From 1dc9c053c4503fbeeff7a6853c6bd598a6feb46a Mon Sep 17 00:00:00 2001
From: Vinnie Ryan
Date: Mon, 14 Mar 2011 17:50:52 +0000
Subject: [PATCH] 6686215: Some mutables not defensively copied when deserializing java.security.CodeSource & Timestamp objects

Reviewed-by: mullan
---
 jdk/src/share/classes/java/security/CodeSource.java | 4 ++--
 jdk/src/share/classes/java/security/Timestamp.java | 7 ++++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/jdk/src/share/classes/java/security/CodeSource.java b/jdk/src/share/classes/java/security/CodeSource.java
index 5ec8cebc028..b821a4ec9c1 100644
--- a/jdk/src/share/classes/java/security/CodeSource.java
+++ b/jdk/src/share/classes/java/security/CodeSource.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -578,7 +578,7 @@ public class CodeSource implements java.io.Serializable {
 
 // Deserialize array of code signers (if any)
 try {
- this.signers = (CodeSigner[])ois.readObject();
+ this.signers = ((CodeSigner[])ois.readObject()).clone();
 } catch (IOException ioe) {
 // no signers present
 }
diff --git a/jdk/src/share/classes/java/security/Timestamp.java b/jdk/src/share/classes/java/security/Timestamp.java
index 1629d9bbff9..f66d2883e62 100644
--- a/jdk/src/share/classes/java/security/Timestamp.java
+++ b/jdk/src/share/classes/java/security/Timestamp.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
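Review bot: The `.clone()` added to the `readObject()` result means a null object in the stream now leaves deserialization with a NullPointerException, which the surrounding `catch (IOException ioe)` does not cover; with the old line a null simply left `signers` null. A stream that omits the array (the case the "no signers present" comment describes) still ends in the IOException path, so this only matters for malformed or hand-built streams, but a deserialization hook should report such input as an `InvalidObjectException` rather than an unchecked exception (the ClassCastException from the cast is the same kind of gap, though it predates this change). Consider `Object o = ois.readObject(); this.signers = (o == null) ? null : ((CodeSigner[]) o).clone();` and a one-line comment stating why the copy is needed, e.g. `// copy: another object in the stream may hold a reference to this array`. The enclosing readObject method begins outside the hunk.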
@@ -157,7 +157,8 @@ public final class Timestamp implements Serializable {
 // Explicitly reset hash code value to -1
 private void readObject(ObjectInputStream ois)
 throws IOException, ClassNotFoundException {
- ois.defaultReadObject();
- myhash = -1;
+ ois.defaultReadObject();
+ myhash = -1;
+ timestamp = new Date(timestamp.getTime());
 }
 }
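Review bot: The added `timestamp = new Date(timestamp.getTime());` dereferences the field straight after `defaultReadObject()`, so a stream whose `timestamp` field is null now fails with a NullPointerException out of readObject; presumably the public constructor rejects a null timestamp, but that is outside the hunk, and a deserialization hook should report malformed input as `InvalidObjectException` instead. A guard such as `if (timestamp == null) throw new InvalidObjectException("timestamp is null");` before the copy keeps the failure mode explicit. The copy itself is the right fix, since it also discards any Date subclass the stream supplied; the comment above the method still only mentions the hash reset, so extend it to something like `// Explicitly reset hash code value to -1 and defensively copy the mutable Date`.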