CLJ-2916 LazySeq - realize before serializing and do not serialize IFn

puredanger · puredanger · commit 25e8f4eba2a1 · 2025-08-25T14:09:34.000-05:00
diff --git a/src/jvm/clojure/lang/LazySeq.java b/src/jvm/clojure/lang/LazySeq.java
@@ -20,9 +20,9 @@
 
 public final class LazySeq extends Obj implements ISeq, Sequential, List, IPending, IHashEq{
 
-private static final long serialVersionUID = -7345643944998411680L;
+private static final long serialVersionUID = -7531333024710395876L;
 
-private IFn fn;
+private transient IFn fn;
 private Object sv;
 private ISeq s;
 private Lock lock;
@@ -300,5 +300,15 @@ public boolean isRealized(){
 	}
 	return true;
 }
+
+// custom Serializable implementation - ensure seq is fully-realized before writing
+private void writeObject(java.io.ObjectOutputStream out) throws IOException {
+	ISeq s = this;
+	while(s != null) {
+		s = s.next();
+	}
+	out.defaultWriteObject();
+}
+
 }
 
diff --git a/test/clojure/test_clojure/serialization.clj b/test/clojure/test_clojure/serialization.clj
@@ -92,6 +92,7 @@
     ; lazy seqs
     (lazy-seq nil)
     (lazy-seq (list* (range 50)))
+    (iterator-seq (.iterator (range 50)))
 
     ; transient / persistent! round-trip
     (build-via-transient [])
@@ -182,8 +183,7 @@
     (agent nil)
 
     ;; stateful seqs
-    (enumeration-seq (java.util.Collections/enumeration (range 50)))
-    (iterator-seq (.iterator (range 50)))))
+    (enumeration-seq (java.util.Collections/enumeration (range 50)))))
 
 ;; necessary for CVE-2024-22871
 (deftest CLJ-2839
