On Wed, 7 Aug 2024 22:27:10 GMT, Andy Goryachev <ango...@openjdk.org> wrote:

>> John Hendrikx has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>>   Fix bug
>
> modules/javafx.graphics/src/main/java/com/sun/javafx/css/BinarySerializer.java
> line 106:
>
>> 104:      */
>> 105:
>> 106:         is.readByte();
>
> should we still check the value and throw an IOE if it is wrong _for security
> reasons_?

I'm not entirely sure what security reasons you may be referring to; we're not instantiating classes by string, for example, and Java doesn't suffer from out of bounds memory accesses due to a bad interpretation of a binary format.

However, this code is a bit more lenient than the original. The original code would deserialize this as a `CompoundSelector` but then subsequently fail with a `ClassCastException` as it assumes it will be a `SimpleSelector`. I could make it fully compatible in this regard, although it is extremely unlikely that there are any bad files out there where this would apply (as the old implementation would never load it).

Anyway, I'm fine with rejecting values that are not `TYPE_SIMPLE`.

-------------

PR Review Comment: https://git.openjdk.org/jfx/pull/1333#discussion_r1708062962
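The two behaviours discussed in the thread, shown side by side as an added example that is not code from the JavaFX `BinarySerializer` or from the pull request: a lenient reader that consumes the selector type tag and ignores it, and a strict reader that rejects any tag other than `TYPE_SIMPLE` with an `IOException` before trying to parse the body. The tag values, the `readSimpleSelectorBody` stand-in and the sample stream are all constructed for this example; the real constants and body format live in the JavaFX serializer.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

/**
 * Constructed example (not JavaFX's BinarySerializer): two ways of consuming
 * a one-byte selector type tag from a binary stream.
 */
public final class SelectorTagReader {

    // Assumed tag values for this example; the real constants are the
    // serializer's own.
    static final byte TYPE_SIMPLE = 1;
    static final byte TYPE_COMPOUND = 2;

    /** Lenient variant: consumes the tag and discards its value. */
    static String readLenient(DataInputStream is) throws IOException {
        is.readByte();                       // value ignored
        return readSimpleSelectorBody(is);   // assumes a SimpleSelector follows
    }

    /** Strict variant: fails early on any tag other than TYPE_SIMPLE. */
    static String readStrict(DataInputStream is) throws IOException {
        byte type = is.readByte();
        if (type != TYPE_SIMPLE) {
            throw new IOException("unexpected selector type tag: " + type);
        }
        return readSimpleSelectorBody(is);
    }

    // Stand-in for the real body format: a single UTF string with the
    // selector text (constructed for this example).
    private static String readSimpleSelectorBody(DataInputStream is) throws IOException {
        return is.readUTF();
    }

    // Builds a small in-memory stream: one tag byte followed by the body.
    static DataInputStream stream(byte tag, String body) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(bos);
        dos.writeByte(tag);
        dos.writeUTF(body);
        dos.flush();
        return new DataInputStream(new ByteArrayInputStream(bos.toByteArray()));
    }

    public static void main(String[] args) throws IOException {
        // Well-formed input: both variants return ".label".
        System.out.println(readLenient(stream(TYPE_SIMPLE, ".label")));
        System.out.println(readStrict(stream(TYPE_SIMPLE, ".label")));

        // Wrong tag: the lenient variant parses whatever follows as if it
        // were a SimpleSelector; the strict variant reports the bad tag.
        System.out.println(readLenient(stream(TYPE_COMPOUND, ".label")));
        try {
            readStrict(stream(TYPE_COMPOUND, ".label"));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The strict variant is the cheaper place to detect a malformed or stale file: it reports the exact tag that was read instead of letting a later stage fail with a `ClassCastException` or parse unrelated bytes as a selector body.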
>> John Hendrikx has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Fix bug > > modules/javafx.graphics/src/main/java/com/sun/javafx/css/BinarySerializer.java > line 106: > >> 104: */ >> 105: >> 106: is.readByte(); > > should we still check the value and throw an IOE if it is wrong _for security > reasons_? I'm not entirely sure what security reasons you may be referring to; we're not instantiating classes by string for example, and Java doesn't suffer from out of bounds memory accesses due to a bad interpretation of a binary format. However, this code is a bit more lenient than the original. The original code would deserialize this as a `CompoundSelector` but then subsequently fail with a `ClassCastException` as it assumes it will be a `SimpleSelector`. I could make it fully compatible in this regard, although it is extremely unlikely that there are any bad files out there where this would apply (as the old implementation would never load it). Anyway, I'm fine with rejecting values that are not `TYPE_SIMPLE`. ------------- PR Review Comment: https://git.openjdk.org/jfx/pull/1333#discussion_r1708062962