6686215: Some mutables not defensively copied when deserializing java.security.CodeSource & Timestamp objects

Reviewed-by: mullan

jdk/src/share/classes/java/security/CodeSource.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -578,7 +578,7 @@ public class CodeSource implements java.io.Serializable {
 
         // Deserialize array of code signers (if any)
         try {
-            this.signers = (CodeSigner[])ois.readObject();
+            this.signers = ((CodeSigner[])ois.readObject()).clone();
         } catch (IOException ioe) {
             // no signers present
         }

jdk/src/share/classes/java/security/Timestamp.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -157,7 +157,8 @@ public final class Timestamp implements Serializable {
     // Explicitly reset hash code value to -1
     private void readObject(ObjectInputStream ois)
         throws IOException, ClassNotFoundException {
-     ois.defaultReadObject();
-     myhash = -1;
+        ois.defaultReadObject();
+        myhash = -1;
+        timestamp = new Date(timestamp.getTime());
     }
 }