It is possible to make URLClassLoader.findClass() to throw unexpected IndexOutOfBoundsException.

This is because jdk.internal.loader.Resource.getBytes() fails to handle integer overflow when allocating memory.

Here's a simple reproducer:

$ touch LARGE.class
$ truncate -s 2147483647 LARGE.class
$ jar -c -f JAR.jar LARGE.class
$ javac POC.java
$ java -Xms5G POC
Exception in thread "main" java.lang.IndexOutOfBoundsException
    at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:147)
    at java.base/jdk.internal.loader.Resource.getBytes(Resource.java:124)
    at java.base/java.net.URLClassLoader.defineClass(URLClassLoader.java:510)
    at java.base/java.net.URLClassLoader$1.run(URLClassLoader.java:423)
    at java.base/java.net.URLClassLoader$1.run(URLClassLoader.java:417)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:690)
    at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:416)
    at MyCL.<init>(POC.java:13)
    at POC.main(POC.java:6)


where POC.java is:
----------------
import java.net.*;
import java.io.*;

public class POC {
    public static void main(String[] args) throws Throwable {
        var cl = new MyCL();
    }
}

class MyCL extends URLClassLoader {
    public MyCL() throws Throwable {
        super(new URL[] {new URL("file:JAR.jar")});
        findClass("LARGE");
    }
}
----------------

The expected exception here would be either OutOfMemoryError or ClassFormatError.