i < n; i++) {`
`41`	`41`	`comparators.add((Comparator<Object>) reader.readObject());`
`42`	`42`	`}`