RFR: JDK-8347377 : Add validation checks for ICC_Profile header fields [v3]
Harshitha Onkar
honkar at openjdk.org
Thu Jan 16 02:25:41 UTC 2025
On Thu, 16 Jan 2025 00:14:31 GMT, Phil Race <prr at openjdk.org> wrote:
>> Added 2 more cases that test loading a profile using ICC_Profile.getInstance(byte[] data).
>> Now we hit the code path where verifyHeader() is called within getInstance().
>> Also, I did test by directly loading a profile from a file - ICC_Profile.getInstance("sRGB.pf") and it works fine.
>>
>> Did you mean this code path or something else?
>
> I *think* what he means is that a profile with a now-rejected header might be allowed on JDK 21,
> and serialised on JDK 21 and when deserialised on JDK 25 (with this change) it is then rejected.
>
> Since it is unlikely the profile actually worked properly anyway on JDK 21, I don't think that would be an issue except for contrived tests, and is an insufficient reason to not make this change.
> Also if we were to consider backporting this to 21u then they'd not be able to serialise it.
> If we get a bug report on serialisation with a legitimate case, we can take another look.
Makes sense - Serialization and deserialization on different versions of JDK.
Thanks for clarifying.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23044#discussion_r1917573088