RFR: 8328874: Class::forName0 should validate the class name length early [v12]

[Albert Mingkun Yang]

On Fri, 29 Aug 2025 06:45:25 GMT, Guanqiang Han <ghan at openjdk.org> wrote:

>> Validate class name length immediately after GetStringUTFLength() in Class.forName0. This prevents potential issues caused by overly long class names before they reach later code that would reject them, throwing ClassNotFoundException early.
>
> Guanqiang Han has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Update Class.java
>   
>   change overflow check

Two minor comments/suggestions. Looks good otherwise.

src/java.base/share/classes/java/lang/Class.java line 226:

> 224:     private static final int ENUM      = 0x00004000;
> 225:     private static final int SYNTHETIC = 0x00001000;
> 226:     private static final int JAVA_CLASSNAME_MAX_LEN = 65535;

Do we need a comment explaining where this magic number comes from?

src/java.base/share/classes/java/lang/Class.java line 4170:

> 4168:         // The check utfLen >= nameLen ensures we don't incorrectly return true in case of int overflow.
> 4169:         int utfLen = ModifiedUtf.utfLen(name, 0);
> 4170:         return utfLen <= JAVA_CLASSNAME_MAX_LEN && utfLen >= nameLen;

I would probably use early-return for the overflow case, sth like the following, to separate the normal logic from error-handling logic.


if (utfLen < nameLen) {
  // overflowing...
  return false;
}

return utfLen <= JAVA_CLASSNAME_MAX_LEN;

-------------

Marked as reviewed by ayang (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/26802#pullrequestreview-3179936966
PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2318477446
PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2318477926