...
The length of the new
Stringis a function of the charset, and hence may not be equal to the length of the byte array. The behavior of this constructor when the given bytes are not valid in the given charset is unspecified.
This guideline rule falls under EX0 of guideline rule FIO11-J. Do not attempt to read raw binary data as character data. Also, see the related guideline rule IDS13-J. Do not assume every character in a string is the same size for more information.
...
Search for vulnerabilities resulting from the violation of this guideline rule on the CERT website.
Bibliography
...