RFR: JDK-8346465 : Add a check in setData() to restrict the update of Built-In ICC_Profiles [v16]

Alexey Ivanov aivanov at openjdk.org
Tue Mar 11 21:14:02 UTC 2025


On Tue, 11 Mar 2025 21:08:42 GMT, Harshitha Onkar <honkar at openjdk.org> wrote:

>> Built-in Profiles are singleton objects and if the user happens to modify this shared profile object via setData() then the modified version of the profile is returned each time the same built-in profile is requested via getInstance().
>> 
>> It is good to protect Built-in profiles from such direct modification by adding BuiltIn profile check in `setData()` such that **only copies** of Built-In profiles are allowed to be updated.
>> 
>> With the proposed fix, if Built-In profile is updated using `.setData()` it throws _**IAE - "BuiltIn profile cannot be modified"**_
>> 
>> There are no restrictions on creating copies of BuiltIn profile and then modifying it, but what is being restricted with this fix is - the direct modification of the shared BuiltIn profile instance.
>> 
>> Applications which need a modified version of the ICC Profile should instead do the following:
>> 
>> 
>> ICC_Profile builtIn = ICC_Profile.getInstance(ColorSpace.CS_sRGB); // a shared BuiltIn profile
>> byte[] profileData = builtIn.getData(); // get the byte array representation of the BuiltIn profile
>> ICC_Profile newProfile = ICC_Profile.getInstance(profileData); // create a new profile
>> newProfile.setData(tagSignature, tagData); // to modify and customize the profile
>> 
>> 
>> The following existing tests are modified to update a copy of the Built-In profile.
>> 
>> - java/awt/color/ICC_Profile/SetHeaderInfo.java
>> - java/awt/color/ICC_ProfileSetNullDataTest.java
>> - sun/java2d/cmm/ProfileOp/SetDataTest.java
>
> Harshitha Onkar has updated the pull request incrementally with one additional commit since the last revision:
> 
>   modifier order changed, added comment to BuiltInProfile

src/java.desktop/share/classes/java/awt/color/ICC_Profile.java line 126:

> 124:         /*
> 125:          * Deferral is only used for standard profiles. Enabling the appropriate
> 126:          * access privileges is handled at a lower level.

I wonder if “Enabling the appropriate access privileges is handled at a lower level” is still relevant after `SecurityManager` was removed.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23606#discussion_r1990133673
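
The copy-then-modify pattern from the PR description, as an added example that is not part of the original thread or of the JDK sources. The class name, helper methods and the choice of header field to edit are assumptions made for illustration; the direct update of the built-in profile is expected to be refused only on a JDK that contains the check described above.

```java
import java.awt.color.ColorSpace;
import java.awt.color.ICC_Profile;
import java.util.Arrays;

public class BuiltInProfileCopyDemo {

    // Returns a header copy whose rendering-intent field (4-byte big-endian
    // value at icHdrRenderingIntent) is set to absolute colorimetric.
    static byte[] withAbsoluteIntent(byte[] header) {
        byte[] patched = header.clone();
        patched[ICC_Profile.icHdrRenderingIntent + 3] =
                (byte) ICC_Profile.icAbsoluteColorimetric;
        return patched;
    }

    // True when setData() on the given profile is refused with IAE.
    static boolean updateRejected(ICC_Profile profile, byte[] header) {
        try {
            profile.setData(ICC_Profile.icSigHead, header);
            return false;
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        // Shared singleton: every getInstance(CS_sRGB) call returns this object.
        ICC_Profile builtIn = ICC_Profile.getInstance(ColorSpace.CS_sRGB);
        byte[] original = builtIn.getData(ICC_Profile.icSigHead);
        byte[] patched = withAbsoluteIntent(original);

        // On a JDK with the check this is refused; on one without it the call
        // succeeds and changes the profile for every user in this JVM.
        boolean guarded = updateRejected(builtIn, patched);
        System.out.println("built-in profile guarded: " + guarded);

        // Supported route: rebuild a private profile from the bytes, edit that.
        ICC_Profile copy = ICC_Profile.getInstance(builtIn.getData());
        copy.setData(ICC_Profile.icSigHead, patched);

        byte[] shared = ICC_Profile.getInstance(ColorSpace.CS_sRGB)
                .getData(ICC_Profile.icSigHead);
        System.out.println("copy updated: "
                + Arrays.equals(copy.getData(ICC_Profile.icSigHead), patched));
        System.out.println("shared header unchanged: "
                + Arrays.equals(shared, original));
    }
}
```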

