On Tue, 19 Aug 2025 12:54:22 GMT, Guanqiang Han <g...@openjdk.org> wrote:
>> Validate class name length immediately after GetStringUTFLength() in
>> Class.forName0. This prevents potential issues caused by overly long class
>> names before they reach later code that would reject them, throwing
>> ClassNotFoundException early.
>
> Guanqiang Han has updated the pull request with a new target base due to a
> merge or a rebase. The incremental webrev excludes the unrelated changes
> brought in by the merge/rebase. The pull request contains three additional
> commits since the last revision:
>
>  - move check into java side
>  - Merge remote-tracking branch 'upstream/master' into 8328874
>  - 8328874: Class::forName0 should validate the class name length early
>
>    Validate class name length immediately after GetStringUTFLength() in
>    Class.forName0. This prevents potential issues caused by overly long class
>    names before they reach later code that would reject them, throwing
>    ClassNotFoundException early.

src/java.base/share/classes/java/lang/Class.java line 4160:

> 4158:     private static boolean classNameLengthIsValid(String name) {
> 4159:         Objects.requireNonNull(name);
> 4160:         return name.length() <= JAVA_CLASSNAME_MAX_LEN;

This check is incorrect, as the `JAVA_CLASSNAME_MAX_LEN` applies to the Modified UTF‑8 length, rather than the UTF‑16 length.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2285226775
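
The distinction the review comment draws, shown as an added example that is not part of the original message or of the JDK change: a name can pass a `String.length()` check and still exceed the limit once encoded as Modified UTF-8. The class and method names are hypothetical, and `MAX_LEN` is an assumed value (65535, the largest length a class-file `u2` field can hold), since the page does not state the value of `JAVA_CLASSNAME_MAX_LEN`.

```java
public class ClassNameLengthDemo {
    // Assumption: 65535, the maximum of the u2 length field of a class-file
    // CONSTANT_Utf8 entry. The page does not give JAVA_CLASSNAME_MAX_LEN's value.
    static final int MAX_LEN = 65535;

    /** Number of bytes needed to encode s in Modified UTF-8. */
    static long modifiedUtf8Length(String s) {
        long len = 0;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c >= 0x0001 && c <= 0x007F) {
                len += 1;            // plain ASCII except NUL
            } else if (c <= 0x07FF) {
                len += 2;            // U+0080..U+07FF, and U+0000 (0xC0 0x80)
            } else {
                len += 3;            // U+0800..U+FFFF; a surrogate pair is
            }                        // encoded per half, so 6 bytes in total
        }
        return len;
    }

    /** The check as quoted in the review: counts UTF-16 code units. */
    static boolean utf16Check(String name) {
        return name.length() <= MAX_LEN;
    }

    /** The check measured in the units the limit applies to. */
    static boolean modifiedUtf8Check(String name) {
        return modifiedUtf8Length(name) <= MAX_LEN;
    }

    static void report(String label, String name) {
        System.out.printf("%-14s utf16=%d mutf8=%d utf16Check=%b mutf8Check=%b%n",
                label, name.length(), modifiedUtf8Length(name),
                utf16Check(name), modifiedUtf8Check(name));
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the pull request.
        report("ascii", "a".repeat(MAX_LEN));            // both checks agree
        report("cjk", "\u4e2d".repeat(30_000));          // 3 bytes per char
        report("supplementary", "\uD835\uDC00".repeat(15_000)); // 6 bytes per pair
        report("nul", "\u0000".repeat(40_000));          // 2 bytes per char
    }
}
```

For the three non-ASCII samples the two checks disagree: the UTF-16 count stays under the limit while the Modified UTF-8 count exceeds it.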