On Tue, 19 Aug 2025 15:20:52 GMT, Guanqiang Han <g...@openjdk.org> wrote:
>> Validate class name length immediately after GetStringUTFLength() in
>> Class.forName0. This prevents potential issues caused by overly long class
>> names before they reach later code that would reject them, throwing
>> ClassNotFoundException early.
>
> Guanqiang Han has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Update Class.java
>
>   correct length of class name

src/java.base/share/classes/java/lang/Class.java line 4160:

> 4158:     private static boolean classNameLengthIsValid(String name) {
> 4159:         Objects.requireNonNull(name);
> 4160:         return getUtf8Length(name) <= JAVA_CLASSNAME_MAX_LEN;

An exact UTF-8 length is not needed to know that the length is valid.
The worst case expansion is *4 for an encoding of a pair of surrogate chars.
A quick approximation would be: `name.length() <= JAVA_CLASSNAME_MAX_LEN / 4`.
Most class names are much shorter and almost never need to compute the exact UTF-8 length.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26802#discussion_r2286624874