RFR: 8323706: Remove SimpleSelector and CompoundSelector classes [v7]
John Hendrikx
jhendrikx at openjdk.org
Wed Aug 7 23:01:36 UTC 2024
On Wed, 7 Aug 2024 22:27:10 GMT, Andy Goryachev <angorya at openjdk.org> wrote:
>> John Hendrikx has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Fix bug
>
> modules/javafx.graphics/src/main/java/com/sun/javafx/css/BinarySerializer.java line 106:
>
>> 104: */
>> 105:
>> 106: is.readByte();
>
> should we still check the value and throw an IOE if it is wrong _for security reasons_?
I'm not entirely sure what security reasons you may be referring to; we're not instantiating classes by string for example, and Java doesn't suffer from out of bounds memory accesses due to a bad interpretation of a binary format.
However, this code is a bit more lenient than the original. The original code would deserialize this as a `CompoundSelector` but then subsequently fail with a `ClassCastException` as it assumes it will be a `SimpleSelector`. I could make it fully compatible in this regard, although it is extremely unlikely that there are any bad files out there where this would apply (as the old implementation would never load it).
Anyway, I'm fine with rejecting values that are not `TYPE_SIMPLE`.
-------------
PR Review Comment: https://git.openjdk.org/jfx/pull/1333#discussion_r1708062962
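
The check discussed in this message, as an added example that is not part of the original e-mail or of the OpenJFX code: a lenient reader that skips the type byte beside a strict one that throws an `IOException` for anything other than `TYPE_SIMPLE`. The constant values, the class and method names, and the one-string record layout are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class SelectorTagCheck {
    // Assumed values for illustration only; the real constants are defined in the project.
    static final byte TYPE_SIMPLE = 1;
    static final byte TYPE_COMPOUND = 2;

    // Lenient reader: consumes the type byte without inspecting it.
    static String readLenient(DataInputStream is) throws IOException {
        is.readByte();
        return is.readUTF();
    }

    // Strict reader: rejects any type byte other than TYPE_SIMPLE before parsing further.
    static String readStrict(DataInputStream is) throws IOException {
        byte type = is.readByte();
        if (type != TYPE_SIMPLE) {
            throw new IOException("Unexpected selector type " + type + ", expected " + TYPE_SIMPLE);
        }
        return is.readUTF();
    }

    // Builds a constructed record: one type byte followed by a UTF string (hypothetical layout).
    static byte[] record(byte type, String name) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream os = new DataOutputStream(bytes);
        os.writeByte(type);
        os.writeUTF(name);
        os.flush();
        return bytes.toByteArray();
    }

    static DataInputStream in(byte[] data) {
        return new DataInputStream(new ByteArrayInputStream(data));
    }

    public static void main(String[] args) throws IOException {
        byte[] bad = record(TYPE_COMPOUND, "button");
        System.out.println("lenient: " + readLenient(in(bad)));   // wrong tag is accepted
        try {
            readStrict(in(bad));
        } catch (IOException e) {
            System.out.println("strict: " + e.getMessage());      // wrong tag is rejected
        }
        System.out.println("strict: " + readStrict(in(record(TYPE_SIMPLE, "button"))));
    }
}
```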