From 39edc8d2b5b7cc550453e5027181b9779ed61bf8 Mon Sep 17 00:00:00 2001
From: Stuart Marks
Date: Thu, 8 Nov 2012 15:41:01 -0800
Subject: [PATCH] 7201070: Serialization to conform to protocol
Reviewed-by: dmocek, ahgross, skoivu
---
jdk/src/share/classes/java/io/ObjectInputStream.java | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/jdk/src/share/classes/java/io/ObjectInputStream.java b/jdk/src/share/classes/java/io/ObjectInputStream.java
index 1963187eaaa..1125bb04616 100644
--- a/jdk/src/share/classes/java/io/ObjectInputStream.java
+++ b/jdk/src/share/classes/java/io/ObjectInputStream.java
@@ -1752,6 +1752,12 @@ public class ObjectInputStream
 ObjectStreamClass desc = readClassDesc(false);
 desc.checkDeserialize();
 
+ Class cl = desc.forClass();
+ if (cl == String.class || cl == Class.class
+ || cl == ObjectStreamClass.class) {
+ throw new InvalidClassException("invalid class descriptor");
+ }
+
 Object obj;
 try {
 obj = desc.isInstantiable() ? desc.newInstance() : null;
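Review bot: The new guard in readOrdinaryObject carries no comment saying why exactly String, Class and ObjectStreamClass are rejected, so a later maintainer may read it as an arbitrary blocklist and "fix" it; the reason is that these three types have their own stream type codes in the serialization protocol (TC_STRING/TC_LONGSTRING, TC_CLASS, TC_CLASSDESC) and must never arrive wrapped in a TC_OBJECT, so a class descriptor naming them is a malformed or hostile stream. Suggest adding above the `if`: `// String, Class and ObjectStreamClass are written with dedicated type codes, never as TC_OBJECT; reject before newInstance() so a crafted stream cannot instantiate them through this path.` The placement after checkDeserialize() and before desc.newInstance() is the right one, since it is the instantiation that must be prevented. Separately, `Class cl` is a raw type; if the rest of this file already uses `Class<?>` (the hunk does not show it), `Class<?> cl = desc.forClass();` would avoid a rawtypes warning with no behavior change. The enclosing method continues beyond this hunk.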