Index: src/main/java/java/io/ObjectInputStream.java
===================================================================
--- src/main/java/java/io/ObjectInputStream.java (revision 466152)
+++ src/main/java/java/io/ObjectInputStream.java (working copy)
@@ -1661,6 +1661,8 @@
 newClassDesc.setClass(resolveClass(newClassDesc));
 // Check SUIDs
 verifySUID(newClassDesc);
+ // Check base name of the class
+ verifyBaseName(newClassDesc);
 } catch (ClassNotFoundException e) {
 if (mustResolve) {
 throw e;
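Review bot: The added comment `// Check base name of the class` only restates the call that follows it; the useful information is why the check sits here and how its failure is handled, namely that an InvalidClassException raised by verifyBaseName is not a ClassNotFoundException and therefore passes through the catch below to the caller regardless of mustResolve. Suggest `// Reject a descriptor whose simple class name differs from the class resolveClass returned; the InvalidClassException deliberately propagates past the catch below.` The enclosing method starts and ends outside the hunk, so whether resolveClass can hand back null on this path (which would reach verifyBaseName with a null class) cannot be confirmed from here.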
@@ -2678,4 +2680,39 @@
 localStreamClass));
 }
 }
+
+ /**
+ * Verify if the base name for descriptor loadedStreamClass
+ * matches the base name of the corresponding loaded class.
+ *
+ * @param loadedStreamClass
+ * An ObjectStreamClass that was loaded from the stream.
+ *
+ * @throws InvalidClassException
+ * If the base name of the stream class does not match the VM class
+ */
+ private void verifyBaseName(ObjectStreamClass loadedStreamClass)
+ throws InvalidClassException {
+ Class localClass = loadedStreamClass.forClass();
+ ObjectStreamClass localStreamClass = ObjectStreamClass
+ .lookupStreamClass(localClass);
+ String loadedClassBaseName = getBaseName(loadedStreamClass.getName());
+ String localClassBaseName = getBaseName(localStreamClass.getName());
+
+ if (!loadedClassBaseName.equals(localClassBaseName)) {
+ throw new InvalidClassException(loadedStreamClass.getName(), Msg
+ .getString("KA014", loadedClassBaseName, //$NON-NLS-1$
+ localClassBaseName));
+ }
+ }
+
+ private static String getBaseName(String fullName) {
+ int k = fullName.lastIndexOf(".");
+
+ if (k == -1 || k == (fullName.length() - 1)) {
+ return fullName;
+ } else {
+ return fullName.substring(k + 1);
+ }
+ }
 }
Index: src/main/java/org/apache/harmony/luni/util/ExternalMessages.properties
===================================================================
--- src/main/java/org/apache/harmony/luni/util/ExternalMessages.properties (revision 466152)
+++ src/main/java/org/apache/harmony/luni/util/ExternalMessages.properties (working copy)
@@ -305,4 +305,5 @@
 KA011=Malformed reply from SOCKS server
 KA012=No such file or directory
 KA013=Number of bytes to skip cannot be negative
+KA014=Incompatible class (base name)\: {0} but expected {1}
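Review bot: verifyBaseName dereferences both loadedStreamClass.forClass() and the result of ObjectStreamClass.lookupStreamClass(localClass) without a null check; if either can be null on this path (a descriptor whose class was not resolved, or a local class for which no stream descriptor exists — neither is visible from this hunk), the new check fails with a NullPointerException rather than the InvalidClassException the Javadoc promises, so this should be confirmed against the caller or guarded with `if (localClass == null) { return; }` before the lookup. Because only the text after the last '.' is compared, a local class with the same simple name in a different package is accepted; that is the latitude a resolveClass override relies on, but it also means this is a consistency check rather than a restriction on which classes a stream may name, and the Javadoc should state it, e.g. `Package names are intentionally ignored so that resolveClass may map a stream class to a relocated local class.` In getBaseName a name ending in '.' is returned whole instead of as an empty base name, which is harmless for JVM class names but deserves a one-line Javadoc on that helper, and `fullName.lastIndexOf('.')` avoids the String search. `Class localClass` is a raw type; `Class<?> localClass` would be preferable if the rest of the file already uses generics.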