diff --git a/CVE-2022-22950.patch b/CVE-2022-22950.patch new file mode 100644 index 0000000000000000000000000000000000000000..89ba4768a9d6828b5ab673d77372a3507dfd65a1 --- /dev/null +++ b/CVE-2022-22950.patch @@ -0,0 +1,143 @@ +From 12c3f4129dffdc9a120419cb51dff7f7a511174c Mon Sep 17 00:00:00 2001 +From: sbrannen +Date: Tue, 1 Nov 2022 19:58:40 +0800 +Subject: [PATCH] Improve diagnostics in SpEL for large array creation +Attempting to create a large array in a SpEL expression can result in +an OutOfMemoryError. Although the JVM recovers from that, the error +message is not very helpful to the user. + +This commit improves the diagnostics in SpEL for large array creation +by throwing a SpelEvaluationException with a meaningful error message +in order to improve diagnostics for the user. + +--- + .../expression/spel/SpelMessage.java | 16 +++++++++++-- + .../spel/ast/ConstructorReference.java | 24 +++++++++++++++++-- + .../spel/ArrayConstructorTests.java | 4 ++++ + 3 files changed, 40 insertions(+), 4 deletions(-) + +diff --git a/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java b/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java +index 9a42cedb..0cf93915 100644 +--- a/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java ++++ b/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java +@@ -1,5 +1,5 @@ + /* +- * Copyright 2002-2014 the original author or authors. ++ * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. +@@ -34,6 +34,7 @@ import java.text.MessageFormat; + * if it is known. + * + * @author Andy Clement ++ * @author Sam Brannen + * @since 3.0 + */ + public enum SpelMessage { +@@ -108,8 +109,19 @@ public enum SpelMessage { + NOT_ASSIGNABLE(Kind.ERROR,1068,"the expression component ''{0}'' is not assignable"), + MISSING_CHARACTER(Kind.ERROR,1069,"missing expected character ''{0}''"), + LEFT_OPERAND_PROBLEM(Kind.ERROR,1070, "Problem parsing left operand"), +- MISSING_SELECTION_EXPRESSION(Kind.ERROR, 1071, "A required selection expression has not been specified"); ++ MISSING_SELECTION_EXPRESSION(Kind.ERROR, 1071, "A required selection expression has not been specified"), + ++ /** @since 4.1 */ ++ EXCEPTION_RUNNING_COMPILED_EXPRESSION(Kind.ERROR, 1072, ++ "An exception occurred whilst evaluating a compiled expression"), ++ ++ /** @since 4.3.17 */ ++ FLAWED_PATTERN(Kind.ERROR, 1073, ++ "Failed to efficiently evaluate pattern ''{0}'': consider redesigning it"), ++ ++ /** @since 5.2.20 */ ++ MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED(Kind.ERROR, 1075, ++ "Array declares too many elements, exceeding the threshold of ''{0}''"); + + private final Kind kind; + +diff --git a/spring-expression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java b/spring-expression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java +index c6a25931..4ede5ac3 100644 +--- a/spring-expression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java ++++ b/spring-expression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java +@@ -1,5 +1,5 @@ + /* +- * Copyright 2002-2012 the original author or authors. ++ * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. +@@ -47,12 +47,20 @@ import org.springframework.expression.spel.SpelNode; + * + * @author Andy Clement + * @author Juergen Hoeller ++ * @author Sam Brannen + * @since 3.0 + */ + public class ConstructorReference extends SpelNodeImpl { + + private boolean isArrayConstructor = false; + ++ /** ++ * Maximum number of elements permitted in an array declaration, applying ++ * to one-dimensional as well as multi-dimensional arrays. ++ * @since 5.2.20 ++ */ ++ private static final int MAX_ARRAY_ELEMENTS = 256 * 1024; // 256K ++ + private SpelNodeImpl[] dimensions; + + // TODO is this caching safe - passing the expression around will mean this executor is also being passed around +@@ -247,14 +255,19 @@ public class ConstructorReference extends SpelNodeImpl { + if (this.dimensions.length == 1) { + TypedValue o = this.dimensions[0].getTypedValue(state); + int arraySize = ExpressionUtils.toInt(typeConverter, o); ++ checkNumElements(arraySize); + newArray = Array.newInstance(componentType, arraySize); + } + else { + // Multi-dimensional - hold onto your hat! + int[] dims = new int[this.dimensions.length]; ++ long numElements = 1; + for (int d = 0; d < this.dimensions.length; d++) { + TypedValue o = this.dimensions[d].getTypedValue(state); +- dims[d] = ExpressionUtils.toInt(typeConverter, o); ++ int arraySize = ExpressionUtils.toInt(typeConverter, o); ++ dims[d] = arraySize; ++ numElements *= arraySize; ++ checkNumElements(numElements); + } + newArray = Array.newInstance(componentType, dims); + } +@@ -314,6 +327,13 @@ public class ConstructorReference extends SpelNodeImpl { + return new TypedValue(newArray); + } + ++ private void checkNumElements(long numElements) { ++ if (numElements >= MAX_ARRAY_ELEMENTS) { ++ throw new SpelEvaluationException(getStartPosition(), ++ SpelMessage.MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED, MAX_ARRAY_ELEMENTS); ++ } ++ } ++ + private void populateReferenceTypeArray(ExpressionState state, Object newArray, TypeConverter typeConverter, + InlineList initializer, Class componentType) { + TypeDescriptor toTypeDescriptor = TypeDescriptor.valueOf(componentType); +diff --git a/spring-expression/src/test/java/org/springframework/expression/spel/ArrayConstructorTests.java b/spring-expression/src/test/java/org/springframework/expression/spel/ArrayConstructorTests.java +index 16671155..d1ce52f8 100644 +--- a/spring-expression/src/test/java/org/springframework/expression/spel/ArrayConstructorTests.java ++++ b/spring-expression/src/test/java/org/springframework/expression/spel/ArrayConstructorTests.java +@@ -80,6 +80,10 @@ public class ArrayConstructorTests extends ExpressionTestCase { + evaluateAndCheckError("new char[3]{'a','c','d','e'}", SpelMessage.INITIALIZER_LENGTH_INCORRECT); + evaluateAndCheckError("new char[2]{'hello','world'}", SpelMessage.TYPE_CONVERSION_ERROR); + evaluateAndCheckError("new String('a','c','d')", SpelMessage.CONSTRUCTOR_INVOCATION_PROBLEM); ++ ++ int threshold = 256 * 1024; // ConstructorReference.MAX_ARRAY_ELEMENTS ++ evaluateAndCheckError("new int[T(java.lang.Integer).MAX_VALUE]", SpelMessage.MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED, 0, threshold); ++ evaluateAndCheckError("new int[1024 * 1024][1024 * 1024]", SpelMessage.MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED, 0, threshold); + } + + @Test +-- +2.27.0 + \ No newline at end of file diff --git a/springframework.spec b/springframework.spec index a6245dc215470c188f94feaefe9c5674754bee62..c4b108ce5638f7993f8e069d8031b228405504c7 100644 --- a/springframework.spec +++ b/springframework.spec @@ -1,6 +1,6 @@ Name: springframework Version: 3.2.18 -Release: 14 +Release: 15 Summary: The Spring Java Application Framework License: ASL 2.0 URL: http://projects.spring.io/spring-framework/ @@ -35,6 +35,7 @@ Patch9: springframework-3.2.18-hibernate4.3.patch Patch10: CVE-2020-5421.patch patch11: CVE-2016-5007.patch Patch12: 0001-override-abstract-method-of-ServletInputStream-and-ServletOutputStream.patch +Patch13: CVE-2022-22950.patch BuildRequires: maven-local mvn(aopalliance:aopalliance) mvn(c3p0:c3p0) mvn(com.caucho:hessian) BuildRequires: mvn(com.fasterxml.jackson.core:jackson-databind) mvn(com.h2database:h2) BuildRequires: mvn(com.jamonapi:jamon) mvn(com.rometools:rome) @@ -359,6 +360,9 @@ export JAVA_TOOL_OPTIONS="-Xmx4096m" %files web -f .mfiles-spring-web %changelog +* Mon Apr 21 2025 zhangliangpengkun - 3.2.18-15 +- DESC:fix CVE-2022-22950 + * Thu Apr 11 2024 Dingli Zhang - 3.2.18-14 - Add -Xmx4096m for riscv64