RFR: 8328874: Class::forName0 should validate the class name length early [v2]

Guanqiang Han ghan at openjdk.org
Tue Aug 19 15:24:40 UTC 2025


On Tue, 19 Aug 2025 13:10:31 GMT, ExE Boss <duke at openjdk.org> wrote:

>> Guanqiang Han has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
>> 
>>  - move check into java side
>>  - Merge remote-tracking branch 'upstream/master' into 8328874
>>  - 8328874: Class::forName0 should validate the class name length early
>>    
>>    Validate class name length immediately after GetStringUTFLength() in Class.forName0. This prevents potential issues caused by overly long class names before they reach later code that would reject them, throwing ClassNotFoundException early.
>
> src/java.base/share/classes/java/lang/Class.java line 4160:
> 
>> 4158:     private static boolean classNameLengthIsValid(String name) {
>> 4159: 	    Objects.requireNonNull(name);
>> 4160: 	    return name.length() <= JAVA_CLASSNAME_MAX_LEN;
> 
> This check is incorrect, as the `JAVA_CLASSNAME_MAX_LEN` applies to the Modified UTF‑8 length, rather than the UTF‑16 length.

@ExE-Boss Good catch — you’re right, this should check the Modified UTF-8 length rather than the UTF-16 length. I have updated the implementation accordingly, please take another look.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2285607194
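
The difference between the two lengths discussed in this review, as an added example that is not part of the thread or of the JDK patch. The class and method names are hypothetical, and the limit of 65535 is an assumption taken from the u2 length field of a `CONSTANT_Utf8` class-file entry, since the message does not state the value of `JAVA_CLASSNAME_MAX_LEN`.

```java
public class ClassNameLengthDemo {
    // Assumed limit (not stated on the page): largest value of the u2
    // length field of a CONSTANT_Utf8 constant-pool entry.
    static final int ASSUMED_MAX_LEN = 65535;

    // Modified UTF-8 length of a string, counted per UTF-16 code unit
    // without allocating an encoded copy.
    static long modifiedUtf8Length(String s) {
        long len = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c >= 0x0001 && c <= 0x007F) {
                len += 1;          // plain ASCII except NUL
            } else if (c <= 0x07FF) {
                len += 2;          // U+0000 (encoded as C0 80) and U+0080..U+07FF
            } else {
                len += 3;          // U+0800..U+FFFF; each surrogate half is
                                   // encoded on its own, so a pair takes 6 bytes
            }
        }
        return len;
    }

    // The check as first proposed: counts UTF-16 code units.
    static boolean utf16LengthIsValid(String name) {
        return name.length() <= ASSUMED_MAX_LEN;
    }

    // The check the reviewer asks for: counts Modified UTF-8 bytes.
    static boolean modifiedUtf8LengthIsValid(String name) {
        return modifiedUtf8Length(name) <= ASSUMED_MAX_LEN;
    }

    public static void main(String[] args) {
        // Constructed inputs: an ASCII name exactly at the assumed limit, and
        // a shorter name made of CJK characters that take 3 bytes each.
        String ascii = "a".repeat(ASSUMED_MAX_LEN);
        String cjk = "\u4e2d".repeat(30000);
        for (String name : new String[] { ascii, cjk }) {
            System.out.printf("utf16=%d mutf8=%d utf16Check=%b mutf8Check=%b%n",
                    name.length(), modifiedUtf8Length(name),
                    utf16LengthIsValid(name), modifiedUtf8LengthIsValid(name));
        }
    }
}
```

For ASCII-only names both checks agree; they diverge as soon as a name contains characters outside U+0001..U+007F, which is the case the UTF-16 check lets through.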

