diff --git a/SOURCES/0001-CVE-2022-42920.patch b/SOURCES/0001-CVE-2022-42920.patch
new file mode 100644
index 0000000..57db8ec
--- /dev/null
+++ b/SOURCES/0001-CVE-2022-42920.patch
@@ -0,0 +1,66 @@
+From d98245e5c808816f0ec1382ada2cb893b01101d2 Mon Sep 17 00:00:00 2001
+From: Mikolaj Izdebski <mizdebsk@redhat.com>
+Date: Thu, 1 Dec 2022 20:04:58 +0100
+Subject: [PATCH] CVE-2022-42920
+
+---
+ src/java/org/apache/bcel/classfile/ConstantPool.java  | 11 +++++++++--
+ src/java/org/apache/bcel/generic/ConstantPoolGen.java | 10 +++++++++-
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/src/java/org/apache/bcel/classfile/ConstantPool.java b/src/java/org/apache/bcel/classfile/ConstantPool.java
+index 8c666cf9..267227cd 100644
+--- a/src/java/org/apache/bcel/classfile/ConstantPool.java
++++ b/src/java/org/apache/bcel/classfile/ConstantPool.java
+@@ -198,8 +198,15 @@ public class ConstantPool implements Cloneable, Node, Serializable {
+      * @throws IOException
+      */
+     public void dump( DataOutputStream file ) throws IOException {
+-        file.writeShort(constant_pool_count);
+-        for (int i = 1; i < constant_pool_count; i++) {
++        /*
++         * Constants over the size of the constant pool shall not be written out.
++         * This is a redundant measure as the ConstantPoolGen should have already
++         * reported an error back in the situation.
++        */
++        final int size = Math.min(constant_pool_count, Constants.MAX_CP_ENTRIES);
++
++        file.writeShort(size);
++        for (int i = 1; i < size; i++) {
+             if (constant_pool[i] != null) {
+                 constant_pool[i].dump(file);
+             }
+diff --git a/src/java/org/apache/bcel/generic/ConstantPoolGen.java b/src/java/org/apache/bcel/generic/ConstantPoolGen.java
+index fd533be8..a6960e50 100644
+--- a/src/java/org/apache/bcel/generic/ConstantPoolGen.java
++++ b/src/java/org/apache/bcel/generic/ConstantPoolGen.java
+@@ -76,7 +76,7 @@ public class ConstantPoolGen implements java.io.Serializable {
+      */
+     public ConstantPoolGen(Constant[] cs) {
+         if (cs.length > size) {
+-            size = cs.length;
++            size = Math.min(cs.length, Constants.MAX_CP_ENTRIES + 1);
+             constants = new Constant[size];
+         }
+         System.arraycopy(cs, 0, constants, 0, cs.length);
+@@ -156,9 +156,17 @@ public class ConstantPoolGen implements java.io.Serializable {
+     /** Resize internal array of constants.
+      */
+     protected void adjustSize() {
++        // 3 extra spaces are needed as some entries may take 3 slots
++        if (index + 3 >= Constants.MAX_CP_ENTRIES + 1) {
++            throw new IllegalStateException("The number of constants " + (index + 3)
++                    + " is over the size of the constant pool: "
++                    + Constants.MAX_CP_ENTRIES);
++        }
+         if (index + 3 >= size) {
+             Constant[] cs = constants;
+             size *= 2;
++            // the constant array shall not exceed the size of the constant pool
++            size = Math.min(size, Constants.MAX_CP_ENTRIES + 1);
+             constants = new Constant[size];
+             System.arraycopy(cs, 0, constants, 0, index);
+         }
+-- 
+2.38.1
+
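Review bot: In the ConstantPoolGen(Constant[]) hunk the clamp `size = Math.min(cs.length, Constants.MAX_CP_ENTRIES + 1)` shrinks the new array but the following `System.arraycopy(cs, 0, constants, 0, cs.length)` still copies the unclamped length, so an input longer than MAX_CP_ENTRIES + 1 fails with an ArrayIndexOutOfBoundsException rather than the explicit IllegalStateException that adjustSize() raises for the same overflow. A guard before the copy, mirroring adjustSize, would make that failure diagnosable: `if (cs.length > Constants.MAX_CP_ENTRIES + 1) { throw new IllegalStateException("The number of constants " + cs.length + " is over the size of the constant pool: " + Constants.MAX_CP_ENTRIES); }`. The ConstantPool.dump() change silently truncates entries beyond the limit, which the added comment presents as a redundant safety net; since any pool that reaches it would be written out inconsistently, a comment noting that the truncated class file is not expected to be valid would help the next reader. The bodies of dump() and adjustSize() continue outside the embedded hunks.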
diff --git a/SPECS/bcel.spec b/SPECS/bcel.spec
index 7dca4c5..682216a 100644
--- a/SPECS/bcel.spec
+++ b/SPECS/bcel.spec
@@ -1,6 +1,6 @@
 Name:           bcel
 Version:        5.2
-Release:        18%{?dist}
+Release:        19%{?dist}
 Epoch:          0
 Summary:        Byte Code Engineering Library
 License:        ASL 2.0
@@ -9,6 +9,7 @@ Source0:        http://archive.apache.org/dist/commons/bcel/source/bcel-5.2-src.
 # Upstream uses Maven 1, which is not available in Fedora.
 # The following is upstream project.xml converted to Maven 2/3.
 Source1:        %{name}-pom.xml
+Patch1:         0001-CVE-2022-42920.patch
 BuildArch:      noarch
 
 BuildRequires:  maven-local
@@ -40,6 +41,7 @@ This package provides %{summary}.
 
 %prep
 %setup -q
+%patch1 -p1
 cp -p %{SOURCE1} pom.xml
 %mvn_alias : bcel:
 %mvn_file : %{name}
@@ -58,6 +60,10 @@ cp -p %{SOURCE1} pom.xml
 %doc LICENSE.txt NOTICE.txt
 
 %changelog
+* Thu Dec 01 2022 Mikolaj Izdebski <mizdebsk@redhat.com> - 0:5.2-19
+- Fix arbitrary bytecode produced via out-of-bounds writing
+- Resolves: CVE-2022-42920
+
 * Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 05.2-18
 - Mass rebuild 2013-12-27