From 063d3cc59aad88f02bc82bc6e417a828dae9ef2d Mon Sep 17 00:00:00 2001
From: Alexander Kriegisch <Alexander@Kriegisch.name>
Date: Sun, 13 Nov 2022 11:28:22 +0100
Subject: Address upstream BCEL vulnerability CVE-2022-42920

Fixes #192.

See https://github.com/advisories/GHSA-97xg-phpr-rg8q.
See https://issues.apache.org/jira/browse/BCEL-363.
See https://github.com/apache/commons-bcel/pull/147.

Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>
---
 .../apache/bcel/classfile/ConstantPool.java        | 25 ++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/bcel-builder/src/main/java/org/aspectj/apache/bcel/classfile/ConstantPool.java b/bcel-builder/src/main/java/org/aspectj/apache/bcel/classfile/ConstantPool.java
index f8894def4..5b434651e 100644
--- a/bcel-builder/src/main/java/org/aspectj/apache/bcel/classfile/ConstantPool.java
+++ b/bcel-builder/src/main/java/org/aspectj/apache/bcel/classfile/ConstantPool.java
@@ -59,6 +59,7 @@ import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
 
+import com.sun.org.apache.bcel.internal.Const;
 import org.aspectj.apache.bcel.Constants;
 import org.aspectj.apache.bcel.generic.ArrayType;
 import org.aspectj.apache.bcel.generic.ObjectType;
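Review bot: The added import `com.sun.org.apache.bcel.internal.Const` pulls the limit from the JDK's internal, repackaged BCEL copy rather than from this project's own code. That package is not an exported API, so whether the class resolves at compile time and at run time depends on the JDK version and on module encapsulation. A security fix should not hinge on that. I would define the limit locally, for example `int MAX_CP_ENTRIES = 65535;` in `org.aspectj.apache.bcel.Constants` (imported on the next line; whether it already has such a constant is not visible here), and reference `Constants.MAX_CP_ENTRIES` in both changed methods.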
@@ -288,8 +289,14 @@ public class ConstantPool implements Node {
 	} // TEMPORARY, DONT LIKE PASSING THIS DATA OUT!
 
 	public void dump(DataOutputStream file) throws IOException {
-		file.writeShort(poolSize);
-		for (int i = 1; i < poolSize; i++)
+		/*
+		 * Constants over the size of the constant pool shall not be written out.
+		 * This is a redundant measure as the ConstantPoolGen should have already
+		 * reported an error back in the situation.
+		 */
+		final int size = Math.min(poolSize, Const.MAX_CP_ENTRIES);
+		file.writeShort(size);
+		for (int i = 1; i < size; i++)
 			if (pool[i] != null)
 				pool[i].dump(file);
 	}
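Review bot: Clamping with `Math.min(poolSize, Const.MAX_CP_ENTRIES)` in dump() silently drops every entry above the limit, so an oversized pool is written as a truncated one with no signal to the caller. Any index that referred to a dropped entry would then point outside the written pool, and the problem only surfaces when the class is loaded or verified. Because the comment itself calls this a redundant safeguard, failing loudly is easier to detect: `if (poolSize > Const.MAX_CP_ENTRIES) throw new IllegalStateException("constant pool too large: " + poolSize);`. The comment also attributes the primary check to ConstantPoolGen, while the check this commit adds is in ConstantPool.adjustSize(); it should name the method that actually enforces the limit.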
@@ -417,9 +424,19 @@ public class ConstantPool implements Node {
 	}
 
 	private void adjustSize() {
-		if (poolSize + 3 >= pool.length) {
+    // 3 extra spaces are needed as some entries may take 3 slots
+    if (poolSize + 3 >= Const.MAX_CP_ENTRIES + 1) {
+      throw new IllegalStateException(
+        "The number of constants " + (poolSize + 3) +
+        " is over the size of the constant pool: " + Const.MAX_CP_ENTRIES
+      );
+    }
+    if (poolSize + 3 >= pool.length) {
 			Constant[] cs = pool;
-			pool = new Constant[cs.length + 8];
+			int size = cs.length + 8;
+			// the constant array shall not exceed the size of the constant pool
+			size = Math.min(size, Const.MAX_CP_ENTRIES + 1);
+			pool = new Constant[size];
 			System.arraycopy(cs, 0, pool, 0, cs.length);
 		}
 		if (poolSize == 0)
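Review bot: The exception message in adjustSize() reports `poolSize + 3` as "the number of constants", which overstates the real entry count by the three-slot headroom and will mislead anyone triaging a rejected class. Report the actual count and the reason separately, for example `"Constant pool has " + poolSize + " entries; reserving 3 more slots would exceed the limit of " + Const.MAX_CP_ENTRIES`. The new guard block is indented with spaces while the surrounding lines use tabs, so it should be re-indented to match the file. The method body continues past the end of this hunk, so whether every path that appends to `pool` goes through adjustSize() first cannot be confirmed from here.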
-- 
cgit v1.2.3