src/share/classes/sun/rmi/registry/RegistryImpl.java

*** 101,111 ****
  
      /** Registry max depth of remote invocations. **/
      private static final int REGISTRY_MAX_DEPTH = 20;
  
      /** Registry maximum array size in remote invocations. **/
!     private static final int REGISTRY_MAX_ARRAY_SIZE = 10000;
  
      /**
       * The registryFilter created from the value of the {@code "sun.rmi.registry.registryFilter"}
       * property.
       */
--- 101,111 ----
  
      /** Registry max depth of remote invocations. **/
      private static final int REGISTRY_MAX_DEPTH = 20;
  
      /** Registry maximum array size in remote invocations. **/
!     private static final int REGISTRY_MAX_ARRAY_SIZE = 1_000_000;
  
      /**
       * The registryFilter created from the value of the {@code "sun.rmi.registry.registryFilter"}
       * property.
       */
*** 121,131 ****
          String props = System.getProperty(REGISTRY_FILTER_PROPNAME);
          if (props == null) {
              props = Security.getProperty(REGISTRY_FILTER_PROPNAME);
          }
          if (props != null) {
!             filter = ObjectInputFilter.Config.createFilter(props);
              Log regLog = Log.getLog("sun.rmi.registry", "registry", -1);
              if (regLog.isLoggable(Log.BRIEF)) {
                  regLog.log(Log.BRIEF, "registryFilter = " + filter);
              }
          }
--- 121,131 ----
          String props = System.getProperty(REGISTRY_FILTER_PROPNAME);
          if (props == null) {
              props = Security.getProperty(REGISTRY_FILTER_PROPNAME);
          }
          if (props != null) {
!             filter = ObjectInputFilter.Config.createFilter2(props);
              Log regLog = Log.getLog("sun.rmi.registry", "registry", -1);
              if (regLog.isLoggable(Log.BRIEF)) {
                  regLog.log(Log.BRIEF, "registryFilter = " + filter);
              }
          }
*** 417,437 ****
              return ObjectInputFilter.Status.REJECTED;
          }
          Class<?> clazz = filterInfo.serialClass();
          if (clazz != null) {
              if (clazz.isArray()) {
!                 if (filterInfo.arrayLength() >= 0 && filterInfo.arrayLength() > REGISTRY_MAX_ARRAY_SIZE) {
!                     return ObjectInputFilter.Status.REJECTED;
!                 }
!                 do {
!                     // Arrays are allowed depending on the component type
!                     clazz = clazz.getComponentType();
!                 } while (clazz.isArray());
!             }
!             if (clazz.isPrimitive()) {
!                 // Arrays of primitives are allowed
!                 return ObjectInputFilter.Status.ALLOWED;
              }
              if (String.class == clazz
                      || java.lang.Number.class.isAssignableFrom(clazz)
                      || Remote.class.isAssignableFrom(clazz)
                      || java.lang.reflect.Proxy.class.isAssignableFrom(clazz)
--- 417,430 ----
              return ObjectInputFilter.Status.REJECTED;
          }
          Class<?> clazz = filterInfo.serialClass();
          if (clazz != null) {
              if (clazz.isArray()) {
!                 // Arrays are REJECTED only if they exceed the limit
!                 return (filterInfo.arrayLength() >= 0 && filterInfo.arrayLength() > REGISTRY_MAX_ARRAY_SIZE)
!                     ? ObjectInputFilter.Status.REJECTED
!                     : ObjectInputFilter.Status.UNDECIDED;
              }
              if (String.class == clazz
                      || java.lang.Number.class.isAssignableFrom(clazz)
                      || Remote.class.isAssignableFrom(clazz)
                      || java.lang.reflect.Proxy.class.isAssignableFrom(clazz)