!57 [sync] PR-53: fix CVE-2022-22950

From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530

CVE-2022-22950.patch

@@ -0,0 +1,142 @@
+From 12c3f4129dffdc9a120419cb51dff7f7a511174c Mon Sep 17 00:00:00 2001
+From: sbrannen
+Date: Tue, 1 Nov 2022 19:58:40 +0800
+Subject: [PATCH] Improve diagnostics in SpEL for large array creation
+Attempting to create a large array in a SpEL expression can result in
+an OutOfMemoryError. Although the JVM recovers from that, the error
+message is not very helpful to the user.
+ 
+This commit improves the diagnostics in SpEL for large array creation
+by throwing a SpelEvaluationException with a meaningful error message
+in order to improve diagnostics for the user.
+ 
+---
+ .../expression/spel/SpelMessage.java          | 16 +++++++++++--
+ .../spel/ast/ConstructorReference.java        | 24 +++++++++++++++++--
+ .../spel/ArrayConstructorTests.java           |  4 ++++
+ 3 files changed, 40 insertions(+), 4 deletions(-)
+ 
+diff --git a/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java b/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java
+index 9a42cedb..0cf93915 100644
+--- a/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java
++++ b/spring-expression/src/main/java/org/springframework/expression/spel/SpelMessage.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2014 the original author or authors.
++ * Copyright 2002-2022 the original author or authors.
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -34,6 +34,7 @@ import java.text.MessageFormat;
+  * if it is known.
+  *
+  * @author Andy Clement
++ * @author Sam Brannen
+  * @since 3.0
+  */
+ public enum SpelMessage {
+@@ -108,8 +109,19 @@ public enum SpelMessage {
+ 	NOT_ASSIGNABLE(Kind.ERROR,1068,"the expression component ''{0}'' is not assignable"),
+ 	MISSING_CHARACTER(Kind.ERROR,1069,"missing expected character ''{0}''"),
+ 	LEFT_OPERAND_PROBLEM(Kind.ERROR,1070, "Problem parsing left operand"),
+-	MISSING_SELECTION_EXPRESSION(Kind.ERROR, 1071, "A required selection expression has not been specified");
++	MISSING_SELECTION_EXPRESSION(Kind.ERROR, 1071, "A required selection expression has not been specified"),
+ 
++        /** @since 4.1 */
++	EXCEPTION_RUNNING_COMPILED_EXPRESSION(Kind.ERROR, 1072,
++			"An exception occurred whilst evaluating a compiled expression"),
++
++	/** @since 4.3.17 */
++	FLAWED_PATTERN(Kind.ERROR, 1073,
++			"Failed to efficiently evaluate pattern ''{0}'': consider redesigning it"),
++
++	/** @since 5.2.20 */
++	MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED(Kind.ERROR, 1075,
++			"Array declares too many elements, exceeding the threshold of ''{0}''");
+ 
+ 	private final Kind kind;
+ 
+diff --git a/spring-expression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java b/spring-expression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java
+index c6a25931..4ede5ac3 100644
+--- a/spring-expression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java
++++ b/spring-expression/src/main/java/org/springframework/expression/spel/ast/ConstructorReference.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2012 the original author or authors.
++ * Copyright 2002-2022 the original author or authors.
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -47,12 +47,20 @@ import org.springframework.expression.spel.SpelNode;
+  *
+  * @author Andy Clement
+  * @author Juergen Hoeller
++ * @author Sam Brannen
+  * @since 3.0
+  */
+ public class ConstructorReference extends SpelNodeImpl {
+ 
+ 	private boolean isArrayConstructor = false;
+ 
++	/**
++	 * Maximum number of elements permitted in an array declaration, applying
++	 * to one-dimensional as well as multi-dimensional arrays.
++	 * @since 5.2.20
++	 */
++	private static final int MAX_ARRAY_ELEMENTS = 256 * 1024; // 256K
++
+ 	private SpelNodeImpl[] dimensions;
+ 
+ 	// TODO is this caching safe - passing the expression around will mean this executor is also being passed around
+@@ -247,14 +255,19 @@ public class ConstructorReference extends SpelNodeImpl {
+ 			if (this.dimensions.length == 1) {
+ 				TypedValue o = this.dimensions[0].getTypedValue(state);
+ 				int arraySize = ExpressionUtils.toInt(typeConverter, o);
++				checkNumElements(arraySize);
+ 				newArray = Array.newInstance(componentType, arraySize);
+ 			}
+ 			else {
+ 				// Multi-dimensional - hold onto your hat!
+ 				int[] dims = new int[this.dimensions.length];
++				long numElements = 1;
+ 				for (int d = 0; d < this.dimensions.length; d++) {
+ 					TypedValue o = this.dimensions[d].getTypedValue(state);
+-					dims[d] = ExpressionUtils.toInt(typeConverter, o);
++					int arraySize = ExpressionUtils.toInt(typeConverter, o);
++					dims[d] = arraySize;
++					numElements *= arraySize;
++					checkNumElements(numElements);
+ 				}
+ 				newArray = Array.newInstance(componentType, dims);
+ 			}
+@@ -314,6 +327,13 @@ public class ConstructorReference extends SpelNodeImpl {
+ 		return new TypedValue(newArray);
+ 	}
+ 
++	private void checkNumElements(long numElements) {
++		if (numElements >= MAX_ARRAY_ELEMENTS) {
++			throw new SpelEvaluationException(getStartPosition(),
++					SpelMessage.MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED, MAX_ARRAY_ELEMENTS);
++		}
++	}
++
+ 	private void populateReferenceTypeArray(ExpressionState state, Object newArray, TypeConverter typeConverter,
+ 			InlineList initializer, Class<?> componentType) {
+ 		TypeDescriptor toTypeDescriptor = TypeDescriptor.valueOf(componentType);
+diff --git a/spring-expression/src/test/java/org/springframework/expression/spel/ArrayConstructorTests.java b/spring-expression/src/test/java/org/springframework/expression/spel/ArrayConstructorTests.java
+index 16671155..d1ce52f8 100644
+--- a/spring-expression/src/test/java/org/springframework/expression/spel/ArrayConstructorTests.java
++++ b/spring-expression/src/test/java/org/springframework/expression/spel/ArrayConstructorTests.java
+@@ -80,6 +80,10 @@ public class ArrayConstructorTests extends ExpressionTestCase {
+ 		evaluateAndCheckError("new char[3]{'a','c','d','e'}", SpelMessage.INITIALIZER_LENGTH_INCORRECT);
+ 		evaluateAndCheckError("new char[2]{'hello','world'}", SpelMessage.TYPE_CONVERSION_ERROR);
+ 		evaluateAndCheckError("new String('a','c','d')", SpelMessage.CONSTRUCTOR_INVOCATION_PROBLEM);
++
++		int threshold = 256 * 1024; // ConstructorReference.MAX_ARRAY_ELEMENTS
++		evaluateAndCheckError("new int[T(java.lang.Integer).MAX_VALUE]", SpelMessage.MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED, 0, threshold);
++		evaluateAndCheckError("new int[1024 * 1024][1024 * 1024]", SpelMessage.MAX_ARRAY_ELEMENTS_THRESHOLD_EXCEEDED, 0, threshold);
+ 	}
+ 
+ 	@Test
+-- 
+2.27.0

