From c3f5f3204bcc8d62a56ff214e904876b7e7a206f Mon Sep 17 00:00:00 2001
From: Arthur Chan
Date: Thu, 7 Dec 2023 13:44:58 +0000
Subject: [PATCH] LANG-1722: Rethrow NegativeArraySizeException as SerializationException in SerilizationUtils.deserialize(InputStream) (#1141)
* LANG-1722: Catch NegativeArraySizeException
Signed-off-by: Arthur Chan
* Fix unit test formatting
Signed-off-by: Arthur Chan
---------
Signed-off-by: Arthur Chan
---
 .../org/apache/commons/lang3/SerializationUtils.java | 2 +-
 .../org/apache/commons/lang3/SerializationUtilsTest.java | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/apache/commons/lang3/SerializationUtils.java b/src/main/java/org/apache/commons/lang3/SerializationUtils.java
index b608b7dca..7ab6a1124 100644
--- a/src/main/java/org/apache/commons/lang3/SerializationUtils.java
+++ b/src/main/java/org/apache/commons/lang3/SerializationUtils.java
@@ -207,7 +207,7 @@ public class SerializationUtils {
 @SuppressWarnings("unchecked")
 final T obj = (T) in.readObject();
 return obj;
- } catch (final ClassNotFoundException | IOException ex) {
+ } catch (final ClassNotFoundException | IOException | NegativeArraySizeException ex) {
 throw new SerializationException(ex);
 }
 }
diff --git a/src/test/java/org/apache/commons/lang3/SerializationUtilsTest.java b/src/test/java/org/apache/commons/lang3/SerializationUtilsTest.java
index 9e3ed25de..9c9efaad0 100644
--- a/src/test/java/org/apache/commons/lang3/SerializationUtilsTest.java
+++ b/src/test/java/org/apache/commons/lang3/SerializationUtilsTest.java
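Review bot: Nothing at the widened `catch` in `deserialize(InputStream)` records why an unchecked exception is now caught next to the two checked ones, so a later cleanup could easily drop it again. A comment above the catch such as `// A corrupt stream can declare a negative array length; report it as SerializationException like any other unreadable input.` would keep the intent visible. The method starts outside this hunk, so its Javadoc is not visible here; if it does not already say so, it should state that wrapping the exception only normalises the failure type and does not restrict which classes the stream may instantiate, so untrusted input still needs a deserialization filter or a different format. Other unchecked exceptions that a malformed stream may provoke in `readObject()` would presumably still escape unwrapped, which is worth deciding on deliberately rather than one exception type at a time.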
@@ -360,4 +360,13 @@ public class SerializationUtilsTest extends AbstractLangTest {
 assertThrows(SerializationException.class, () -> SerializationUtils.serialize(iMap, streamTest));
 }
+ @Test
+ public void testNegativeByteArray() throws IOException {
+ final byte[] byteArray = {
+ (byte) -84, (byte) -19, (byte) 0, (byte) 5, (byte) 125, (byte) -19, (byte) 0,
+ (byte) 5, (byte) 115, (byte) 114, (byte) -1, (byte) 97, (byte) 122, (byte) -48, (byte) -65
+ };
+
+ assertThrows(SerializationException.class, () -> SerializationUtils.deserialize(new ByteArrayInputStream(byteArray)));
+ }
 }
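Review bot: `testNegativeByteArray` asserts only the wrapper type, so it would also pass if the stream were rejected with an `IOException`, and it does not pin the new catch branch. Capturing the result and checking the cause, e.g. `assertTrue(ex.getCause() instanceof NegativeArraySizeException)` on the value returned by `assertThrows`, would tie the test to this fix, provided every supported JDK raises that exception for this input. The byte literal is also undocumented; a comment such as `// stream header 0xACED 0x0005, then TC_PROXYCLASSDESC (0x7D) followed by a negative interface count` (worth confirming against the serialization stream grammar) would show a reader why the input is malformed. The enclosing test class starts outside the hunk.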