RFR 8223730 : URLClassLoader.findClass() can throw IndexOutOfBoundsException
Pavel Rappo
pavel.rappo at oracle.com
Mon May 13 21:25:39 UTC 2019
Ivan,
This change looks good to me.
It's a pity we can't use 3-args InputStream.readNBytes here. Unrelated to your
change: it looks a bit wasteful to create a zero-length byte array only to throw
it away later. We could probably pre-size it or at least make it a `private
static final`?
-Pavel
> On 11 May 2019, at 23:07, Ivan Gerasimov <ivan.gerasimov at oracle.com> wrote:
>
> Hello!
>
> An integer overflow during array size calculation can happen in the case of loading an extremely huge class file (which is unlikely in the real world).
>
> It is possible to create a regression test (see the bug), though I doubt it would carry much weight while requiring much memory.
>
> I did check manually that the POC runs fine with the patched JDK.
>
> Would you please help review the fix?
>
> BUGURL: https://bugs.openjdk.java.net/browse/JDK-8223730
> WEBREV: http://cr.openjdk.java.net/~igerasim/8223730/00/webrev/
>
> --
> With kind regards,
> Ivan Gerasimov
>
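
An added illustration, not the JDK's code or the patch under review: the class of bug described in this thread, shown as an unchecked `int` size calculation beside a form that adds in `long` and clamps to an array limit. The class name, `MAX_ARRAY`, `CHUNK`, the helper names and the sample stream are all assumptions constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

public class SafeRead {
    // Assumed conservative array-length limit; not taken from the patch.
    static final int MAX_ARRAY = Integer.MAX_VALUE - 8;
    static final int CHUNK = 1024;

    // Unchecked form: int addition silently wraps to a negative value
    // once pos + toRead exceeds Integer.MAX_VALUE.
    static int uncheckedCapacity(int pos, int toRead) {
        return pos + toRead;
    }

    // Checked form: add in long, clamp to the limit, and fail with a
    // clear error when the buffer cannot grow any further.
    static int grownCapacity(int pos, int toRead) throws IOException {
        if (pos >= MAX_ARRAY) {
            throw new IOException("input exceeds maximum array size");
        }
        long target = (long) pos + toRead;
        return (int) Math.min(target, MAX_ARRAY);
    }

    // Reads a stream of unknown length; every resize goes through grownCapacity().
    static byte[] readAll(InputStream in) throws IOException {
        byte[] buf = new byte[CHUNK];
        int pos = 0;
        while (true) {
            if (pos == buf.length) {
                buf = Arrays.copyOf(buf, grownCapacity(pos, buf.length));
            }
            int n = in.read(buf, pos, buf.length - pos);
            if (n < 0) {
                return Arrays.copyOf(buf, pos); // trim to bytes actually read
            }
            pos += n;
        }
    }

    public static void main(String[] args) throws IOException {
        int pos = Integer.MAX_VALUE - 512; // constructed position near the int limit
        System.out.println("unchecked: " + uncheckedCapacity(pos, CHUNK));
        System.out.println("checked:   " + grownCapacity(pos, CHUNK));
        byte[] sample = new byte[5000]; // constructed input, stands in for class bytes
        System.out.println("read:      " + readAll(new ByteArrayInputStream(sample)).length);
    }
}
```

The size calculation is kept in its own method so the wraparound can be observed without allocating gigabytes, which is the cost of a regression test that the original message points out.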