From d98245e5c808816f0ec1382ada2cb893b01101d2 Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Thu, 1 Dec 2022 20:04:58 +0100
Subject: [PATCH] CVE-2022-42920
---
src/java/org/apache/bcel/classfile/ConstantPool.java | 11 +++++++++--
src/java/org/apache/bcel/generic/ConstantPoolGen.java | 10 +++++++++-
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/src/java/org/apache/bcel/classfile/ConstantPool.java b/src/java/org/apache/bcel/classfile/ConstantPool.java
index 8c666cf9..267227cd 100644
--- a/src/java/org/apache/bcel/classfile/ConstantPool.java
+++ b/src/java/org/apache/bcel/classfile/ConstantPool.java
@@ -198,8 +198,15 @@ public class ConstantPool implements Cloneable, Node, Serializable {
* @throws IOException
*/
public void dump( DataOutputStream file ) throws IOException {
- file.writeShort(constant_pool_count);
- for (int i = 1; i < constant_pool_count; i++) {
+ /*
+ * Constants over the size of the constant pool shall not be written out.
+ * This is a redundant measure as the ConstantPoolGen should have already
+ * reported an error back in the situation.
+ */
+ final int size = Math.min(constant_pool_count, Constants.MAX_CP_ENTRIES);
+
+ file.writeShort(size);
+ for (int i = 1; i < size; i++) {
if (constant_pool[i] != null) {
constant_pool[i].dump(file);
}
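Review bot: The `Math.min` on the new `size` line silently truncates an oversized pool instead of failing, so an in-memory `ConstantPool` with more than `MAX_CP_ENTRIES` entries is still written out as a short count followed by only the first `size - 1` entries, while any bytecode referencing the dropped indices is left dangling in the emitted class. Since the comment itself calls this a redundant backstop that `ConstantPoolGen` should already have reported, the safer behaviour for a defensive check that "cannot happen" is to fail loudly: `if (constant_pool_count > Constants.MAX_CP_ENTRIES) { throw new IllegalStateException("Constant pool count " + constant_pool_count + " exceeds " + Constants.MAX_CP_ENTRIES); }` before `file.writeShort(constant_pool_count)`, rather than emitting an internally inconsistent class file. Whether `constant_pool.length` can itself be smaller than `constant_pool_count` is not visible here, so the loop bound may need the same consideration. The body of `dump` continues past the end of this hunk.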
diff --git a/src/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/java/org/apache/bcel/generic/ConstantPoolGen.java
index fd533be8..a6960e50 100644
--- a/src/java/org/apache/bcel/generic/ConstantPoolGen.java
+++ b/src/java/org/apache/bcel/generic/ConstantPoolGen.java
@@ -76,7 +76,7 @@ public class ConstantPoolGen implements java.io.Serializable {
*/
public ConstantPoolGen(Constant[] cs) {
if (cs.length > size) {
- size = cs.length;
+ size = Math.min(cs.length, Constants.MAX_CP_ENTRIES + 1);
constants = new Constant[size];
}
System.arraycopy(cs, 0, constants, 0, cs.length);
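Review bot: Capping `size` on the new line while the following `System.arraycopy` still copies `cs.length` elements means an input array longer than `MAX_CP_ENTRIES + 1` now fails with an `ArrayIndexOutOfBoundsException` from `arraycopy` (destination too small) rather than a diagnosable error. Check the input up front instead of clamping the allocation: `if (cs.length > Constants.MAX_CP_ENTRIES + 1) { throw new IllegalArgumentException("Constant pool of " + cs.length + " entries exceeds the limit of " + Constants.MAX_CP_ENTRIES); }` placed before the `if (cs.length > size)` test, after which the original `size = cs.length;` assignment can stay. This also mirrors the explicit `IllegalStateException` the same patch adds in `adjustSize`, so callers get a consistent failure mode. The constructor body continues past the end of this hunk, so whatever `index` is initialised to there is not visible.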
@@ -156,9 +156,17 @@ public class ConstantPoolGen implements java.io.Serializable {
/** Resize internal array of constants.
*/
protected void adjustSize() {
+ // 3 extra spaces are needed as some entries may take 3 slots
+ if (index + 3 >= Constants.MAX_CP_ENTRIES + 1) {
+ throw new IllegalStateException("The number of constants " + (index + 3)
+ + " is over the size of the constant pool: "
+ + Constants.MAX_CP_ENTRIES);
+ }
if (index + 3 >= size) {
Constant[] cs = constants;
size *= 2;
+ // the constant array shall not exceed the size of the constant pool
+ size = Math.min(size, Constants.MAX_CP_ENTRIES + 1);
constants = new Constant[size];
System.arraycopy(cs, 0, constants, 0, index);
}
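Review bot: The message built in the new `throw` reports `index + 3` as "the number of constants", but that value is the current fill level plus the 3-slot reservation, not an entry count, which will confuse anyone debugging a rejected pool. Report the real quantities instead, e.g. `throw new IllegalStateException("Constant pool has " + index + " entries; adding up to 3 more would exceed the limit of " + Constants.MAX_CP_ENTRIES);`. Note also that the check refuses growth once fewer than 3 slots remain even for a 1-slot constant; that is a deliberate conservative margin per the comment, and it is safe, but it is worth stating in the comment that a pool can therefore hold slightly fewer than `MAX_CP_ENTRIES` entries so the limit is not mistaken for an off-by-one bug. The `size *= 2` followed by the new `Math.min` is sound since the preceding throw already guarantees `index + 3 < MAX_CP_ENTRIES + 1`.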
--
2.38.1