7u-cpu-7u-dev-sync-feb-3-backup3 Udiff jdk/src/share/classes/java/io/ObjectInputStream.java

jdk/src/share/classes/java/io/ObjectInputStream.java

rev 5725 : Merge

@@ -1748,10 +1748,16 @@
         }
 
         ObjectStreamClass desc = readClassDesc(false);
         desc.checkDeserialize();
 
+        Class<?> cl = desc.forClass();
+        if (cl == String.class || cl == Class.class
+                || cl == ObjectStreamClass.class) {
+            throw new InvalidClassException("invalid class descriptor");
+        }
+
         Object obj;
         try {
             obj = desc.isInstantiable() ? desc.newInstance() : null;
         } catch (Exception ex) {
             throw (IOException) new InvalidClassException(