On Thu, 4 Sep 2025 13:22:08 GMT, Guanqiang Han <g...@openjdk.org> wrote:

>> Validate class name length immediately after GetStringUTFLength() in 
>> Class.forName0. This prevents potential issues caused by overly long class 
>> names before they reach later code that would reject them, throwing 
>> ClassNotFoundException early.
>
> Guanqiang Han has updated the pull request with a new target base due to a 
> merge or a rebase. The incremental webrev excludes the unrelated changes 
> brought in by the merge/rebase. The pull request contains 16 additional 
> commits since the last revision:
> 
>  - move common method into a common file.
>  - Merge remote-tracking branch 'upstream/master' into 8328874
>  - Update Class.java
>    
>    change overflow check
>  - Update Class.java
>    
>    Simplify length check
>  - Update Class.java
>    
>    avoid the case of int overflow
>  - Update Class.java
>    
>    Use ModifiedUtf.utfLen instead of static import for readability
>  - change copyright year
>  - a small fix
>  - add regression test
>  - Merge remote-tracking branch 'upstream/master' into 8328874
>  - ... and 6 more: https://git.openjdk.org/jdk/compare/829295d7...edc1694d

src/java.base/share/classes/jdk/internal/util/ModifiedUtf.java line 37:

> 35: public abstract class ModifiedUtf {
> 36:     //Max length in Modified UTF-8 bytes for class names.(see max_symbol_length in symbol.hpp)
> 37:     public static final int JAVA_CLASSNAME_MAX_LEN = 65535;

max_symbol_length is not just class names - it is presumably the limit for 
modified UTF-8, as seen in `java.io.DataOutput::writeUTF`. We can just use a 
more generic name like `MAX_ENCODED_LENGTH`.

src/java.base/share/classes/jdk/internal/util/ModifiedUtf.java line 80:

> 78:      */
> 79:     @ForceInline
> 80:     public static boolean classNameLengthIsValid(String name) {

This can be reused by `DataOutput` too, so maybe just `isEncodable`

src/java.base/share/classes/jdk/internal/util/ModifiedUtf.java line 87:

> 85:             return true;
> 86:         }
> 87:         // Check exact Modified UTF-8 length.

Before doing that, I recommend another fast path
`if (nameLen > MAX_LEN) return false`.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2322427947
PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2322433506
PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2322433856
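
The length check discussed in this review, as an added Java example that is not part of the original message and is not the JDK's own code: a fast accept, the fast reject suggested above, and the exact Modified UTF-8 count in between. The class name, the `utfLen` body, and the fast-accept bound are assumptions; `MAX_ENCODED_LENGTH` and `isEncodable` use the names proposed in the review, and the sample strings are constructed.

```java
// Added illustration; not the JDK's ModifiedUtf implementation.
public class ModifiedUtfLengthDemo {
    // Limit quoted in the review (65535), under the generic name the reviewer suggested.
    static final int MAX_ENCODED_LENGTH = 65535;

    // Exact Modified UTF-8 length. Accumulates in a long so that a very long
    // String (up to Integer.MAX_VALUE chars, 3 bytes each) cannot overflow.
    static long utfLen(String s) {
        long len = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c >= 0x0001 && c <= 0x007F) {
                len += 1;
            } else if (c <= 0x07FF) {
                len += 2;   // includes U+0000, which is encoded as 0xC0 0x80
            } else {
                len += 3;   // includes each half of a surrogate pair
            }
        }
        return len;
    }

    static boolean isEncodable(String s) {
        int n = s.length();
        // Fast accept: no char needs more than 3 bytes.
        if (n <= MAX_ENCODED_LENGTH / 3) return true;
        // Fast reject: every char needs at least 1 byte.
        if (n > MAX_ENCODED_LENGTH) return false;
        // Only the middle band pays for the exact count.
        return utfLen(s) <= MAX_ENCODED_LENGTH;
    }

    static void expect(boolean expected, String s, String label) {
        boolean actual = isEncodable(s);
        if (actual != expected) throw new AssertionError(label);
        System.out.println(label + ": chars=" + s.length()
                + " bytes=" + utfLen(s) + " encodable=" + actual);
    }

    public static void main(String[] args) {
        // Constructed inputs around each boundary.
        expect(true,  "a".repeat(65535),      "ascii at limit");
        expect(false, "a".repeat(65536),      "ascii over limit (fast reject)");
        expect(true,  "\u4e2d".repeat(21845), "3-byte chars at limit (fast accept)");
        expect(false, "\u4e2d".repeat(21846), "3-byte chars over limit");
        expect(false, "\0".repeat(32768),     "NUL chars, 2 bytes each, over limit");
    }
}
```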
