RFR: 8328874: Class::forName0 should validate the class name length early [v15]

Chen Liang liach at openjdk.org
Mon Sep 8 18:06:15 UTC 2025


On Sun, 7 Sep 2025 14:50:56 GMT, Guanqiang Han <ghan at openjdk.org> wrote:

>> Validate class name length immediately after GetStringUTFLength() in Class.forName0. This prevents potential issues caused by overly long class names before they reach later code that would reject them, throwing ClassNotFoundException early.
>
> Guanqiang Han has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Use a different native method for testNative, since the implementation of forName has changed.

The production code looks good. Tests seem to be too reliant on the exact exception message (which is deemed an antipattern sometimes) but I think we can tweak those tests when they run into problems due to other changes later.

src/java.base/share/classes/java/lang/Class.java line 4162:

> 4160:         if (!ModifiedUtf.isValidLengthInConstantPool(name)) {
> 4161:             throw new ClassNotFoundException(
> 4162:                     "Class name length exceeds limit of " + ModifiedUtf.CONSTANT_POOL_UTF8_MAX_BYTES);

Suggestion:

                    "Class name length exceeds limit of " + ModifiedUtf.CONSTANT_POOL_UTF8_MAX_BYTES + ": " + name);

-------------

Marked as reviewed by liach (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/26802#pullrequestreview-3194575026
PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2328827911
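
The check discussed in this review is about encoded length, not character count. As an added illustration (not code from the pull request or the JDK), the sketch below computes a name's modified UTF-8 length and compares it with the 65535-byte ceiling set by the u2 length field of a class-file `CONSTANT_Utf8_info` entry. The class and method names are hypothetical, the inputs are constructed, and `String.repeat` needs Java 11 or later.

```java
public class ClassNameLengthCheck {
    // CONSTANT_Utf8_info stores its byte count in a u2, so 65535 is the ceiling.
    static final int MAX_UTF8_BYTES = 65535;

    // Length of s once encoded as modified UTF-8 (class-file and JNI encoding).
    static long modifiedUtf8Length(String s) {
        long bytes = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c >= 0x0001 && c <= 0x007F) {
                bytes += 1;
            } else if (c <= 0x07FF) {
                bytes += 2; // U+0000 lands here too: it is encoded as 0xC0 0x80
            } else {
                bytes += 3; // each half of a surrogate pair is encoded separately
            }
        }
        return bytes;
    }

    static boolean fitsInConstantPool(String name) {
        return modifiedUtf8Length(name) <= MAX_UTF8_BYTES;
    }

    // Hypothetical wrapper: reject before any lookup or native call is made.
    static Class<?> loadChecked(String name) throws ClassNotFoundException {
        if (!fitsInConstantPool(name)) {
            throw new ClassNotFoundException(
                    "Class name length exceeds limit of " + MAX_UTF8_BYTES);
        }
        return Class.forName(name);
    }

    public static void main(String[] args) {
        // Constructed inputs; none names a real class.
        String[] names = {
            "A".repeat(65535),       // 65535 bytes: at the limit
            "A".repeat(65536),       // 65536 bytes: one over
            "\u4e2d".repeat(21846),  // 21846 chars but 65538 bytes
            "\0".repeat(32768),      // 32768 chars but 65536 bytes
        };
        for (String n : names) {
            System.out.printf("chars=%d bytes=%d fits=%b%n",
                    n.length(), modifiedUtf8Length(n), fitsInConstantPool(n));
        }
    }
}
```

The last two inputs are well under 65535 characters yet fail the check, which is why a test on `String.length()` alone would not be equivalent.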

