This is an automated email from the ASF dual-hosted git repository. ggregory pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-bcel.git
commit f3fb875e6c46ba15ada4c20be18cb3881e0ac9bb
Author: Gary Gregory <[email protected]>
AuthorDate: Mon Jan 12 09:29:23 2026 -0500
Code.Code(int, int, int, int, byte[], CodeException[], Attribute[], ConstantPool) now throws a ClassFormatException if the code array is greater than the JVM specification allows
---
 src/changes/changes.xml | 1 +
 src/main/java/org/apache/bcel/classfile/Code.java | 2 ++
 .../org/apache/bcel/classfile/ClassParserTest.java | 35 +++++++++++++++++++++
 .../apache/commons/bcel/classfile/CodeCtor.class | Bin 0 -> 86 bytes
 4 files changed, 38 insertions(+)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 2699912c..5fb583c3 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -68,6 +68,7 @@ The <action> type attribute can be add,update,fix,remove.
 <action type="fix" dev="ggregory" due-to="Gary Gregory">Exception message in Args.requireU4() refers to the wrong data type.</action>
 <action type="fix" dev="ggregory" due-to="Gary Gregory">Exception message in Args.requireU2() refers to the wrong upper range value.</action>
 <action type="fix" dev="ggregory" due-to="Gary Gregory">Code.Code(int, int, DataInput, ConstantPool) now throws a ClassFormatException if the code array is greater than the JVM specification allows.</action>
+ <action type="fix" dev="ggregory" due-to="Gary Gregory">Code.Code(int, int, int, int, byte[], CodeException[], Attribute[], ConstantPool) now throws a ClassFormatException if the code array is greater than the JVM specification allows.</action>
 <!-- ADD -->
 <action type="add" dev="ggregory" due-to="Gary Gregory">Add Const.MAJOR_26.</action>
 <action type="add" dev="ggregory" due-to="Gary Gregory">Add Const.MINOR_26.</action>
diff --git a/src/main/java/org/apache/bcel/classfile/Code.java b/src/main/java/org/apache/bcel/classfile/Code.java
index 9b4c02f2..86ce4b65 100644
--- a/src/main/java/org/apache/bcel/classfile/Code.java
+++ b/src/main/java/org/apache/bcel/classfile/Code.java
@@ -129,6 +129,7 @@ public final class Code extends Attribute { * @param exceptionTable of handled exceptions. * @param attributes Attributes of code: LineNumber or LocalVariable. * @param constantPool Array of constants. + * @throws ClassFormatException if the code array is greater than {@link Const#MAX_CODE_SIZE}. */ public Code(final int nameIndex, final int length, final int maxStack, final int maxLocals, final byte[] code, final CodeException[] exceptionTable, final Attribute[] attributes, final ConstantPool constantPool) { @@ -136,6 +137,7 @@ public final class Code extends Attribute { this.maxStack = Args.requireU2(maxStack, "maxStack"); this.maxLocals = Args.requireU2(maxLocals, "maxLocals"); this.code = ArrayUtils.nullToEmpty(code); + Args.requireU4(this.code.length, 1, Const.MAX_CODE_SIZE, "Code length attribute"); this.exceptionTable = ArrayUtils.nullToEmpty(exceptionTable, CodeException[].class); Args.requireU2(this.exceptionTable.length, "exceptionTable.length"); this.attributes = attributes != null ? attributes : EMPTY_ARRAY; diff --git a/src/test/java/org/apache/bcel/classfile/ClassParserTest.java b/src/test/java/org/apache/bcel/classfile/ClassParserTest.java new file mode 100644 index 00000000..f16d0c91 --- /dev/null +++ b/src/test/java/org/apache/bcel/classfile/ClassParserTest.java 
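Review bot: The new `Args.requireU4(this.code.length, 1, Const.MAX_CODE_SIZE, "Code length attribute")` in the second hunk runs right after `ArrayUtils.nullToEmpty(code)`, so with what looks like a lower bound of 1, a null or empty `code` argument is now rejected too, which the `@throws` line added in the first hunk does not mention. If another constructor delegates here with a null array and fills `code` in afterwards (not visible in this diff), it would start failing for every input, so that path is worth checking before merge. I would either enforce only the upper bound at this point or document both bounds, e.g. `@throws ClassFormatException if the code array is empty or longer than {@link Const#MAX_CODE_SIZE}.` The limit is also enforced only at construction; any setter that later replaces the array (if the class has one) needs the same check for the size invariant to hold. The constructor body continues outside the hunk.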
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.bcel.classfile;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import org.junit.jupiter.api.Test;
+
+/**
+ * Tests {@link ClassParser}.
+ */
+class ClassParserTest {
+
+ @Test
+ void testParseInvalidClass() {
+ assertThrows(ClassFormatException.class, () -> new ClassParser("src/test/resources/org/apache/commons/bcel/classfile/CodeCtor.class").parse());
+ }
+}
diff --git a/src/test/resources/org/apache/commons/bcel/classfile/CodeCtor.class b/src/test/resources/org/apache/commons/bcel/classfile/CodeCtor.class
new file mode 100644
index 00000000..8799986f
Binary files /dev/null and b/src/test/resources/org/apache/commons/bcel/classfile/CodeCtor.class differ
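Review bot: `testParseInvalidClass` asserts only that some `ClassFormatException` is thrown, so it passes for any malformed input and does not show that the new size check in `Code` is what rejected the 86-byte `CodeCtor.class` fixture. Capture the exception and check its message, e.g. `final ClassFormatException e = assertThrows(...)` followed by `assertTrue(e.getMessage().contains("Code length attribute"))` (assuming `Args` puts that label in the message), and add a comment saying what is invalid in the binary fixture, since it cannot be reviewed as text. A companion test that parses a known-good class would guard against the new check rejecting valid input. The relative `src/test/resources/...` path also depends on the working directory of the test run.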
