# HG changeset patch
# User coffeys
# Date 1355322673 0
# Node ID 042882b32f75d0e736c19f93688d37fb98d7d26d
# Parent 708c134c36312faf8721c0c981be6553e4ebf49f
7201070: Serialization to conform to protocol
Reviewed-by: smarks, skoivu
diff --git a/src/share/classes/java/io/ObjectInputStream.java b/src/share/classes/java/io/ObjectInputStream.java
--- jdk/src/share/classes/java/io/ObjectInputStream.java
+++ jdk/src/share/classes/java/io/ObjectInputStream.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -1749,6 +1749,12 @@ public class ObjectInputStream
ObjectStreamClass desc = readClassDesc(false);
desc.checkDeserialize();
+ Class<?> cl = desc.forClass();
+ if (cl == String.class || cl == Class.class
+ || cl == ObjectStreamClass.class) {
+ throw new InvalidClassException("invalid class descriptor");
+ }
+
Object obj;
try {
obj = desc.isInstantiable() ? desc.newInstance() : null;