diff --git a/SOURCES/0001-CVE-2022-42920.patch b/SOURCES/0001-CVE-2022-42920.patch
new file mode 100644
index 0000000..4bbb9ee
--- /dev/null
+++ b/SOURCES/0001-CVE-2022-42920.patch
@@ -0,0 +1,71 @@
+From 3a4e355796891149adfd9228633f179015293dbd Mon Sep 17 00:00:00 2001
+From: Richard Atkins <rjatkins359@gmail.com>
+Date: Wed, 21 Sep 2022 23:18:58 +1000
+Subject: [PATCH] CVE-2022-42920
+
+---
+ .../org/apache/bcel/classfile/ConstantPool.java   | 15 +++++++++++----
+ .../org/apache/bcel/generic/ConstantPoolGen.java  | 11 ++++++++++-
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/src/main/java/org/apache/bcel/classfile/ConstantPool.java b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+index f2c946a1..77ab0da4 100644
+--- a/src/main/java/org/apache/bcel/classfile/ConstantPool.java
++++ b/src/main/java/org/apache/bcel/classfile/ConstantPool.java
+@@ -218,10 +218,17 @@ public class ConstantPool implements Cloneable, Node {
+      * @throws IOException
+      */
+     public void dump( final DataOutputStream file ) throws IOException {
+-        file.writeShort(constant_pool.length);
+-        for (int i = 1; i < constant_pool.length; i++) {
+-            if (constant_pool[i] != null) {
+-                constant_pool[i].dump(file);
++        /*
++         * Constants over the size of the constant pool shall not be written out.
++         * This is a redundant measure as the ConstantPoolGen should have already
++         * reported an error back in the situation.
++        */
++        final int size = Math.min(constant_pool.length, Const.MAX_CP_ENTRIES);
++
++        file.writeShort(size);
++        for (int i = 1; i < size; i++) {
++            if (constant_pool[i] != null) {
++                constant_pool[i].dump(file);
+             }
+         }
+     }
+diff --git a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+index fd0af47e..d3189ba4 100644
+--- a/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
++++ b/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java
+@@ -95,7 +95,7 @@ public class ConstantPoolGen {
+     public ConstantPoolGen(final Constant[] cs) {
+         final StringBuilder sb = new StringBuilder(DEFAULT_BUFFER_SIZE);
+ 
+-        size = Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64);
++        size = Math.min(Math.max(DEFAULT_BUFFER_SIZE, cs.length + 64), Const.MAX_CP_ENTRIES + 1);
+         constants = new Constant[size];
+ 
+         System.arraycopy(cs, 0, constants, 0, cs.length);
+@@ -224,9 +224,18 @@ public class ConstantPoolGen {
+     /** Resize internal array of constants.
+      */
+     protected void adjustSize() {
++        // 3 extra spaces are needed as some entries may take 3 slots
++        if (index + 3 >= Const.MAX_CP_ENTRIES + 1) {
++            throw new IllegalStateException("The number of constants " + (index + 3)
++                    + " is over the size of the constant pool: "
++                    + Const.MAX_CP_ENTRIES);
++        }
++
+         if (index + 3 >= size) {
+             final Constant[] cs = constants;
+             size *= 2;
++            // the constant array shall not exceed the size of the constant pool
++            size = Math.min(size, Const.MAX_CP_ENTRIES + 1);
+             constants = new Constant[size];
+             System.arraycopy(cs, 0, constants, 0, index);
+         }
+-- 
+2.38.1
+
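Review bot: In the embedded `ConstantPoolGen(final Constant[] cs)` hunk, `size` is now capped at `Const.MAX_CP_ENTRIES + 1`, but `cs.length` is never compared with that cap, so an oversized input array fails inside `System.arraycopy` with a bare index-out-of-bounds exception instead of the descriptive `IllegalStateException` that `adjustSize()` raises for the same condition. The failure is still fail-closed, since nothing is written past the array, so this concerns diagnosability and consistency rather than a remaining out-of-bounds write. An explicit guard before the allocation would make the limit visible to callers: `if (cs.length > Const.MAX_CP_ENTRIES + 1) { throw new IllegalStateException("The number of constants " + cs.length + " is over the size of the constant pool: " + Const.MAX_CP_ENTRIES); }`. The constructor body continues outside the hunk, and because this file is a downstream backport, the guard is better proposed upstream than carried as a local divergence.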
diff --git a/SPECS/bcel.spec b/SPECS/bcel.spec
index b2b4967..50805e8 100644
--- a/SPECS/bcel.spec
+++ b/SPECS/bcel.spec
@@ -1,6 +1,6 @@
 Name:           bcel
 Version:        6.4.1
-Release:        8%{?dist}
+Release:        9%{?dist}
 Summary:        Byte Code Engineering Library
 License:        ASL 2.0
 URL:            http://commons.apache.org/proper/commons-bcel/
@@ -8,6 +8,8 @@ BuildArch:      noarch
 
 Source0:        http://archive.apache.org/dist/commons/bcel/source/bcel-%{version}-src.tar.gz
 
+Patch1:         0001-CVE-2022-42920.patch
+
 BuildRequires:  maven-local
 BuildRequires:  mvn(org.apache.commons:commons-parent:pom:)
 
@@ -35,6 +37,7 @@ This package provides %{summary}.
 
 %prep
 %setup -q -n %{name}-%{version}-src
+%patch1 -p1
 
 %pom_remove_plugin :maven-source-plugin
 
@@ -55,6 +58,10 @@ This package provides %{summary}.
 %license LICENSE.txt NOTICE.txt
 
 %changelog
+* Thu Dec 01 2022 Mikolaj Izdebski <mizdebsk@redhat.com> - 6.4.1-9
+- Fix arbitrary bytecode produced via out-of-bounds writing
+- Resolves: CVE-2022-42920
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 6.4.1-8
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688