Address upstream BCEL vulnerability CVE-2022-42920

Fixes #192.

See GHSA-97xg-phpr-rg8q.
See https://issues.apache.org/jira/browse/BCEL-363.
See apache/commons-bcel#147.

Signed-off-by: Alexander Kriegisch <Alexander@Kriegisch.name>

bcel-builder/src/main/java/org/aspectj/apache/bcel/classfile/ConstantPool.java

@@ -59,6 +59,7 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import com.sun.org.apache.bcel.internal.Const;
 import org.aspectj.apache.bcel.Constants;
 import org.aspectj.apache.bcel.generic.ArrayType;
 import org.aspectj.apache.bcel.generic.ObjectType;
@@ -288,8 +289,14 @@ public Constant[] getConstantPool() {
 	} // TEMPORARY, DONT LIKE PASSING THIS DATA OUT!
 
 	public void dump(DataOutputStream file) throws IOException {
-		file.writeShort(poolSize);
-		for (int i = 1; i < poolSize; i++)
+		/*
+		 * Constants over the size of the constant pool shall not be written out.
+		 * This is a redundant measure as the ConstantPoolGen should have already
+		 * reported an error back in the situation.
+		 */
+		final int size = Math.min(poolSize, Const.MAX_CP_ENTRIES);
+		file.writeShort(size);
+		for (int i = 1; i < size; i++)
 			if (pool[i] != null)
 				pool[i].dump(file);
 	}
@@ -417,9 +424,19 @@ public int addClass(String classname) {
 	}
 
 	private void adjustSize() {
-		if (poolSize + 3 >= pool.length) {
+    // 3 extra spaces are needed as some entries may take 3 slots
+    if (poolSize + 3 >= Const.MAX_CP_ENTRIES + 1) {
+      throw new IllegalStateException(
+        "The number of constants " + (poolSize + 3) +
+        " is over the size of the constant pool: " + Const.MAX_CP_ENTRIES
+      );
+    }
+    if (poolSize + 3 >= pool.length) {
 			Constant[] cs = pool;
-			pool = new Constant[cs.length + 8];
+			int size = cs.length + 8;
+			// the constant array shall not exceed the size of the constant pool
+			size = Math.min(size, Const.MAX_CP_ENTRIES + 1);
+			pool = new Constant[size];
 			System.arraycopy(cs, 0, pool, 0, cs.length);
 		}
 		if (poolSize == 0)