RFR 8223730 : URLClassLoader.findClass() can throw IndexOutOfBoundsException

Pavel Rappo pavel.rappo at oracle.com
Mon May 13 21:25:39 UTC 2019


Ivan,

This change looks good to me.

It's a pity we can't use 3-args InputStream.readNBytes here. Unrelated to your
change: it looks a bit wasteful to create a zero-length byte array only to throw
it away later. We could probably pre-size it or at least make it a `private
static final`?

-Pavel

> On 11 May 2019, at 23:07, Ivan Gerasimov <ivan.gerasimov at oracle.com> wrote:
> 
> Hello!
> 
> An integer overflow during array size calculation can happen in a case of loading extremely huge class file (which is unlikely in the real world).
> 
> It is possible to create a regression test (see the bug), though I doubt it would carry much weight while requiring much memory.
> 
> I did check manually that the POC runs fine with the patched JDK.
> 
> Would you please help review the fix?
> 
> BUGURL: https://bugs.openjdk.java.net/browse/JDK-8223730
> WEBREV: http://cr.openjdk.java.net/~igerasim/8223730/00/webrev/
> 
> -- 
> With kind regards,
> Ivan Gerasimov
> 



More information about the core-libs-dev mailing list