On Mon, 3 Feb 2025 18:56:12 GMT, Chen Liang <li...@openjdk.org> wrote:

>> Shaojin Wen has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>>   skip coder change
>
> src/java.base/share/classes/java/lang/AbstractStringBuilder.java line 845:
>
>> 843:         int spaceNeeded = count + DecimalDigits.stringSize(i);
>> 844:         byte[] value = ensureCapacityInternal(spaceNeeded);
>> 845:         if (isLatin1()) {
>
> This is not safe. The ensureCapacityInternal can read coder == LATIN1 and
> allocate a small array, but this `isLatin1` can read coder == UTF16 and write
> a UTF16 number out of bounds.

A check that `spaceNeeded <= (value.length >> 1)` in the `else` branch would be needed and might be a sufficient safeguard here.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23427#discussion_r1940583666
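A simplified model of the two-read pattern the comment describes, added here as an illustration; it is not JDK code. The class and method names, the 8-byte initial array, the byte layout of the UTF16 branch and the exception thrown when the suggested guard fails are assumptions of this model, not the JDK's behaviour.

```java
import java.util.Arrays;

// Model (not JDK code) of a builder whose `coder` is read twice during an append:
// once to size the array and once to choose the write path. A StringBuilder is not
// thread-safe, so a concurrent coder change between those reads can pair a
// LATIN1-sized array with a UTF16 (2 bytes per char) write.
public final class CoderRaceModel {
    static final byte LATIN1 = 0, UTF16 = 1;
    byte coder = LATIN1;
    byte[] value = new byte[8];   // assumed initial capacity
    int count = 0;                // chars stored so far

    boolean isLatin1() { return coder == LATIN1; }

    // First read of `coder`: 1 byte per char for LATIN1, 2 for UTF16.
    byte[] ensureCapacityInternal(int minChars) {
        int needed = isLatin1() ? minChars : minChars << 1;
        if (needed > value.length) value = Arrays.copyOf(value, needed);
        return value;
    }

    // Second read of `coder`, with the review's `spaceNeeded <= (value.length >> 1)`
    // guard in the UTF16 branch. Throwing on failure is this model's choice.
    void writeDigits(String s, int spaceNeeded, byte[] v) {
        if (isLatin1()) {
            for (int k = 0; k < s.length(); k++) v[count++] = (byte) s.charAt(k);
        } else {
            if (spaceNeeded > (v.length >> 1))
                throw new IllegalStateException("coder changed between reads; array too small");
            for (int k = 0; k < s.length(); k++) {
                char c = s.charAt(k);
                v[2 * count] = (byte) (c >> 8); v[2 * count + 1] = (byte) c; count++;
            }
        }
    }

    void appendInt(int i) {
        String s = Integer.toString(i);
        int spaceNeeded = count + s.length();
        writeDigits(s, spaceNeeded, ensureCapacityInternal(spaceNeeded));
    }

    public static void main(String[] args) {
        CoderRaceModel sb = new CoderRaceModel();
        sb.appendInt(123456);                                  // plain LATIN1 append, count = 6
        // Replay the race deterministically: size for LATIN1, flip the coder as a
        // concurrent thread could, then take the UTF16 write path.
        String s = Integer.toString(7890);
        int spaceNeeded = sb.count + s.length();               // 10 chars
        byte[] v = sb.ensureCapacityInternal(spaceNeeded);     // grown to 10 bytes for LATIN1
        sb.coder = UTF16;                                      // 10 chars now need 20 bytes
        try { sb.writeDigits(s, spaceNeeded, v); }
        catch (IllegalStateException e) { System.out.println("guard caught it: " + e.getMessage()); }
    }
}
```

Without the guard the UTF16 loop would index past the 10-byte array; with it, the inconsistency is reported instead of producing an out-of-bounds write.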