File CVE-2025-48924.patch of Package apache-commons-lang.39688
--- commons-lang-2.6-src/src/main/java/org/apache/commons/lang/ClassUtils.java 2025-07-15 19:04:34.731843418 +0200
+++ commons-lang-2.6-src/src/main/java/org/apache/commons/lang/ClassUtils.java 2025-07-15 20:21:54.425583478 +0200
@@ -748,30 +748,27 @@
*/
public static Class getClass(
ClassLoader classLoader, String className, boolean initialize) throws ClassNotFoundException {
+ // This method was re-written to avoid recursion and stack overflows found by fuzz testing.
+ String next = className;
+ int lastDotIndex = -1;
+ do {
try {
Class clazz;
- if (abbreviationMap.containsKey(className)) {
- String clsName = "[" + abbreviationMap.get(className);
+ if (abbreviationMap.containsKey(next)) {
+ String clsName = "[" + abbreviationMap.get(next);
clazz = Class.forName(clsName, initialize, classLoader).getComponentType();
} else {
- clazz = Class.forName(toCanonicalName(className), initialize, classLoader);
+ clazz = Class.forName(toCanonicalName(next), initialize, classLoader);
}
return clazz;
} catch (ClassNotFoundException ex) {
- // allow path separators (.) as inner class name separators
- int lastDotIndex = className.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
-
+ lastDotIndex = next.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
if (lastDotIndex != -1) {
- try {
- return getClass(classLoader, className.substring(0, lastDotIndex) +
- INNER_CLASS_SEPARATOR_CHAR + className.substring(lastDotIndex + 1),
- initialize);
- } catch (ClassNotFoundException ex2) {
+ next = next.substring(0, lastDotIndex) + INNER_CLASS_SEPARATOR_CHAR + next.substring(lastDotIndex + 1);
}
}
-
- throw ex;
- }
+ } while (lastDotIndex != -1);
+ throw new ClassNotFoundException(next);
}
/**
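Review bot: The final `throw new ClassNotFoundException(next)` reports the fully rewritten name, with every `.` turned into `$`, and drops the exception from the first lookup, whereas the removed code rethrew the original `ex`. Callers and log searches that key on the requested class name will no longer find it. Keeping the first failure restores the old diagnostics: `ClassNotFoundException first = null;` before the loop, `if (first == null) first = ex;` in the catch, and `throw first;` after it. Separately, the loop fixes the stack-depth problem but still does one `Class.forName` call and one string rebuild per separator, so a very long dotted name from an untrusted source is still roughly quadratic work. A comment on the method saying that callers should bound the length of `className` would make that residual cost explicit.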