6 changed files with 4 additions and 134 deletions
--- a/.bcel.metadata
+++ b/.bcel.metadata
@ -0,0 +1 @@
 28802d52408952747671b95539bdda9b842cd25f SOURCES/bcel-6.4.1-src.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1,10 +1 @@
-/results_*
+SOURCES/bcel-6.4.1-src.tar.gz
 /*.src.rpm
 /bcel-5.2-src.tar.gz
 /bcel-1592769.tar.xz
 /bcel-6.1-src.tar.gz
 /bcel-6.2-src.tar.gz
 /bcel-6.3-src.tar.gz
 /bcel-6.3.1-src.tar.gz
 /bcel-6.4.1-src.tar.gz
--- a/0001-CVE-2022-42920.patch
+++ b/0001-CVE-2022-42920.patch
@ -1,71 +0,0 @@
 From 3a4e355796891149adfd9228633f179015293dbd Mon Sep 17 00:00:00 2001
 From: Richard Atkins <rjatkins359@gmail.com>
 Date: Wed, 21 Sep 2022 23:18:58 +1000
 Subject: [PATCH] CVE-2022-42920
 ---
 .../org/apache/bcel/classfile/ConstantPool.java   | 15 +++++++++++----
 .../org/apache/bcel/generic/ConstantPoolGen.java  | 11 ++++++++++-
 2 files changed, 21 insertions(+), 5 deletions(-)
 diff --git a/src/main/java/org/apache/bcel/classfile/ConstantPool.java b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
 index f2c946a1..77ab0da4 100644
 --- a/src/main/java/org/apache/bcel/classfile/ConstantPool.java
 +++ b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
@@ -218,10 +218,17 @@ public class ConstantPool implements Cloneable, Node {
      * @throws IOException
      */
     public void dump( final DataOutputStream file ) throws IOException {
 -        file.writeShort(constant_pool.length);
 -        for (int i = 1; i < constant_pool.length; i++) {
 -            if (constant_pool[i] != null) {
 -                constant_pool[i].dump(file);
 +        /*
 +         * Constants over the size of the constant pool shall not be written out.
 +         * This is a redundant measure as the ConstantPoolGen should have already
 +         * reported an error back in the situation.
 +        */
 +        final int size = Math.min(constant_pool.length, Const.MAX_CP_ENTRIES);
 +
 +        file.writeShort(size);
 +        for (int i = 1; i < size; i++) {
 +            if (constant_pool[i] != null) {
 +                constant_pool[i].dump(file);
             }
         }
     }
 diff --git a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
 index fd0af47e..d3189ba4 100644
 --- a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
 +++ b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
@@ -95,7 +95,7 @@ public class ConstantPoolGen {
     public ConstantPoolGen(final Constant[] cs) {
         final StringBuilder sb = new StringBuilder(DEFAULT_BUFFER_SIZE);
 -        size = Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64);
 +        size = Math.min(Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64), Const.MAX_CP_ENTRIES + 1);
         constants = new Constant[size];
         System.arraycopy(cs, 0, constants, 0, cs.length);
@@ -224,9 +224,18 @@ public class ConstantPoolGen {
     /** Resize internal array of constants.
      */
     protected void adjustSize() {
 +        // 3 extra spaces are needed as some entries may take 3 slots
 +        if (index + 3 >= Const.MAX_CP_ENTRIES + 1) {
 +            throw new IllegalStateException("The number of constants " + (index + 3)
 +                    + " is over the size of the constant pool: "
 +                    + Const.MAX_CP_ENTRIES);
 +        }
 +
         if (index + 3 >= size) {
             final Constant[] cs = constants;
             size *= 2;
 +            // the constant array shall not exceed the size of the constant pool
 +            size = Math.min(size, Const.MAX_CP_ENTRIES + 1);
             constants = new Constant[size];
             System.arraycopy(cs, 0, constants, 0, index);
         }
 -- 
 2.38.1
--- a/SPECS/bcel.spec
+++ b/SPECS/bcel.spec
@ -1,14 +1,12 @@
 Name:           bcel
 Version:        6.4.1
-Release:        9%{?dist}
+Release:        2%{?dist}
 Summary:        Byte Code Engineering Library
 License:        ASL 2.0
 URL:            http://commons.apache.org/proper/commons-bcel/
 BuildArch:      noarch
 Source0:        http://archive.apache.org/dist/commons/bcel/source/bcel-%{version}-src.tar.gz
-Patch1:         0001-CVE-2022-42920.patch
+BuildArch:      noarch
 BuildRequires:  maven-local
 BuildRequires:  mvn(org.apache.commons:commons-parent:pom:)
@ -37,7 +35,6 @@ This package provides %{summary}.
 %prep
 %setup -q -n %{name}-%{version}-src
 %patch1 -p1
 %pom_remove_plugin :maven-source-plugin
@ -58,45 +55,12 @@ This package provides %{summary}.
 %license LICENSE.txt NOTICE.txt
 %changelog
 * Thu Dec 01 2022 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.4.1-9
 - Fix arbitrary bytecode produced via out-of-bounds writing
 - Resolves: CVE-2022-42920
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 6.4.1-8
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
 * Mon Jun 28 2021 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.4.1-7
 - Remove dependency on jna
 - Resolves: rhbz#1976996
 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0:6.4.1-6
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0:6.4.1-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0:6.4.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Fri Jul 10 2020 Jiri Vanek <jvanek@redhat.com> - 0:6.4.1-3
 - Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0:6.4.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Tue Nov 05 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.4.1-2
 - Mass rebuild for javapackages-tools 201902
 * Wed Oct 16 2019 Marian Koncek <mkoncek@redhat.com> - 6.4.1-1
 - Update to upstream version 6.4.1
 * Fri Oct 04 2019 Fabio Valentini <decathorpe@gmail.com> - 0:6.4.1-1
 - Update to version 6.4.1.
 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0:6.3.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.3.1-2
 - Mass rebuild for javapackages-tools 201901
@ -108,12 +72,6 @@ This package provides %{summary}.
 - Update to upstream version 6.3
 - Fixes: RHBZ #1670025
 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0:6.2-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0:6.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0:6.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
--- a/gating.yaml
+++ b/gating.yaml
@ -1,8 +0,0 @@
 --- !Policy
 product_versions:
  - rhel-9
 decision_contexts:
  - osci_compose_gate
 rules:
  # https://docs.engineering.redhat.com/display/RHELPLAN/Maven+Bootstrap+manual+gating+test
  - !PassingTestCaseRule {test_case_name: manual.sst_cs_apps.maven.bootstrap}
--- a/1
+++ b/1
@ -1 +0,0 @@
 SHA512 (bcel-6.4.1-src.tar.gz) = 746987c314d3a2bd7308e5cd0b3403c915f09b5127af5980f986a81bccff91cca6098b636fd2f337e8e42f1e3600e8eac14b4f3b0564739b155955603a2e9b7f
		`@ -0,0 +1 @@`
							`28802d52408952747671b95539bdda9b842cd25f SOURCES/bcel-6.4.1-src.tar.gz`
		`@ -1 +0,0 @@`
			`SHA512 (bcel-6.4.1-src.tar.gz) = 746987c314d3a2bd7308e5cd0b3403c915f09b5127af5980f986a81bccff91cca6098b636fd2f337e8e42f1e3600e8eac14b4f3b0564739b155955603a2e9b7f`