File bcel-CVE-2022-42920.patch of Package bcel5_3

Overview Repositories Revisions Requests Users Attributes Meta

File bcel-CVE-2022-42920.patch of Package bcel5_3

From f3267cbcc900f80851d561bdd16b239d936947f5 Mon Sep 17 00:00:00 2001
From: Richard Atkins <rjatkins359@gmail.com>
Date: Wed, 21 Sep 2022 23:18:58 +1000
Subject: [PATCH] BCEL-363 Enforce MAX_CP_ENTRIES in ConstantPoolGen and
 ConstantPool.dump (#147)

* BCEL-363 Enforce MAX_CP_ENTRIES in ConstantPoolGen and ConstantPool.dump

* BCEL-363 Add test coverage for enforced size limit

* BCEL-363 Throw IllegalStateException instead of RuntimeException

* BCEL-363 Use final
---
 .../org/apache/bcel/classfile/ConstantPool.java   | 11 +++++++++--
 .../org/apache/bcel/generic/ConstantPoolGen.java  | 11 ++++++++++-
 .../bcel/classfile/ConstantPoolTestCase.java      | 15 +++++++++++++++
 3 files changed, 34 insertions(+), 3 deletions(-)

Index: bcel/src/main/java/org/apache/bcel/classfile/ConstantPool.java
===================================================================
--- bcel.orig/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+++ bcel/src/main/java/org/apache/bcel/classfile/ConstantPool.java
@@ -198,10 +198,17 @@ public class ConstantPool implements Clo
      * @throws IOException
      */
     public void dump( DataOutputStream file ) throws IOException {
-        file.writeShort(constant_pool_count);
-        for (int i = 1; i < constant_pool_count; i++) {
-            if (constant_pool[i] != null) {
-                constant_pool[i].dump(file);
+        /*
+         * Constants over the size of the constant pool shall not be written out.
+         * This is a redundant measure as the ConstantPoolGen should have already
+         * reported an error back in the situation.
+        */
+        final int size = Math.min(constant_pool.length, Constants.MAX_CP_ENTRIES);
+
+        file.writeShort(size);
+        for (int i = 1; i < size; i++) {
+            if (constant_pool[i] != null) {
+                constant_pool[i].dump(file);
             }
         }
     }
Index: bcel/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
===================================================================
--- bcel.orig/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+++ bcel/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
@@ -50,14 +50,16 @@ import org.apache.bcel.classfile.Constan
  */
 public class ConstantPoolGen implements java.io.Serializable {
 
-    protected int size = 1024; // Inital size, sufficient in most cases
-    protected Constant[] constants = new Constant[size];
-    protected int index = 1; // First entry (0) used by JVM
+    private static final int DEFAULT_BUFFER_SIZE = 256;
     private static final String METHODREF_DELIM = ":";
     private static final String IMETHODREF_DELIM = "#";
     private static final String FIELDREF_DELIM = "&";
     private static final String NAT_DELIM = "%";
 
+    protected int size = DEFAULT_BUFFER_SIZE;
+    protected Constant[] constants = new Constant[size];
+    protected int index = 1; // First entry (0) used by JVM
+
     private static class Index implements java.io.Serializable {
 
         int index;
@@ -75,6 +76,8 @@ public class ConstantPoolGen implements
      * @param cs array of given constants, new ones will be appended
      */
     public ConstantPoolGen(Constant[] cs) {
+
+		size = Math.min(Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64), Constants.MAX_CP_ENTRIES + 1);
         if (cs.length > size) {
             size = cs.length;
             constants = new Constant[size];
@@ -156,9 +159,18 @@ public class ConstantPoolGen implements
     /** Resize internal array of constants.
      */
     protected void adjustSize() {
+        // 3 extra spaces are needed as some entries may take 3 slots
+        if (index + 3 >= Constants.MAX_CP_ENTRIES + 1) {
+            throw new IllegalStateException("The number of constants " + (index + 3)
+                    + " is over the size of the constant pool: "
+                    + Constants.MAX_CP_ENTRIES);
+        }
+
         if (index + 3 >= size) {
             Constant[] cs = constants;
             size *= 2;
+            // the constant array shall not exceed the size of the constant pool
+            size = Math.min(size, Constants.MAX_CP_ENTRIES + 1);
             constants = new Constant[size];
             System.arraycopy(cs, 0, constants, 0, index);
         }
Index: bcel/src/test/java/org/apache/bcel/ConstantPoolTestCase.java
===================================================================
--- /dev/null
+++ bcel/src/test/java/org/apache/bcel/ConstantPoolTestCase.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.bcel.classfile;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import org.apache.bcel.AbstractTestCase;
+import org.apache.bcel.Const;
+import org.apache.bcel.generic.ConstantPoolGen;
+import org.apache.bcel.generic.InstructionHandle;
+import org.apache.bcel.generic.InstructionList;
+import org.apache.bcel.generic.MethodGen;
+import org.junit.jupiter.api.Test;
+public class ConstantPoolTestCase extends AbstractTestCase {
+    private InstructionHandle[] getInstructionHandles(final JavaClass clazz, final ConstantPoolGen cp, final Method method) {
+        final MethodGen methodGen = new MethodGen(method, clazz.getClassName(), cp);
+        final InstructionList instructionList = methodGen.getInstructionList();
+        return instructionList.getInstructionHandles();
+    }
+    @Test
+    public void testConstantToString() throws ClassNotFoundException {
+        final JavaClass clazz = getTestClass(PACKAGE_BASE_NAME + ".data.SimpleClassWithDefaultConstructor");
+        final ConstantPoolGen cp = new ConstantPoolGen(clazz.getConstantPool());
+        final Method[] methods = clazz.getMethods();
+        for (final Method method : methods) {
+            if (method.getName().equals("<init>")) {
+                for (final InstructionHandle instructionHandle : getInstructionHandles(clazz, cp, method)) {
+                    final String string = instructionHandle.getInstruction().toString(cp.getConstantPool());
+                    assertNotNull(string);
+                    // TODO Need real assertions.
+                    // System.out.println(string);
+                }
+            }
+        }
+    }
+
+    @Test
+    public void testTooManyConstants() throws ClassNotFoundException {
+        final JavaClass clazz = getTestClass(PACKAGE_BASE_NAME + ".data.SimpleClassWithDefaultConstructor");
+        final ConstantPoolGen cp = new ConstantPoolGen(clazz.getConstantPool());
+
+        int i = cp.getSize();
+        while (i < Constants.MAX_CP_ENTRIES - 1) {
+            cp.addLong(i);
+            i = cp.getSize(); // i += 2
+        }
+        assertThrows(IllegalStateException.class, () -> cp.addLong(0));
+    }
+}

Places

File bcel-CVE-2022-42920.patch of Package bcel5_3

Places