RFR: 8328874: Class::forName0 should validate the class name length early [v12]
Roger Riggs
rriggs at openjdk.org
Wed Sep 3 18:42:43 UTC 2025
On Fri, 29 Aug 2025 06:45:25 GMT, Guanqiang Han <ghan at openjdk.org> wrote:
>> Validate class name length immediately after GetStringUTFLength() in Class.forName0. This prevents potential issues caused by overly long class names before they reach later code that would reject them, throwing ClassNotFoundException early.
>
> Guanqiang Han has updated the pull request incrementally with one additional commit since the last revision:
>
> Update Class.java
>
> change overflow check
> /reviewers 2 reviewer
>
> I recommend putting this PR on hold - 65535 encoded size for modified utf8 is significant enough for a cross-JDK utility. As @rose00 suggested, I think I will explore adding a check in ClassFile API, and sharing the check with here.
A common boolean function is useful and can be better optimized.
The function should be in a common utility area, but the ClassFile API is a higher level API specific to class files.
Most developers won't think to look there. The jdk.internal.util.ModifiedUtf isn't a bad place for both the boolean function and the utfLen function.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/26802#issuecomment-3250349748
More information about the core-libs-dev
mailing list