# HG changeset patch
# User mbankal
# Date 1311935636 25200
# Node ID 9515a2d034b4727c11aeea36354a549fbc469c4f
# Parent  cefc5a3747ced551a673560d91f0caa5deedc451
7055902: ZDI-CAN-1253: Oracle Java IIOP Deserialization Type Confusion Remote Code Execution Vulnerability
Reviewed-by: coffeys

diff -r cefc5a3747ce -r 9515a2d034b4 src/share/classes/com/sun/corba/se/impl/io/IIOPInputStream.java
--- a/src/share/classes/com/sun/corba/se/impl/io/IIOPInputStream.java	Tue Jun 28 11:24:48 2011 -0700
+++ b/src/share/classes/com/sun/corba/se/impl/io/IIOPInputStream.java	Fri Jul 29 03:33:56 2011 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -2243,6 +2243,10 @@
                 }
 
                 try {
+                    Class fieldCl = fields[i].getClazz();
+                    if (objectValue != null && !fieldCl.isInstance(objectValue)) {
+                        throw new IllegalArgumentException();
+                    }
                     bridge.putObject( o, fields[i].getFieldID(), objectValue ) ;
                     // reflective code: fields[i].getField().set( o, objectValue ) ;
                 } catch (IllegalArgumentException e) {
@@ -2553,6 +2557,10 @@
     {
         try {
             Field fld = c.getDeclaredField( fieldName ) ;
+            Class fieldCl = fld.getType();
+            if(v != null && !fieldCl.isInstance(v)) {
+                throw new Exception();
+            }
             long key = bridge.objectFieldOffset( fld ) ;
             bridge.putObject( o, key, v ) ;
         } catch (Exception e) {