springframework.spec

@@ -1,6 +1,6 @@
 Name:                springframework
 Version:             3.2.18
-Release:             9
+Release:             15
 Summary:             The Spring Java Application Framework
 License:             ASL 2.0
 URL:                 http://projects.spring.io/spring-framework/
@@ -35,6 +35,7 @@ Patch9:              springframework-3.2.18-hibernate4.3.patch
 Patch10:             CVE-2020-5421.patch
 patch11:	     CVE-2016-5007.patch
 Patch12:             0001-override-abstract-method-of-ServletInputStream-and-ServletOutputStream.patch
+Patch13:             CVE-2022-22950.patch
 BuildRequires:       maven-local mvn(aopalliance:aopalliance) mvn(c3p0:c3p0) mvn(com.caucho:hessian)
 BuildRequires:       mvn(com.fasterxml.jackson.core:jackson-databind) mvn(com.h2database:h2)
 BuildRequires:       mvn(com.jamonapi:jamon) mvn(com.rometools:rome)
@@ -86,6 +87,7 @@ BuildRequires:       mvn(velocity-tools:velocity-tools-view) mvn(velocity:veloci
 BuildRequires:       mvn(xmlunit:xmlunit) mvn(org.apache.taglibs:taglibs-standard-jstlel)
 BuildRequires:       mvn(javax.servlet:jstl) mvn(org.apache.taglibs:taglibs-standard-spec)
 BuildRequires:       mvn(com.jayway.jsonpath:json-path) mvn(net.sf.jopt-simple:jopt-simple) xmvn
+BuildRequires:       mvn(org.sonatype.oss:oss-parent:pom:)
 BuildRequires:       jboss-jms-1.1-api jdo2-api jboss-ejb-3.1-api
 Obsoletes:           springframework-instrument-tomcat < %{version}-%{release}
 BuildArch:           noarch
@@ -161,17 +163,6 @@ Summary:             Spring OXM
 This package provide marshaling and unmarshalling
 for XML with JAXB context and JiBX binding factories.
 
-%package devel
-Summary:             Spring test context and MVC framework
-Provides:            springframework-test = %{version}-%{release}
-Provides:            springframework-test-mvc = %{version}-%{release}
-Obsoletes:           springframework-test < %{version}-%{release}
-Obsoletes:           springframework-test-mvc < %{version}-%{release}
-
-%description devel
-Spring's test MVC framework and Spring's test context framework. Also includes common Servlet and
-Portlet API mocks.
-
 %package tx
 Summary:             Spring Transaction Management
 %description tx
@@ -328,6 +319,9 @@ done
 %mvn_package :spring-project __noinstall
 
 %build
+%if "%{_arch}" == "riscv64"
+export JAVA_TOOL_OPTIONS="-Xmx4096m"
+%endif
 %mvn_build -X -f -s -- -Dproject.build.sourceEncoding=ISO-8859-1 -Dmaven.test.skip=true
 
 %install
@@ -366,6 +360,24 @@ done
 %files web -f .mfiles-spring-web
 
 %changelog
+* Sun Apr 27 2025 zhangliangpengkun <zhangliangpengkun@xfusion.com> - 3.2.18-15
+- DESC:fix CVE-2022-22950
+
+* Thu Apr 11 2024 Dingli Zhang <dingli@iscas.ac.cn> - 3.2.18-14
+- Add -Xmx4096m for riscv64
+
+* Thu Jan 04 2024 xu_ping <707078654@qq.com> - 3.2.18-13
+- remove unuse code
+
+* Thu May 18 2023 Ge Wang <wang__ge@126.com> - 3.2.18-12
+- Add build require sonatype-oss-parent
+
+* Mon Nov 21 2022 xu_ping <xuping33@h-partners.com> - 3.2.18-11
+- Modify invalid source
+
+* Tue Aug 2 2022 caodongxia <caodongxia@h-partners.com> - 3.2.18-10
+- This packages depends on log4j,release add 1 to rebuild
+
 * Thu Mar 31 2022 Ge Wang <wangge20@huawei.com> - 3.2.18-9
 - Override abstract method to solve compile failure