On 22/11/2022 13:10, Gary D. Gregory wrote:
I am concerned that the recent fixes we've made through OSS fuzz and code 
inspection to validate input are semantically incorrect: The verifier should 
catch these errors, not the construction of Java objects. This could be a case 
where fuzzing and low-level code inspections only appear to find issues but are 
ignorant of the usage context.

Thoughts?

My understanding of the Javadocs was that these changes are consistent with the documented behaviour.

ClassParser.parse() throws ClassFormatException if the class file is malformed. I think all the recent changes come under this heading.

Verification is (mostly) concerned with the byte code in Code attributes. Those are opaque to the parser.

Mark
