This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-bcel.git


The following commit(s) were added to refs/heads/master by this push:
     new 9881d963 The size of an Attribute unknown to the JVM specification is 
limited to 1 MB and is overridden with the system property 
BCEL.Attribute.Unknown.max_attribute_length.
9881d963 is described below

commit 9881d9633f555c16291de2310e340cced4efb4d1
Author: Gary Gregory <[email protected]>
AuthorDate: Sun Jan 18 14:00:32 2026 -0500

    The size of an Attribute unknown to the JVM specification is limited to
    1 MB by default; the limit can be overridden with the system property
    BCEL.Attribute.Unknown.max_attribute_length.
    
    See https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.7
---
 src/changes/changes.xml                            |  5 +--
 .../java/org/apache/bcel/classfile/Unknown.java    | 26 ++++++++++++---
 .../org/apache/bcel/classfile/UnknownTest.java     | 39 ++++++++++++++++++++++
 3 files changed, 64 insertions(+), 6 deletions(-)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 2f7bb72d..886ad852 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -75,8 +75,9 @@ The <action> type attribute can be add,update,fix,remove.
       <action                  type="fix" dev="ggregory" due-to="Gary 
Gregory">Code.setCode(byte[]) now throws a ClassFormatException if the code 
array is greater than the JVM specification allows.</action>
       <action                  type="fix" dev="ggregory" due-to="Gary 
Gregory">ClassDumper.dump() should not call the input stream it didn't open; 
fixes IOException when calling DumpClass.main(ClassDumper.java:351).</action>
       <action                  type="fix" dev="ggregory" due-to="Gary 
Gregory">org.apache.bcel.classfile.ConstantPool.ConstantPool(Constant[]) now 
uses varagrs: ConstantPool(Constant...).</action>
-      <action                  type="fix" dev="ggregory" due-to="Gary 
Gregory">org.apache.bcel.classfile.Deprecated now requires its the 
attribute_length item be zero. See 
https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.7.15.</action>
-      <action                  type="fix" dev="ggregory" due-to="Gary 
Gregory">org.apache.bcel.classfile.Synthetic now requires its the 
attribute_length item be zero. See 
https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.7.8.</action>
+      <action                  type="fix" dev="ggregory" due-to="Gary 
Gregory">org.apache.bcel.classfile.Deprecated now requires its the 
attribute_length item be zero; see 
https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.7.15.</action>
+      <action                  type="fix" dev="ggregory" due-to="Gary 
Gregory">org.apache.bcel.classfile.Synthetic now requires its the 
attribute_length item be zero; see 
https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.7.8.</action>
+      <action                  type="fix" dev="ggregory" due-to="Gary Gregory, 
Stanislav Fort">The size of an Attribute unknown to the JVM specification is 
limited to 1 MB and is overridden with the system property 
BCEL.Attribute.Unknown.max_attribute_length; see 
https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.7.</action>
       <!-- ADD -->
       <action                  type="add" dev="ggregory" due-to="Gary 
Gregory">Add Const.MAJOR_26.</action>
       <action                  type="add" dev="ggregory" due-to="Gary 
Gregory">Add Const.MINOR_26.</action>
diff --git a/src/main/java/org/apache/bcel/classfile/Unknown.java 
b/src/main/java/org/apache/bcel/classfile/Unknown.java
index 9dd07516..0a9077e3 100644
--- a/src/main/java/org/apache/bcel/classfile/Unknown.java
+++ b/src/main/java/org/apache/bcel/classfile/Unknown.java
@@ -16,6 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
+
 package org.apache.bcel.classfile;
 
 import java.io.DataInput;
@@ -24,6 +25,7 @@ import java.io.IOException;
 import java.util.Arrays;
 
 import org.apache.bcel.Const;
+import org.apache.commons.lang3.SystemProperties;
 
 /**
  * This class represents a reference to an unknown (that is, 
application-specific) attribute of a class. It is instantiated
@@ -36,6 +38,13 @@ import org.apache.bcel.Const;
  */
 public final class Unknown extends Attribute {
 
+    /**
+     * Arbitrary to limit the maximum length of unknown attributes to avoid 
OOM errors.
+     */
+    static final int MAX_LEN = 1_000_000;
+
+    private static final String MAX_LEN_PROP = 
"BCEL.Attribute.Unknown.max_attribute_length";
+
     private byte[] bytes;
 
     private final String name;
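Review bot: The Javadoc on `MAX_LEN` ("Arbitrary to limit the maximum length…") is ungrammatical and does not say that the value is a default in bytes or how it relates to the system property. Something like `Default maximum length in bytes of an unknown attribute, applied unless the BCEL.Attribute.Unknown.max_attribute_length system property is set; bounds the allocation made from an attribute_length read from untrusted class data.` would tell a maintainer why the bound exists. `MAX_LEN_PROP` has no comment at all, and because it is private, callers who need to raise the limit have to copy the string from the Javadoc or the exception message.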
@@ -55,17 +64,26 @@ public final class Unknown extends Attribute {
     }
 
     /**
-     * Constructs a new instance from an input stream.
+     * Constructs a new instance from a DataInput.
+     * <p>
+     * The size of an <a 
href="https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.7";>Attribute</a>
 unknown to the JVM specification is
+     * limited to 1 MB and is overridden with the system property {@code 
BCEL.Attribute.Unknown.max_attribute_length}.
+     * </p>
      *
-     * @param nameIndex Index in constant pool.
-     * @param length Content length in bytes.
-     * @param input Input stream.
+     * @param nameIndex    Index in constant pool.
+     * @param length       Content length in bytes.
+     * @param input        Input stream.
      * @param constantPool Array of constants.
      * @throws IOException if an I/O error occurs.
+     * @see <a 
href="https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.7";>Attribute</a>
      */
     Unknown(final int nameIndex, final int length, final DataInput input, 
final ConstantPool constantPool) throws IOException {
         this(nameIndex, length, (byte[]) null, constantPool);
         if (length > 0) {
+            if (length > SystemProperties.getInt(MAX_LEN_PROP, () -> MAX_LEN)) 
{
+                throw new IOException(
+                        String.format("Unknown attribute length %,d > %,d; use 
the %s system property to increase the limit.", length, MAX_LEN, MAX_LEN_PROP));
+            }
             bytes = new byte[length];
             input.readFully(bytes);
         }
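Review bot: The exception message in the new length check formats `MAX_LEN` rather than the limit that was actually applied, so once the system property is set the reported bound is wrong. Reading the limit once, `final int maxLen = SystemProperties.getInt(MAX_LEN_PROP, () -> MAX_LEN);`, and using `maxLen` in both the comparison and the `String.format` arguments keeps the two consistent. The check sits inside `if (length > 0)`, so a negative `length` bypasses both the limit and the read; if callers pass a u4 attribute_length obtained with a signed read, it would be safer to reject `length < 0` explicitly. How a non-numeric property value is handled depends on `SystemProperties.getInt` and is not visible here, so the Javadoc could state it. The constructor body continues past the end of this hunk.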
diff --git a/src/test/java/org/apache/bcel/classfile/UnknownTest.java 
b/src/test/java/org/apache/bcel/classfile/UnknownTest.java
new file mode 100644
index 00000000..17f8ef88
--- /dev/null
+++ b/src/test/java/org/apache/bcel/classfile/UnknownTest.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.bcel.classfile;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+import java.io.DataInput;
+import java.io.IOException;
+
+import org.junit.jupiter.api.Test;
+
+/**
+ * Tests {@link Unknown}.
+ */
+class UnknownTest {
+
+    @Test
+    void testAttributeTooLarge() throws IOException {
+        final ConstantPool cp = new ConstantPool(new 
ConstantUtf8("TestAttribute0"), new ConstantUtf8("TestAttribute1"));
+        assertThrows(IOException.class, () -> new Unknown(1, Unknown.MAX_LEN + 
1, (DataInput) null, cp));
+    }
+}
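Review bot: `testAttributeTooLarge` only holds while `BCEL.Attribute.Unknown.max_attribute_length` is unset or no larger than `MAX_LEN`. With a higher value in the test JVM the constructor would pass the check and reach `input.readFully` on the null `DataInput`, failing with something other than `IOException`. The test also covers only the rejection path with the default limit. A case where `length == Unknown.MAX_LEN` is accepted from a real `DataInput`, and a case that sets the property and restores it afterwards, would pin the boundary and the override that the commit message describes.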
