Hi,
Please review the following fix in JDK9 at your convenience: Bug : https://bugs.openjdk.java.net/browse/JDK-8160455 Webrev : http://cr.openjdk.java.net/~jdv/8160455/webrev.00/ Root cause : We are directly getting string present in XML DOM tree from attribute "tagSets" and creating class from it using class.forName(). XML DOM tree string can be an invalid also which we don't check. Solution : Verify whether the string from XML DOM tree maps to any of the subclasses of "TIFFTagSet" before initializing the class using isAssignableFrom(). This adds tighter check before initializing the class from XML DOM tree string. Thanks, Jay