RFR: 8328874: Class::forName0 should validate the class name length early [v10]
Roger Riggs
rriggs at openjdk.org
Thu Aug 28 13:55:47 UTC 2025
On Thu, 28 Aug 2025 03:59:40 GMT, Guanqiang Han <ghan at openjdk.org> wrote:
>> Validate class name length immediately after GetStringUTFLength() in Class.forName0. This prevents potential issues caused by overly long class names before they reach later code that would reject them, throwing ClassNotFoundException early.
>
> Guanqiang Han has updated the pull request incrementally with one additional commit since the last revision:
>
> Update Class.java
>
> avoid the case of int overflow
src/java.base/share/classes/java/lang/Class.java line 4170:
> 4168: // The check utfLen >= nameLen ensures we don't incorrectly return true in case of int overflow.
> 4169: int utfLen = ModifiedUtf.utfLen(name, 0);
> 4170: return utfLen <= JAVA_CLASSNAME_MAX_LEN && utfLen >= nameLen;
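Review bot: the comment at 4168 asserts that `utfLen >= nameLen` rules out the overflow case but does not give the reason, and the invariant is not obvious from the expression at 4170. Assuming `nameLen` is `name.length()`, it holds because a modified UTF-8 length is at most three bytes per char, so any value that passes both comparisons implies a `nameLen` far too small for the length to have wrapped. Suggest stating that in the comment.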
A typical overflow-conscious idiom is to subtract the unknown value from the known positive number and compare with 0.
Suggestion:
int utfLen = ModifiedUtf.utfLen(name, 0);
return JAVA_CLASSNAME_MAX_LEN - utfLen >= 0;
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2307490649
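How the comparison forms discussed in this message treat an int length that has wrapped, as an added Java example that is not code from the JDK or the pull request. `JAVA_CLASSNAME_MAX_LEN` is assumed to be 65535, `modifiedUtf8Length` is a hypothetical stand-in for `ModifiedUtf.utfLen`, and the length pairs are constructed.

```java
public class ClassNameLenCheck {
    // Assumption: 65535, the u2 length limit of a class-file CONSTANT_Utf8 entry.
    static final int JAVA_CLASSNAME_MAX_LEN = 65535;

    // Hypothetical stand-in for ModifiedUtf.utfLen, accumulating in a long.
    // Modified UTF-8: U+0001..U+007F take 1 byte, U+0000 and U+0080..U+07FF take 2,
    // every other char (surrogates included) takes 3.
    static long modifiedUtf8Length(CharSequence s) {
        long n = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            n += (c >= 0x0001 && c <= 0x007F) ? 1 : (c <= 0x07FF ? 2 : 3);
        }
        return n;
    }

    // Two-sided form quoted from the pull request.
    static boolean twoSided(int utfLen, int nameLen) {
        return utfLen <= JAVA_CLASSNAME_MAX_LEN && utfLen >= nameLen;
    }

    // Subtract-and-compare form from the review suggestion.
    static boolean subtractForm(int utfLen) {
        return JAVA_CLASSNAME_MAX_LEN - utfLen >= 0;
    }

    public static void main(String[] args) {
        String name = "java.lang.String";
        long real = modifiedUtf8Length(name);
        System.out.printf("%s: %d bytes, accepted=%b%n", name, real, twoSided((int) real, name.length()));

        // Constructed {nameLen, true byte count} pairs; strings this large are not
        // allocated here. The (int) cast models a 32-bit length that has wrapped.
        long[][] cases = {
            {65_535L, 65_535L},                // at the limit
            {40_000L, 80_000L},                // 2 bytes per char, over the limit
            {1_073_741_824L, 2_147_483_648L},  // wraps to Integer.MIN_VALUE
            {1_431_655_765L, 4_294_967_295L},  // wraps to -1
            {1_431_655_766L, 4_294_967_298L},  // wraps to 2
        };
        System.out.printf("%-12s %-12s %-9s %-9s %s%n", "trueLen", "(int)", "twoSided", "subtract", "long<=MAX");
        for (long[] c : cases) {
            int nameLen = (int) c[0];
            int utfLen = (int) c[1];
            System.out.printf("%-12d %-12d %-9b %-9b %b%n", c[1], utfLen,
                    twoSided(utfLen, nameLen), subtractForm(utfLen), c[1] <= JAVA_CLASSNAME_MAX_LEN);
        }
    }
}
```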