
Improper handling of objectAnnotation with classDescFlags SC_WRITE_METHOD | SC_SERIALIZABLE #27

@NickstaDB

Description

Arbitrary data written by a writeObject() method may break parsing when the class description flags are SC_WRITE_METHOD | SC_SERIALIZABLE. The parser treats the objectAnnotation data as if it is also in the Java serialization format, but this may not be the case. A TC_ENDBLOCKDATA is expected to terminate the additional data when the SC_WRITE_METHOD flag is set.

The offending line of code is this, which attempts to read an object (e.g. TC_CLASSDESC, TC_OBJECT, etc) from the objectAnnotation record:

Check if there are cases where the objectAnnotation field is in the Java serialization format (e.g. begins with TC_CLASSDESC or similar) - for example if SC_EXTERNALIZABLE or SC_BLOCKDATA flags are set. Update the code to handle this data accordingly.
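The objectAnnotation layout described above, as an added example in Python (this is not SerializationDumper's Java code). It parses the subset of the stream needed to show the point: one TC_OBJECT whose TC_CLASSDESC has only int fields and no superclass, followed by classdata and, when SC_WRITE_METHOD is set, an objectAnnotation that may mix blockdata (TC_BLOCKDATA / TC_BLOCKDATALONG, the raw bytes emitted by writeObject()) with objects (TC_STRING, TC_NULL, nested TC_OBJECT) up to TC_ENDBLOCKDATA. A `naive` switch reproduces the behaviour the issue reports, treating every annotation element as an object. The sample stream is constructed by hand, not captured from a JVM; the class name Foo, the field x and the values 7, 42 and "hi" are assumptions.

```python
"""objectAnnotation parsing for classDescFlags SC_WRITE_METHOD | SC_SERIALIZABLE
(added example; assumes int-only fields and no superclass)."""
import struct

# Type codes and class-descriptor flags from java.io.ObjectStreamConstants
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_STRING = 0x70, 0x72, 0x73, 0x74
TC_BLOCKDATA, TC_ENDBLOCKDATA, TC_BLOCKDATALONG = 0x77, 0x78, 0x7A
SC_WRITE_METHOD, SC_SERIALIZABLE = 0x01, 0x02

class Reader:
    """Cursor over the raw stream with bounds-checked big-endian reads."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated stream")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u8(self):
        return self.take(1)[0]
    def u16(self):
        return struct.unpack(">H", self.take(2))[0]
    def i32(self):
        return struct.unpack(">i", self.take(4))[0]
    def utf(self):
        return self.take(self.u16()).decode("utf-8")

def parse_annotation(r, naive=False):
    """Read classAnnotation/objectAnnotation contents up to TC_ENDBLOCKDATA.
    Each element is blockdata (raw writeObject() output) or an object.
    naive=True mimics the reported bug: every element is parsed as an object."""
    items = []
    while True:
        tc = r.u8()
        if tc == TC_ENDBLOCKDATA:
            return items
        if tc == TC_BLOCKDATA and not naive:
            items.append(("blockdata", r.take(r.u8())))
        elif tc == TC_BLOCKDATALONG and not naive:
            items.append(("blockdata", r.take(struct.unpack(">I", r.take(4))[0])))
        else:
            items.append(parse_object(r, tc, naive))

def parse_class_desc(r, naive=False):
    """TC_CLASSDESC body: className, serialVersionUID, classDescFlags, fields,
    classAnnotation, superClassDesc (only TC_NULL is supported here)."""
    name, _suid, flags = r.utf(), r.take(8), r.u8()
    fields = []
    for _ in range(r.u16()):
        typecode, fname = chr(r.u8()), r.utf()
        if typecode != "I":
            raise ValueError("example supports int fields only, got %r" % typecode)
        fields.append(fname)
    parse_annotation(r, naive)  # classAnnotation, normally just TC_ENDBLOCKDATA
    if r.u8() != TC_NULL:
        raise ValueError("example supports classes without a superclass only")
    return name, flags, fields

def parse_object(r, tc, naive=False):
    """Parse one object whose type code tc has already been consumed."""
    if tc == TC_NULL:
        return ("null", None)
    if tc == TC_STRING:
        return ("string", r.utf())
    if tc == TC_OBJECT:
        if r.u8() != TC_CLASSDESC:
            raise ValueError("expected TC_CLASSDESC")
        name, flags, fields = parse_class_desc(r, naive)
        values = {f: r.i32() for f in fields}  # classdata: default field values
        # objectAnnotation exists only when SC_WRITE_METHOD is set
        annotation = parse_annotation(r, naive) if flags & SC_WRITE_METHOD else []
        return ("object", {"class": name, "fields": values, "annotation": annotation})
    raise ValueError("unexpected type code 0x%02x where an object was expected" % tc)

def parse_stream(data, naive=False):
    r = Reader(data)
    if r.take(4) != b"\xac\xed\x00\x05":
        raise ValueError("bad STREAM_MAGIC/STREAM_VERSION")
    return parse_object(r, r.u8(), naive)

def build_sample_stream(with_string=False):
    """Constructed sample (not captured from a JVM): class Foo { int x = 7; },
    flags SC_WRITE_METHOD | SC_SERIALIZABLE, whose writeObject() calls
    defaultWriteObject(), writeInt(42) and optionally writeObject("hi")."""
    desc = (bytes([TC_CLASSDESC]) + b"\x00\x03Foo" + b"\x00" * 7 + b"\x01"
            + bytes([SC_WRITE_METHOD | SC_SERIALIZABLE]) + b"\x00\x01" + b"I\x00\x01x"
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))
    classdata = struct.pack(">i", 7)
    annotation = bytes([TC_BLOCKDATA, 4]) + struct.pack(">i", 42)
    if with_string:
        annotation += bytes([TC_STRING]) + b"\x00\x02hi"
    annotation += bytes([TC_ENDBLOCKDATA])
    return b"\xac\xed\x00\x05" + bytes([TC_OBJECT]) + desc + classdata + annotation

if __name__ == "__main__":
    print(parse_stream(build_sample_stream(with_string=True)))
    try:
        parse_stream(build_sample_stream(), naive=True)
    except ValueError as e:
        print("object-only annotation parser fails:", e)
```

Run stand-alone it prints the parsed object, including the 4-byte blockdata and the string from the annotation, then shows the object-only parser rejecting 0x77. The design point is that the annotation loop dispatches on the type code first and only falls through to object parsing for codes that are not blockdata, which is also what is needed for the SC_EXTERNALIZABLE with SC_BLOCK_DATA case mentioned in the issue.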
