!25 Upgrade to version 6.5.0

From: @starlet-dx 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia

CVE-2022-34169.patch

@@ -0,0 +1,84 @@
+From 13bf52c8d876528a43be7cb77a1f452d29a21492 Mon Sep 17 00:00:00 2001
+From: Aleksei Voitylov <avoitylov@openjdk.org>
+Date: Mon, 30 May 2022 12:26:00 +0000
+Subject: [PATCH] 8285407: Improve Xalan supports
+
+Refer: https://github.com/openjdk/jdk11u/commit/13bf52c8d876528a43be7cb77a1f452d29a21492
+---
+ .../java/org/apache/bcel/classfile/ConstantPool.java | 12 ++++++++++--
+ .../org/apache/bcel/generic/ConstantPoolGen.java     | 12 +++++++++++-
+ 2 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/java/org/apache/bcel/classfile/ConstantPool.java b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+index c2926c0..cb38cbc 100644
+--- a/src/main/java/org/apache/bcel/classfile/ConstantPool.java
++++ b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+@@ -22,6 +22,7 @@ import java.io.DataOutputStream;
+ import java.io.IOException;
+ 
+ import org.apache.bcel.Const;
++import org.apache.bcel.generic.ConstantPoolGen;
+ 
+ /**
+  * This class represents the constant pool, i.e., a table of constants, of
+@@ -218,8 +219,15 @@ public class ConstantPool implements Cloneable, Node {
+      * @throws IOException
+      */
+     public void dump( final DataOutputStream file ) throws IOException {
+-        file.writeShort(constantPool.length);
+-        for (int i = 1; i < constantPool.length; i++) {
++	/*
++	 * Constants over the size of the constant pool shall not be written out.
++	 * This is a redundant measure as the ConstantPoolGen should have already
++	 * reported an error back in the situation.
++	 */
++        int size = constantPool.length < ConstantPoolGen.CONSTANT_POOL_SIZE - 1 ?
++                    constantPool.length : ConstantPoolGen.CONSTANT_POOL_SIZE - 1;
++        file.writeShort(size);
++        for (int i = 1; i < size; i++) {
+             if (constantPool[i] != null) {
+                 constantPool[i].dump(file);
+             }
+diff --git a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+index 5a09e0d..6f3d508 100644
+--- a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
++++ b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+@@ -52,6 +52,7 @@ import org.apache.bcel.classfile.ConstantUtf8;
+ public class ConstantPoolGen {
+ 
+     private static final int DEFAULT_BUFFER_SIZE = 256;
++    public static final int CONSTANT_POOL_SIZE = 65536;
+ 
+     /**
+      * @deprecated (since 6.0) will be made private; do not access directly, use getter/setter
+@@ -95,7 +96,7 @@ public class ConstantPoolGen {
+     public ConstantPoolGen(final Constant[] cs) {
+         final StringBuilder sb = new StringBuilder(DEFAULT_BUFFER_SIZE);
+ 
+-        size = Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64);
++        size      = Math.min(cs.length, CONSTANT_POOL_SIZE);
+         constants = new Constant[size];
+ 
+         System.arraycopy(cs, 0, constants, 0, cs.length);
+@@ -224,9 +225,18 @@ public class ConstantPoolGen {
+     /** Resize internal array of constants.
+      */
+     protected void adjustSize() {
++        // 3 extra spaces are needed as some entries may take 3 slots
++        if (index + 3 >= CONSTANT_POOL_SIZE) {
++            throw new RuntimeException("The number of constants " + (index + 3)
++                  + " is over the size of the constant pool: "
++		  + (CONSTANT_POOL_SIZE - 1));
++	}
++
+         if (index + 3 >= size) {
+             final Constant[] cs = constants;
+             size *= 2;
++            // the constant array shall not exceed the size of the constant pool
++            size       = Math.min(size, CONSTANT_POOL_SIZE);
+             constants = new Constant[size];
+             System.arraycopy(cs, 0, constants, 0, index);
+         }
+-- 
+2.27.0
+

bcel.spec

@@ -0,0 +1,55 @@
+Name:           bcel
+Version:        6.5.0
+Release:        1
+Summary:        Byte Code Engineering Library
+License:        Apache-2.0
+URL:            http://commons.apache.org/proper/commons-bcel/
+Source0:        http://archive.apache.org/dist/commons/bcel/source/bcel-%{version}-src.tar.gz
+Patch0:         CVE-2022-34169.patch
+BuildArch:      noarch
+BuildRequires:  maven-local mvn(org.apache.commons:commons-parent:pom:)
+Obsoletes:      bcel-javadoc < %{version}-%{release}
+Provides:       bcel-javadoc = %{version}-%{release}
+
+%description
+The Byte Code Engineering Library (formerly known as JavaClass) is intended to
+give users a convenient possibility to analyze, create, and manipulate (binary)
+Java class files (those ending with .class).
+
+%prep
+%autosetup -n %{name}-%{version}-src -p1
+%pom_remove_plugin :maven-source-plugin
+%pom_remove_plugin :spotbugs-maven-plugin
+%mvn_alias : bcel: apache:
+%mvn_file : %{name}
+
+%build
+%mvn_build -f
+
+%install
+%mvn_install
+
+%files
+%attr(0644,root,root) %{_datadir}/maven-metadata/bcel.xml
+%attr(0644,root,root) %{_datadir}/java/bcel.jar
+%attr(0644,root,root) %{_datadir}/maven-poms/bcel.pom
+%doc RELEASE-NOTES.txt
+%license LICENSE.txt NOTICE.txt
+%{_javadocdir}/%{name}
+
+%changelog
+* Thu Oct 20 2022 yaoxin <yaoxin30@h-partners.com> - 6.5.0-1
+- Upgrade to version 6.5.0
+
+* Fri Sep 23 2022 wangkai <wangkai385@h-partners.com> -6.4.1-2
+- Fix CVE-2022-34169 for xalan-j2
+
+* Wed Feb 16 2022 yaoxin <yaoxin30@huawei.com> - 6.4.1-1
+- When bcel is upgraded to 6.5.0,other packages that depend on bcel fail to be compiled.
+- Downgrade bcel to 6.4.1.
+
+* Wed Jan 19 2022 SimpleUpdate Robot <tc@openeuler.org> - 6.5.0-1
+- Upgrade to version 6.5.0
+
+* Thu Dec 7 2019 openEuler Buildteam <buildteam@openeuler.org> - 6.2-4
+- Package init

bcel.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: apache/commons-bcel
+tag_prefix: "commons-bcel-"
+seperator: "."