- Bug
- Resolution: Won't Fix
- P3
- 6u1
JDK 6 (Mustang) introduces a new hashing function in the JDK HashMap class. This change exposed a bug in JDK ORB decoding when processing fragments.
The bug occurs when decoding a *final* message fragment where advancing the current ByteBuffer position (ByteBuffer.position()) by the increment needed to align for a read of a given data type would move the position past the ByteBuffer length (ByteBuffer.limit()).
Here is the offending code from CDRInputStream_1_2.alignAndCheck(int align, int n):

    // determine how much to increment to the byte boundary position
    int alignIncr = computeAlignment(bbwi.position(), align);
    // increment ByteBuffer's position to byte alignment position
    bbwi.position(bbwi.position() + alignIncr);

In the failing case, the ByteBuffer's limit/length is 26, bbwi.position() is 26, and computeAlignment(26, 8) returns 2; align is 8 because we are trying to read a long from the ByteBuffer. In other words, we are trying to move bbwi.position() to position 28, which is beyond ByteBuffer.limit(). When the line bbwi.position(bbwi.position() + alignIncr) tries to set the ByteBuffer position to 28, ByteBuffer.position(int position) throws an IllegalArgumentException.
See bugs 6425321 and 6407775 for related JDK HashMap information.
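The failing case above can be reproduced with a plain java.nio.ByteBuffer. The following is an added example, not code from the JDK ORB or from this report: it shows the unchecked position advance throwing, next to a guarded variant that compares the increment against the bytes remaining before moving. The class and method names are hypothetical, the buffer is constructed to match the reported values, and the increment of 2 is taken from the report rather than computed.

```java
import java.nio.ByteBuffer;

public class AlignPastLimitDemo {

    // Unchecked advance, same shape as the two lines quoted in the report.
    static void alignUnchecked(ByteBuffer buf, int alignIncr) {
        buf.position(buf.position() + alignIncr);
    }

    // Hypothetical guarded variant: returns false instead of throwing when
    // the padding bytes are not present in this buffer, leaving the
    // position untouched.
    static boolean alignChecked(ByteBuffer buf, int alignIncr) {
        if (alignIncr < 0 || alignIncr > buf.remaining()) {
            // The caller handles the short buffer explicitly instead of
            // letting an unchecked exception escape the decoder.
            return false;
        }
        buf.position(buf.position() + alignIncr);
        return true;
    }

    public static void main(String[] args) {
        // Constructed buffer matching the report: limit 26, position 26.
        ByteBuffer buf = ByteBuffer.allocate(26);
        buf.position(26);

        // Value the report gives for computeAlignment(26, 8).
        int alignIncr = 2;

        try {
            alignUnchecked(buf, alignIncr);
        } catch (IllegalArgumentException e) {
            // ByteBuffer.position(int) rejects any new position > limit.
            System.out.println("unchecked: " + e);
        }

        boolean advanced = alignChecked(buf, alignIncr);
        System.out.println("checked: advanced=" + advanced
                + " position=" + buf.position()
                + " limit=" + buf.limit());
    }
}
```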