This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-bcel.git


The following commit(s) were added to refs/heads/master by this push:
     new 7b5ac741 When parsing, limit arrays to 255 dimensions as per JVM 
specification
7b5ac741 is described below

commit 7b5ac741cb5a48e949d1c3fddce9297893f6bb90
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Nov 22 10:32:19 2022 +0000

    When parsing, limit arrays to 255 dimensions as per JVM specification
---
 src/changes/changes.xml                                |   1 +
 .../java/org/apache/bcel/classfile/ElementValue.java   |  12 +++++++++++-
 src/test/java/org/apache/bcel/OssFuzzTestCase.java     |   5 +++++
 src/test/resources/ossfuzz/issue53620/Test.class       | Bin 0 -> 227530 bytes
 4 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 25c0b667..ecd81f27 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -104,6 +104,7 @@ The <action> type attribute can be add,update,fix,remove.
       <action                  type="fix" dev="ggregory" due-to="Gary 
Gregory">org.apache.bcel.classfile.InnerClasses constructors now throw 
ClassFormatException on invalid input.</action>
       <action                  type="fix" dev="ggregory" due-to="Gary 
Gregory">org.apache.bcel.classfile.LineNumber constructors now throw 
ClassFormatException on invalid input.</action>
       <action                  type="fix" dev="ggregory" due-to="Gary 
Gregory">org.apache.bcel.classfile.LocalVariable constructors now throw 
ClassFormatException on invalid input.</action>
+      <action                  type="fix" dev="markt" due-to="OSS-Fuzz">When 
parsing class files, limit arrays to no more than 255 dimensions as per section 
4.4.1 of the JVM specification</action>
       <!-- UPDATE -->
       <action                  type="update" dev="ggregory" due-to="Gary 
Gregory">Bump spotbugs-maven-plugin from 4.7.2.2 to 4.7.3.0 #167.</action>
       <action                  type="update" dev="ggregory" 
due-to="Dependabot">Bump jmh.version from 1.35 to 1.36 #170.</action>
diff --git a/src/main/java/org/apache/bcel/classfile/ElementValue.java 
b/src/main/java/org/apache/bcel/classfile/ElementValue.java
index 5b0d2aab..91c4c159 100644
--- a/src/main/java/org/apache/bcel/classfile/ElementValue.java
+++ b/src/main/java/org/apache/bcel/classfile/ElementValue.java
@@ -41,6 +41,11 @@ public abstract class ElementValue {
     public static final byte PRIMITIVE_BOOLEAN = 'Z';
 
     public static ElementValue readElementValue(final DataInput input, final 
ConstantPool cpool) throws IOException {
+        return readElementValue(input, cpool, 0);
+    }
+
+    public static ElementValue readElementValue(final DataInput input, final 
ConstantPool cpool, int arrayNesting)
+            throws IOException {
         final byte type = input.readByte();
         switch (type) {
         case PRIMITIVE_BYTE:
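Review bot: The new three-argument overload at `public static ElementValue readElementValue(final DataInput input, final ConstantPool cpool, int arrayNesting)` widens the public API with an undocumented, unvalidated depth parameter, so any external caller can start the count negative (or large) and weaken or bypass the 255 bound. The only callers visible in this diff are the two-argument method and the recursive call, so `private static ElementValue readElementValue(final DataInput input, final ConstantPool cpool, final int arrayNesting)` would keep the bound enforced from the public entry point. If it must stay public, add Javadoc stating that `arrayNesting` is the current number of enclosing array element values and reject `arrayNesting < 0` with `IllegalArgumentException`. The switch this hunk opens continues past the hunk.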
@@ -65,10 +70,15 @@ public abstract class ElementValue {
             return new AnnotationElementValue(ANNOTATION, 
AnnotationEntry.read(input, cpool, false), cpool);
 
         case ARRAY:
+            arrayNesting++;
+            if (arrayNesting > 255) {
+                // JVM spec 4.4.1
+                throw new ClassFormatException("Arrays are only valid if they 
represent 255 or fewer dimensions.");
+            }
             final int numArrayVals = input.readUnsignedShort();
             final ElementValue[] evalues = new ElementValue[numArrayVals];
             for (int j = 0; j < numArrayVals; j++) {
-                evalues[j] = ElementValue.readElementValue(input, cpool);
+                evalues[j] = ElementValue.readElementValue(input, cpool, 
arrayNesting);
             }
             return new ArrayElementValue(ARRAY, evalues, cpool);
 
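Review bot: The depth counter is only threaded through the ARRAY branch; in the ANNOTATION case just above (`AnnotationEntry.read(input, cpool, false)`) it is not passed along, so if AnnotationEntry.read eventually calls the two-argument readElementValue (which I cannot see here, but is presumably how nested annotation values are parsed) the count restarts at 0 for every array-inside-annotation-inside-array cycle and the recursion depth a fuzzed class can force remains unbounded. Consider carrying the nesting value into AnnotationEntry.read, or bounding total element-value recursion depth in readElementValue rather than only consecutive array nesting. Note too that §4.4.1's 255 limit is stated for array type descriptors; reusing it as a recursion limit for annotation element_value arrays is reasonable but worth saying in the comment, e.g. `// JVM spec 4.4.1 limits array descriptors to 255 dimensions; reused here to bound parser recursion`.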
diff --git a/src/test/java/org/apache/bcel/OssFuzzTestCase.java 
b/src/test/java/org/apache/bcel/OssFuzzTestCase.java
index 8944ca4b..ed012989 100644
--- a/src/test/java/org/apache/bcel/OssFuzzTestCase.java
+++ b/src/test/java/org/apache/bcel/OssFuzzTestCase.java
@@ -56,6 +56,11 @@ public class OssFuzzTestCase {
         testOssFuzzReproducer("53544a");
     }
 
+    @Test
+    public void testIssue53620() throws Exception {
+        testOssFuzzReproducer("53620");
+    }
+
     private void testOssFuzzReproducer(final String issue) throws Exception {
         final File reproducerFile = new 
File("target/test-classes/ossfuzz/issue" + issue + "/Test.class");
         try (final FileInputStream reproducerInputStream = new 
FileInputStream(reproducerFile)) {
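Review bot: testIssue53620 only establishes that testOssFuzzReproducer completes on the new class file; that helper's body continues outside the hunk, so whether it asserts a ClassFormatException or merely tolerates any exception is not visible here. If it only checks for the absence of a crash, the test would not catch a regression that, say, silently truncates the array instead of rejecting it. A targeted assertion such as `assertThrows(ClassFormatException.class, () -> new ClassParser(reproducerInputStream, "Test.class").parse())` on this reproducer would pin the intended rejection.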
diff --git a/src/test/resources/ossfuzz/issue53620/Test.class 
b/src/test/resources/ossfuzz/issue53620/Test.class
new file mode 100644
index 00000000..e263fcd4
Binary files /dev/null and b/src/test/resources/ossfuzz/issue53620/Test.class 
differ
