
src/share/classes/java/security/CodeSource.java

rev 12546 : 8181432: Better processing of unresolved permissions
Reviewed-by: mullan

@@ -32,10 +32,11 @@
 import java.util.List;
 import java.util.Hashtable;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.cert.*;
+import sun.misc.IOUtils;
 
 /**
  *
  * <p>This class extends the concept of a codebase to
  * encapsulate not only the location (URL) but also the certificate chains

@@ -544,10 +545,12 @@
         if (size > 0) {
             // we know of 3 different cert types: X.509, PGP, SDSI, which
             // could all be present in the stream at the same time
             cfs = new Hashtable<String, CertificateFactory>(3);
             certList = new ArrayList<>(size > 20 ? 20 : size);
+        } else if (size < 0) {
+            throw new IOException("size cannot be negative");
         }
 
         for (int i = 0; i < size; i++) {
             // read the certificate type, and instantiate a certificate
             // factory of that type (reuse existing factory if possible)
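Review bot: The new `size < 0` rejection is attached as a trailing `else if` and its message does not report the offending value, which makes a malformed serialized form harder to diagnose. A guard placed ahead of the allocation branch would read more clearly, e.g. `if (size < 0) { throw new IOException("size cannot be negative: " + size); }`. The enclosing method starts and ends outside this hunk, so where `size` is read is not visible; presumably it comes straight from the stream and should be treated as untrusted.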

@@ -565,17 +568,11 @@
                 }
                 // store the certificate factory so we can reuse it later
                 cfs.put(certType, cf);
             }
             // parse the certificate
-            byte[] encoded = null;
-            try {
-                encoded = new byte[ois.readInt()];
-            } catch (OutOfMemoryError oome) {
-                throw new IOException("Certificate too big");
-            }
-            ois.readFully(encoded);
+            byte[] encoded = IOUtils.readNBytes(ois, ois.readInt());
             ByteArrayInputStream bais = new ByteArrayInputStream(encoded);
             try {
                 certList.add(cf.generateCertificate(bais));
             } catch (CertificateException ce) {
                 throw new IOException(ce.getMessage());
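Review bot: The length passed in `IOUtils.readNBytes(ois, ois.readInt())` is still taken unchecked from the stream, so rejecting a negative or oversized value now rests entirely on the helper, which is not visible in this diff. A short comment at the call would record that reliance, e.g. `// length is untrusted: readNBytes must reject negatives and not preallocate the claimed size`. Separately, the context line `throw new IOException(ce.getMessage());` discards the original exception; `throw new IOException(ce.getMessage(), ce);` would keep the cause for whoever triages a failed deserialization. The enclosing loop and method continue outside the hunk.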