From d36f02eb2137a1646cfbba1bbb95b44e241bfc62 Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski
Date: Thu, 1 Dec 2022 20:15:50 +0100
Subject: [PATCH] Fix arbitrary bytecode produced via out-of-bounds writing
Resolves: CVE-2022-42920
---
 0001-CVE-2022-42920.patch | 67 +++++++++++++++++++++++++++++++++++++++
 bcel.spec | 9 +++++-
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 0001-CVE-2022-42920.patch
diff --git a/0001-CVE-2022-42920.patch b/0001-CVE-2022-42920.patch
new file mode 100644
index 0000000..8c64097
--- /dev/null
+++ b/0001-CVE-2022-42920.patch
@@ -0,0 +1,67 @@
+From 60a3e8874e1646c1198252e531029a6f78ff7a51 Mon Sep 17 00:00:00 2001
+From: Richard Atkins
+Date: Wed, 21 Sep 2022 23:18:58 +1000
+Subject: [PATCH] CVE-2022-42920
+
+---
+ .../java/org/apache/bcel/classfile/ConstantPool.java | 11 +++++++++--
+ .../java/org/apache/bcel/generic/ConstantPoolGen.java | 11 ++++++++++-
+ 2 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/java/org/apache/bcel/classfile/ConstantPool.java b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+index c2926c08..b4177771 100644
+--- a/src/main/java/org/apache/bcel/classfile/ConstantPool.java
++++ b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+@@ -218,8 +218,15 @@ public class ConstantPool implements Cloneable, Node {
+ * @throws IOException
+ */
+ public void dump( final DataOutputStream file ) throws IOException {
+- file.writeShort(constantPool.length);
+- for (int i = 1; i < constantPool.length; i++) {
++ /*
++ * Constants over the size of the constant pool shall not be written out.
++ * This is a redundant measure as the ConstantPoolGen should have already
++ * reported an error back in the situation.
++ */
++ final int size = Math.min(constantPool.length, Const.MAX_CP_ENTRIES);
++
++ file.writeShort(size);
++ for (int i = 1; i < size; i++) {
+ if (constantPool[i] != null) {
+ constantPool[i].dump(file);
+ }
+diff --git a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+index 5a09e0d3..ce783549 100644
+--- a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
++++ b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+@@ -95,7 +95,7 @@ public class ConstantPoolGen {
+ public ConstantPoolGen(final Constant[] cs) {
+ final StringBuilder sb = new StringBuilder(DEFAULT_BUFFER_SIZE);
+
+- size = Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64);
++ size = Math.min(Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64), Const.MAX_CP_ENTRIES + 1);
+ constants = new Constant[size];
+
+ System.arraycopy(cs, 0, constants, 0, cs.length);
+@@ -224,9 +224,18 @@ public class ConstantPoolGen {
+ /** Resize internal array of constants.
+ */
+ protected void adjustSize() {
++ // 3 extra spaces are needed as some entries may take 3 slots
++ if (index + 3 >= Const.MAX_CP_ENTRIES + 1) {
++ throw new IllegalStateException("The number of constants " + (index + 3)
++ + " is over the size of the constant pool: "
++ + Const.MAX_CP_ENTRIES);
++ }
++
+ if (index + 3 >= size) {
+ final Constant[] cs = constants;
+ size *= 2;
++ // the constant array shall not exceed the size of the constant pool
++ size = Math.min(size, Const.MAX_CP_ENTRIES + 1);
+ constants = new Constant[size];
+ System.arraycopy(cs, 0, constants, 0, index);
+ }
+--
+2.38.1
+
diff --git a/bcel.spec b/bcel.spec
index 0f13262..6d131a4 100644
--- a/bcel.spec
+++ b/bcel.spec
@@ -1,6 +1,6 @@
 Name: bcel
 Version: 6.5.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Byte Code Engineering Library
 License: ASL 2.0
 URL: http://commons.apache.org/proper/commons-bcel/
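Review bot: The Math.min in ConstantPool.dump turns an oversized pool into a silently truncated class file instead of an error: the entry count and the loop are clamped to Const.MAX_CP_ENTRIES, so every constant above that index is dropped while any bytecode or attribute that still refers to one of those indices now points past the end of the written pool. The embedded comment calls this a redundant measure behind the ConstantPoolGen check, but a last line of defence that rewrites the output is weaker than one that refuses; I would keep `file.writeShort(constantPool.length)` and guard it with `if (constantPool.length > Const.MAX_CP_ENTRIES) {` / `throw new IllegalStateException("Constant pool size " + constantPool.length + " exceeds " + Const.MAX_CP_ENTRIES);` / `}`. The same clamp-instead-of-check pattern appears in the ConstantPoolGen(Constant[]) constructor, where size is capped at MAX_CP_ENTRIES + 1 but the following System.arraycopy still copies cs.length entries, so an oversized input fails with an ArrayIndexOutOfBoundsException rather than a message naming the limit; an explicit length check before the copy would make the failure deliberate. The bodies of dump() and the constructor continue outside the embedded hunks.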
@@ -9,6 +9,8 @@ ExclusiveArch: %{java_arches} noarch
 Source0: http://archive.apache.org/dist/commons/bcel/source/bcel-%{version}-src.tar.gz
+Patch1: 0001-CVE-2022-42920.patch
+
 BuildRequires: maven-local
 BuildRequires: mvn(org.apache.commons:commons-parent:pom:)
@@ -36,6 +38,7 @@ This package provides %{summary}.
 %prep
 %setup -q -n %{name}-%{version}-src
+%patch1 -p1
 %pom_remove_plugin :maven-source-plugin
 %pom_remove_plugin :spotbugs-maven-plugin
@@ -57,6 +60,10 @@ This package provides %{summary}.
 %license LICENSE.txt NOTICE.txt
 %changelog
+* Thu Dec 01 2022 Mikolaj Izdebski - 6.5.0-3
+- Fix arbitrary bytecode produced via out-of-bounds writing
+- Resolves: CVE-2022-42920
+
 * Wed Jul 20 2022 Fedora Release Engineering - 6.5.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild