RFR: 8328874: Class::forName0 should validate the class name length early [v10]
Guanqiang Han
ghan at openjdk.org
Thu Aug 28 15:36:29 UTC 2025
On Thu, 28 Aug 2025 13:52:37 GMT, Roger Riggs <rriggs at openjdk.org> wrote:
>> Guanqiang Han has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Update Class.java
>>
>> avoid the case of int overflow
>
> src/java.base/share/classes/java/lang/Class.java line 4170:
>
>> 4168: // The check utfLen >= nameLen ensures we don't incorrectly return true in case of int overflow.
>> 4169: int utfLen = ModifiedUtf.utfLen(name, 0);
>> 4170: return utfLen <= JAVA_CLASSNAME_MAX_LEN && utfLen >= nameLen;
>
> A typical overflow-conscious idiom is to subtract the unknown value from the known positive number and compare with 0.
> Suggestion:
>
> int utfLen = ModifiedUtf.utfLen(name, 0);
> return JAVA_CLASSNAME_MAX_LEN - utfLen >= 0;
@RogerRiggs Good catch! Fixed.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2307802875
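The following is an added example, not code from the pull request or the JDK. It shows how the two `int` comparisons quoted above and a widened `long` comparison treat an encoded length that has wrapped past 32 bits. The value 65535 for `JAVA_CLASSNAME_MAX_LEN`, the helper `utfLenExact`, and the sample length pairs are assumptions made for illustration.

```java
public class ClassNameLengthCheck {
    // Assumed value of the constant named in the thread.
    static final int JAVA_CLASSNAME_MAX_LEN = 65535;

    // Hypothetical stand-in for ModifiedUtf.utfLen: modified UTF-8 length of s,
    // accumulated in a long so the sum cannot wrap.
    static long utfLenExact(String s) {
        long len = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            len += (c >= 0x0001 && c <= 0x007F) ? 1 : (c <= 0x07FF ? 2 : 3);
        }
        return len;
    }

    // Check as first quoted: upper bound plus a lower bound against the char count.
    static boolean boundedBothWays(int utfLen, int nameLen) {
        return utfLen <= JAVA_CLASSNAME_MAX_LEN && utfLen >= nameLen;
    }

    // Subtraction form from the review suggestion.
    static boolean subtractForm(int utfLen) {
        return JAVA_CLASSNAME_MAX_LEN - utfLen >= 0;
    }

    // Comparison on the exact long length; there is no wrapped value to interpret.
    static boolean widened(long exactLen) {
        return exactLen <= JAVA_CLASSNAME_MAX_LEN;
    }

    public static void main(String[] args) {
        String real = "java.lang.String\0"; // NUL takes two bytes in modified UTF-8
        System.out.println(utfLenExact(real) + " bytes, fits=" + widened(utfLenExact(real)));

        // Constructed {nameLen, exact encoded length} pairs; no strings of this size are allocated.
        long[][] cases = {
            {20_000L, 60_000L}, {21_846L, 65_538L}, {715_827_883L, 2_147_483_649L},
            {1_431_655_765L, 4_294_967_295L}, {1_431_655_770L, 4_294_967_310L},
        };
        System.out.printf("%-14s %-12s %-9s %-9s %-9s%n",
                "exactLen", "asInt", "bothWays", "subtract", "widened");
        for (long[] c : cases) {
            int nameLen = (int) c[0];
            int wrapped = (int) c[1]; // an int accumulator holds the exact sum modulo 2^32
            System.out.printf("%-14d %-12d %-9b %-9b %-9b%n", c[1], wrapped,
                    boundedBothWays(wrapped, nameLen), subtractForm(wrapped), widened(c[1]));
        }
    }
}
```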