From 063d3cc59aad88f02bc82bc6e417a828dae9ef2d Mon Sep 17 00:00:00 2001 From: Alexander Kriegisch Date: Sun, 13 Nov 2022 11:28:22 +0100 Subject: Address upstream BCEL vulnerability CVE-2022-42920 Fixes #192. See https://github.com/advisories/GHSA-97xg-phpr-rg8q. See https://issues.apache.org/jira/browse/BCEL-363. See https://github.com/apache/commons-bcel/pull/147. Signed-off-by: Alexander Kriegisch --- .../apache/bcel/classfile/ConstantPool.java | 25 ++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) (limited to 'bcel-builder') diff --git a/bcel-builder/src/main/java/org/aspectj/apache/bcel/classfile/ConstantPool.java b/bcel-builder/src/main/java/org/aspectj/apache/bcel/classfile/ConstantPool.java index f8894def4..5b434651e 100644 --- a/bcel-builder/src/main/java/org/aspectj/apache/bcel/classfile/ConstantPool.java +++ b/bcel-builder/src/main/java/org/aspectj/apache/bcel/classfile/ConstantPool.java @@ -59,6 +59,7 @@ import java.io.IOException; import java.util.HashMap; import java.util.Map; +import com.sun.org.apache.bcel.internal.Const; import org.aspectj.apache.bcel.Constants; import org.aspectj.apache.bcel.generic.ArrayType; import org.aspectj.apache.bcel.generic.ObjectType; @@ -288,8 +289,14 @@ public class ConstantPool implements Node { } // TEMPORARY, DONT LIKE PASSING THIS DATA OUT! public void dump(DataOutputStream file) throws IOException { - file.writeShort(poolSize); - for (int i = 1; i < poolSize; i++) + /* + * Constants over the size of the constant pool shall not be written out. + * This is a redundant measure as the ConstantPoolGen should have already + * reported an error back in the situation. + */ + final int size = Math.min(poolSize, Const.MAX_CP_ENTRIES); + file.writeShort(size); + for (int i = 1; i < size; i++) if (pool[i] != null) pool[i].dump(file); } 
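Review bot: The added `import com.sun.org.apache.bcel.internal.Const;` ties this security fix to the JDK's private copy of BCEL rather than to the project's own `org.aspectj.apache.bcel` classes. That package is not an exported API of the `java.xml` module, so compiling on a modular JDK is likely to need `--add-exports` or to fail outright, and the limit would then depend on whichever JDK runs the build. Defining the limit locally avoids this: add a `MAX_CP_ENTRIES = 65535` constant (the u2 ceiling of `constant_pool_count`) to `org.aspectj.apache.bcel.Constants`, which is already imported here, and use `Constants.MAX_CP_ENTRIES` in `dump()` and `adjustSize()`.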
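Review bot: In `dump()`, `Math.min(poolSize, Const.MAX_CP_ENTRIES)` silently drops every entry past the limit, so an oversized pool is written as a shorter one while other parts of the class may still hold indices into the dropped range. Because the comment describes this as a redundant safeguard, failing loudly is the safer default, e.g. `if (poolSize > Const.MAX_CP_ENTRIES) throw new IllegalStateException("Constant pool too large: " + poolSize);` ahead of `writeShort`. If truncation is kept for parity with upstream, the comment should say so and name the check that actually exists in this file: it refers to `ConstantPoolGen`, whereas this commit adds the guard to `ConstantPool.adjustSize()`.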
@@ -417,9 +424,19 @@ public class ConstantPool implements Node { } private void adjustSize() { - if (poolSize + 3 >= pool.length) { + // 3 extra spaces are needed as some entries may take 3 slots + if (poolSize + 3 >= Const.MAX_CP_ENTRIES + 1) { + throw new IllegalStateException( + "The number of constants " + (poolSize + 3) + + " is over the size of the constant pool: " + Const.MAX_CP_ENTRIES + ); + } + if (poolSize + 3 >= pool.length) { Constant[] cs = pool; - pool = new Constant[cs.length + 8]; + int size = cs.length + 8; + // the constant array shall not exceed the size of the constant pool + size = Math.min(size, Const.MAX_CP_ENTRIES + 1); + pool = new Constant[size]; System.arraycopy(cs, 0, pool, 0, cs.length); } if (poolSize == 0) -- cgit v1.2.3
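Review bot: The message built in the new `throw` in `adjustSize()` prints `poolSize + 3` as "the number of constants", which is the current count plus the three-slot headroom, so anyone triaging the exception sees a figure that is off by three. Reporting the real count keeps the diagnostic accurate, e.g. `"Constant pool would exceed " + Const.MAX_CP_ENTRIES + " entries (current size " + poolSize + ")"`. The guard only protects code paths that call `adjustSize()` before growing the pool; whether every place that increments `poolSize` does so is not visible in this hunk, and a regression test that fills a pool up to the limit would pin that down. `adjustSize()` continues past the end of this hunk.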