--- old/jdk/src/share/classes/java/io/ObjectInputStream.java 2013-02-07 17:06:52.000000000 +0100
+++ new/jdk/src/share/classes/java/io/ObjectInputStream.java 2013-02-07 17:06:51.000000000 +0100
@@ -1750,6 +1750,12 @@
         ObjectStreamClass desc = readClassDesc(false);
         desc.checkDeserialize();
 
+        Class cl = desc.forClass();
+        if (cl == String.class || cl == Class.class
+            || cl == ObjectStreamClass.class) {
+            throw new InvalidClassException("invalid class descriptor");
+        }
+
         Object obj;
         try {
             obj = desc.isInstantiable() ? desc.newInstance() : null;
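Review bot: The new guard throws `InvalidClassException("invalid class descriptor")` without naming the class the stream tried to smuggle in, so a rejected stream gives no clue which descriptor was bad; the two-argument constructor records it: `throw new InvalidClassException(desc.getName(), "invalid class descriptor");`. Nothing in the hunk says why exactly these three types are special, so a short why-comment above the `if` would help the next reader, along the lines of `// String, Class and ObjectStreamClass have their own stream type codes; a TC_OBJECT descriptor naming one of them is malformed and must not reach newInstance()`. `Class cl` is a raw type; `Class<?> cl = desc.forClass();` is the idiomatic spelling and changes nothing at runtime. Note that `forClass()` may presumably return null when the class could not be resolved, in which case the three `==` comparisons are simply false and the existing path continues, which looks intentional but is worth stating in the comment. The enclosing method (apparently readOrdinaryObject, judging by the `desc.newInstance()` call) starts before and ends after this hunk, so whether other descriptor-reading paths need the same guard cannot be judged from here.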